Latest DeFi bridge exploit results in $4.4M losses for Meter

Published at: Feb. 8, 2022

The Meter Passport token bridge platform has incurred $4.4 million in losses due to a smart contract hack which also caused Hundred Finance to lose $3.3 million through under-collateralized loans.

Meter.io’s Meter Passport (MTRG) is a token bridge that is compatible with Ethereum and its sidechains. This attack affected the Moonriver side of the bridge.

Moonriver is a smart contract platform based on Polkadot’s Kusama network. Hundred Finance is a crypto lending platform based on the code for Compound Finance.

Starting at 2pm UTC on Feb. 5 and over the course of several transactions, about $4.4 million in Binance Coin (BNB) and wETH were minted through a “wrong trust assumption” in the code, according to a Feb. 6 statement from the Meter team. In this case, an arbitrary amount of ETH was deposited to Meter which the hacker used to mint tokens using the vulnerability.

1. Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH.

— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022

The attack caused a cascade effect across the Kusama-based Moonriver ecosystem. After draining Meter of its BNB and wETH reserves, the attacker sold the BNB on SushiSwap, a popular decentralized exchange. This led to a 77% crash in the price of BNB on Moonriver at the time.

A number of opportunists then took advantage of the price dip by buying cheap BNB. They used the tokens as collateral on Hundred Finance in order to take out FRAX and MIM stablecoin loans. Due to the discrepancy in BNB price, however, their loans were worth more than the collateral they had provided, causing a supply crisis.

2/4. Accounts were able to purchase BNB.bsc at a reduced price and use these tokens as collateral at the global Chainlink price to borrow uncompromised assets on our platform. Of these, MIM and FRAX are currently impacted.

— Hundred Finance (@HundredFinance) February 6, 2022

Amazingly, two of the loans were repaid, leaving an outstanding $3.3 million in losses to the Hundred protocol. The Hundred team has attempted to reach out to the parties involved to ask that they return the BNB tokens used as collateral to Meter.

The Meter team has committed to reimbursing its community and Hundred Finance for losses incurred due to the hack. The team stated on Feb. 6 that it had set aside $4.4 million in MTRG tokens to cover initial losses.

“Vfat”, the pseudonymous founder of Hundred Finance, said in a statement to Rekt News on Feb. 6 that:

“Meter have of course accepted responsibility for this hack and are intending to use their native token for reimbursement to the extent that they can, currently we are in the gathering addresses and amounts stage.”

Related: Qubit Finance suffers $80 million loss following hack

The blockchain security firm PeckShield estimated that in total, 1,391 ETH and 2.74 wBTC were taken by the attacker and have since been sent to Ethereum where the tokens have gone through Tornado Cash, an ETH transactions privacy tool.

The Hundred Finance team has not yet responded to a request for comment.

The initial details of the exploit of Meter’s code resemble the Wormhole hack on Feb. 3 in which 120,000 wETH ($321 million) were maliciously minted and extracted from Wormhole’s platform. In that incident, the hacker exploited a smart contract bug to mint wETH at will and sent the tokens to Ethereum, where they were washed via Tornado Cash.

Tags
Blockchain
Defi
Tokens
Hackers
Related Posts
Zabu token price flatlines after $3.2M attack on Avalanche blockchain
Zabu Finance, a DeFi application on the Avalanche blockchain, has reportedly been exploited for crypto tokens worth $3.2 million. The removal of a large number of tokens eventually reduced the value of Zabu tokens to zero. Zabu Finance announced the exploit by asking for help from Avalanche and popular Avalanche-hosted decentralized exchanges such as Pangolin and Trader Joe: “Zabu Team Wallet has not sold a single Zabu. We're under an exploit, possibly from Spore Pool. We're investigating the exploit. Need help Pangolin, Trader Joe, Avalanche.” Based on further investigation, Zabu found the attacker stole the assets from a pool of …
Technology / Sept. 13, 2021
Wormhole token bridge loses $321M in largest hack so far in 2022
The Wormhole token bridge experienced a security exploit today, resulting in the loss of 120,000 wETH tokens ($321 million) from the platform. Wormhole is a token bridge that allows users to send and receive crypto between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without the use of a centralized exchange (CEX). This is the largest crypto hack of 2022 so far and the second largest DeFi hack to date. The Wormhole team has offered a $10M bug bounty for the return of the funds. The hack took place on the Solana side of the bridge and there are fears …
Blockchain / Feb. 3, 2022
DeFi attacks are on the rise — Will the industry be able to stem the tide?
The decentralized finance (DeFi) industry has lost over a billion dollars to hackers in the past couple of months, and the situation seems to be spiraling out of control. According to the latest statistics, approximately $1.6 billion in cryptocurrencies was stolen from DeFi platforms in the first quarter of 2022. Furthermore, over 90% of all pilfered crypto is from hacked DeFi protocols. These figures highlight a dire situation that is likely to persist over the long term if ignored. Why hackers prefer DeFi platforms In recent years, hackers have ramped up operations targeting DeFi systems. One primary reason as to …
Adoption / May 14, 2022
How to store Bitcoin on MetaMask?
MetaMask is a well-known wallet for Ethereum-enabled distributed applications (dApps). But can MetaMask hold Bitcoin (BTC), which remains the largest cryptocurrency? For many crypto investors, Bitcoin is an important part of their portfolio. Besides being an investment asset, Bitcoin can also be used as a payment method. Thanks to wallets such as MetaMask, paying via blockchain technology has become much easier. This Ethereum crypto wallet enables millions of investors to participate in everything the crypto market has to offer. Even though Ether (ETH) is a very popular means of payment, most people buy Bitcoin. Related: How does Bitcoin work and …
Adoption / April 26, 2022
Terra 2.0: A crypto project built on the ruins of $40 billion in investors' money
Terra remained the focus of the majority of headlines throughout May for its spiral collapse leading to a loss of over $40 billion in investors’ money. Despite some early resistance from the community and heavy backlash from the likes of Binance CEO Changpeng “CZ” Zhao, Terra co-founder Do Kwon managed to relaunch the collapsed network with a new chain called Terra 2.0 (Phoenix-1). The amended proposal for the relaunch of the network by increasing the genesis liquidity, which introduces a new liquidity profile for pre-attack Luna Classic (LUNC) holders and decreases the distribution to post-attack TerraUSD Classic (USTC) holders, was …
Decentralization / June 3, 2022