Cointime

Cointime

Download App
iOS & Android

An Account of the Recent White Hat Attack on DeFi Protocol Tender.fi

Validated Project

In the latest development in the world of Decentralized Finance (DeFi), Tender.fi, a DeFi lending protocol, fell victim to a white hat attack. The alleged ethical hacker behind the attack had managed to drain a whopping $1.6 million from the platform, forcing the service to halt borrowing while it attempts to recover its assets.

The attack, which took place on Mar-07-2023 at 08:21:38 AM +UTC, has caused significant concern among the DeFi community. According to Numen Cyber’s on-chain monitoring, the attacker siphoned 198 ETH, 541700 USDC, 16 WBTC, 8798 UNI, 50011 DAI, 36700 USDT, 24975 FRAX, and 16,203 LINK, causing the native token of the Tender.fi (TND) project to fall by over 30% before recovering slightly after the recovery of funds.

Timeline of Events

Tender.fi confirmed an incident on March 7th that led to the depletion of funds after various community users raised concerns. Tender.fi took to Twitter to acknowledge the issue and announced that they were investigating an unusually high amount of borrows, which led to the depletion of funds. As a result, the platform temporarily halted all borrowing activities until the investigation was complete.

The native token of Tender.fi (TND) plummeted over 30% in response to news of a suspected black hat hacking incident. The market reacted swiftly, with investors reacting to the news of the platform’s loss of funds.

Vulnerability Details

The attack on Tender.fi has exposed a critical flaw in the platform’s smart contract code, specifically its price oracle, which allowed the attacker to exploit the system and make off with $1.6 million worth of cryptocurrencies. The attacker was able to obtain tGMX tokens by purchasing them with initial funds and then proceeded to borrow using the tETH.borrow method. However, the borrowing process had an error in the price calculation, specifically in the GMXPriceOracle.getUnderlyingPrice method.

The initial price was multiplied by both 1e20 and 1e10, resulting in a significant increase in the price of tGMX tokens. This allowed the attacker to borrow large sums of money, which eventually led to the loss of millions of dollars in funds for Tender.fi.

Attacker’s address:

https://arbiscan.io/address/0x896DF3759205C141c97640B2B7345FA479FEB1aB

Transaction:

https://arbiscan.io/address/0x896DF3759205C141c97640B2B7345FA479FEB1aB

Transaction Details

Post-Mortem

Tenderfi has rewarded a bounty of 62 ETH, which is approximately 6% of the exploited funds, to the White Hat. This amount is consistent with the industry standard for rewarding white hats who find and report security vulnerabilities. The White Hat who discovered the exploit promptly notified the Tenderfi team, who then worked quickly to repay the exploited funds.

Following the transaction’s completion, Tender.fi took to Twitter to confirm that their funds were officially secure. The platform also announced that it would conduct a post-mortem analysis of the attack to identify areas of improvement and prevent similar incidents in the future. Their native token, TND has since bounced back slightly since the recovery of funds.

Conclusion

The swift and cooperative response from both the White Hat and the Tenderfi team is highly commendable. This type of collaboration between security researchers and blockchain companies is critical to creating a safer and more secure ecosystem.

DeFi Blockchain DeFi DeFi DeFi Blockchain
Comments

All Comments

Recommended for you

  • Cointime May 12 News Express

    1.The number of Bittensor subnets for the AI ​​project will increase to 64, and 1024 subnets will be achieved this year2.Trader predicts Bitcoin price will reach $350,0003.vladilena.eth redeemed 1930 weETH from Zircult, suspected of selling4.Solana’s on-chain DEX transaction volume yesterday exceeded the sum of five chains including Ethereum, BSC, and Arbitrum5.RSS3 VSL locked-in amount surged in the past two days and is close to 200 million US dollars 6.The transaction volume of Club Key on friend.tech platform exceeded 1 million7.Lido has paid out more than 516,000 ETH in staking rewards, equivalent to approximately $1.51 billion8.1,000 BTC transferred from TronDAO to an unknown new wallet9.Report: Justin Sun deposited 120,000 eETH into Swell L2, worth $376 million10.1707.36 BTC have flowed out of Binance in the past 7 days

  • Xinjiang launches special campaign to combat illegal fundraising, with key areas including virtual currency, blockchain, etc.

