Sentiment placed cheese of $95K to catch the hacker rat and received $729K out of $1M. The liquidity pool was hacked on April 4, and the hack was reported on their Twitter page on April 5. Earlier estimates were that $500,000 was stolen, but later investigations suggested the amount could be above the $1 million mark.
The Rat Snap Worked, Hacker Returned the Amount
A reward was announced in a message on the Arbitrum blockchain. It was offered to the hacker for returning the amount before the deadline and, after that, to anybody who would help locate the culprit. The message was:
“To the hacker: we will offer you [$95,000] and will not pursue this if you return the money by 8 am utc April 6… Do the right thing.”
However, Sentiment never announced the offer publicly; they just retweeted another user's screenshot on their page. This made it seem like an original offer, but the transaction’s anonymity does not clarify its legitimacy.
Taylor Monahan, the founder of MyCrypto and MetaMask, argued that the attacker returned 414 ETH worth $792,000 at around 10:30 pm UTC. This means the hacker exceeded expectations and returned most of the stolen $1 million. However, there was no confirmation of receipt from Sentiment.
This incident can be compared to Euler Finance, where the project negotiated with the hacker to return the funds.
The $1 Million Sentiment Hack
On April 4, the lending pool Sentiment was hacked for around $1 million, a loss initially believed to be around $500,000. After their first announcement, they paused their main contract and allowed only withdrawals. Per their initial statement, they handled the issue and allowed users to repay debts and unwind positions.
Sentiment said that recovering the funds is their primary goal and that they are working closely with law enforcement to locate the hacker; these efforts would not be required if the hacker cooperates.
After investigation, it was revealed that the hacker used the Balancer vault’s ‘joinPool’ function and raised the overall supply of LP coins by 10,000 wETH, 606 BTC and 18 million USDC. The exploiter withdrew the funds using exitPool and sequentially sent 606.8 wBTC, 1,000 ETH and 17.9 million USDC.
The liquidity pool uses a fallback sentiment which reduces the demand, but somehow the pool balances of wBTC, wETH and USDC remained the same and hence the prices were tilted; this gap allowed the attacker to borrow multiple assets at a discounted price.
Such attacks are common in the crypto industry; bad actors try to find loopholes and exploit them for ill gains. However, the industry learns from every hack to strengthen its security protocols and to assess systems for loopholes and vulnerabilities in a timely manner. This incident was unique as negotiations solved it.
Source: https://www.thecoinrepublic.com/2023/04/08/sentiment-offers-95k-to-hackers-to-return-792k-in-barter/