Hope Finance exploit results in $2M stolen from users' funds

Published at: Feb. 21, 2023

Prospective users of an Arbitrum-based decentralized finance (DeFi) project have been left out of pocket following a $2 million exploit.

Web3 security firm CertiK flagged the incident on Feb. 21, following an announcement from the Hope Finance Twitter account notifying users that they had been scammed.

#CommunityAlert @hope_fin have announced the community has been scammed for ~$2m making this the largest #exitscam on Arbitrum in 2023. $1.86m was transferred to @TornadoCash. Hope_fin have posted steps for users to withdraw their staked LP https://t.co/hJbFXiKujt

— CertiK Alert (@CertiKAlert) February 21, 2023

Details of the project are difficult to come by. The platform’s Twitter account was launched in January 2023 and outlined plans for an algorithmic stablecoin called $HOPE, which dynamically adjusts its supply relative to the price of ETH.

Posts on the account allege that a Nigerian national had executed the scam and had transferred over $1.86 million to Tornado Cash shortly after the platform went live on Feb. 20. A member of the CertiK team told Cointelegraph that the scammer had changed details of the smart contract, which led to funds being drained from the Hope Finance genesis protocol:

“It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.”

According to a tweet dated Feb. 13, the Hope Finance smart contract was audited by a Cognitos Audit official. Cointelegraph reviewed the audit summary, which flagged two major contract function vulnerabilities.

These included an incorrect modifier and the possibility of reentrancy attacks. Despite flagging these vulnerabilities, Cognitos found that the smart contract code had passed the audit successfully.

Following the scam, Hope Finance shared information with users to withdraw staked liquidity from the protocol through an emergency withdrawal function.

Steps to withdraw your staked LP from this fucking scam protocol
1. Go on this link https://t.co/HjuvQyxbUX
2. connect your wallet
3. click on emergency withdraw
Enter 0000000000000000000000000000000000000000000000000000000000000002 pic.twitter.com/5RxtgKXgoo

— Hope Finance (@Hope_fin) February 21, 2023

Arbitrum is an Ethereum layer-2 rollup network aimed at enabling exponential scaling of smart contracts. Arbitrum and Optimism, both layer-2 protocols, continue to handle an increasing number of transactions within the Ethereum ecosystem.