    According to Chang'an Xinjiang Public Account, Xinjiang Autonomous Region and Corps have launched a joint special action to crack down on illegal fund-raising, with key areas including third-party wealth management, fake private equity, fake gold exchange and other traditional fields, as well as emerging fields such as virtual currency, blockchain, cultural tourism, film and television investment, and debt resolution services. It is reported that key cases include cases involving more than 100 million yuan and cases that have been criminally filed for more than five years.

  • A British court has postponed the final sentencing of Wen Jian, a British-Chinese national involved in the country's largest Bitcoin money laundering case, until May 24.

    On May 11th, it was reported that Jian Wen, a 42-year-old British Chinese citizen, was found guilty of "participating in arranging money laundering" in the UK's largest Bitcoin money laundering case. He could be sentenced to up to 14 years in prison. Jian Wen's defense lawyer, Mark Harries, stated that due to the judge's busy schedule, the UK court has postponed Jian Wen's final sentencing, which was originally scheduled for May 10th, to May 24th.

  • Web3 startup Star Nest completes $6 million in Pre-A round of financing

    Hong Kong Web3 music startup Star Nest announced that it has completed a $6 million Pre-A round of financing, led by Chuangqi International Limited, a wholly-owned subsidiary of Hong Kong Stock Exchange-listed company Guofu Innovation. Star Nest will collaborate with Armonia Meta Chain to develop the Star Nest SpaceStar metaverse game, which includes music, role-playing, and social features.In addition, Star Nest plans to launch its NEST project in the third quarter of 2024. Nest will receive 2.1 billion NEST tokens tailored for the project, and Star Nest will use the NEST token to build a more complete music industry token economic system. The NEST token will be widely used for purchasing performance tickets, chain game cooperation, metaverse consumption, governance voting, and other activities.

  • Over $594 million worth of PYTH is staked

    According to Dune data,  there are currently 1,201,167,362 PYTH tokens in the staked state, with a total staked value exceeding $594 million. The number of PYTH stakers has reached 151,211.

  • US Department of Justice: Tornado Cash indictment has nothing to do with "free speech"

    On May 11th, the US Department of Justice explained why the motion to dismiss the criminal case against Tornado Cash founder Roman Storm was invalid. The Department of Justice reiterated that their indictment was not related to whether the Tornado Cash computer code had freedom of speech or was protected by the First Amendment of the Constitution. The defendant was not charged for publishing computer code, but for using it to facilitate profitable illegal activities.

  • USDC circulation decreased by $100 million in the past week, with a total circulation of $33 billion

    According to official data,as of May 9th, Circle has issued approximately $2 billion USDC and redeemed approximately $2 billion USDC in the past 7 days, with a decrease in circulation of approximately $100 million. The total circulation of USDC is $33 billion, with a reserve of $33.1 billion, including approximately $3.3 billion in cash and Circle Reserve Fund holding approximately $29.8 billion.

  • SEC rejects Coinbase's request for appeals court ruling on cryptocurrency rules

    The US SEC has rejected Coinbase's request to appeal to the court to review whether traditional securities rules are applicable to cryptocurrencies. In its application, Coinbase stated that it hoped the appeals court would consider whether the Howey test, which has long been used for securities evaluation, should be applied to digital assets. However, the SEC pointed out that Coinbase has not successfully demonstrated the need for such an evaluation. The SEC stated that Coinbase is attempting to create a "new legal test," but this attempt was rejected by the court. The court found that Coinbase's arguments lacked consistency and did not successfully demonstrate the existence of decisive issues. Currently, the judge responsible for hearing the SEC's case against Coinbase will make a ruling on Coinbase's intermediate appeal motion.

  • Blockchain Asset Management announces launch of a dedicated blockchain fund for accredited investors

    Blockchain Asset Management, a cryptocurrency fund with a scale of $100 million, announced the launch of an exclusive blockchain fund for qualified investors. The specific amount of funds raised by the fund has not been disclosed yet, but it is said to have reached "eight figures", which means it is in the tens of millions of dollars. In addition, the investment threshold for the new fund is $100,000, and all investors are required to meet the approved standards (annual income exceeding $200,000, net assets exceeding $1 million).

  • Chainlink ·

    Chainlink Digital Asset Insights: Q1 2024

    The Web3 ecosystem has recently seen a dramatic rise in activity through total value locked in decentralized finance (“DeFi”), volumes on decentralized exchanges (“DEXs”), and stablecoin activity (see the Appendix). Looking at the first quarter of the year, we examine prominent events in the space, including:

    Chainlink Digital Asset Insights: Q1 2024

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company