How Someone Borrowed $1.6M With $70 Worth of Collateral: The Tender.Fi Exploit

The hacker who stole $1.59 million worth of crypto assets from Arbitrum-based decentralized finance (DeFi) lending platform Tender.fi has returned nearly all the funds, keeping roughly $97,000 as a bounty reward.

Tender.fi was exploited on the morning of March 7, with the project’s official Twitter handle confirming the incident in a tweet a few minutes later.

Tender.fi Exploited for $1.59 Million

According to the tweet, Tender.fi disclosed that it had noticed and was looking into an “unusual amount” of loans. The platform also paused its lending service during the investigation.

On-chain data showed that the attacker exploited an oracle glitch. The bug allowed the hacker to borrow up to $1.59 million in ether (ETH) tokens with a deposit of one GMX token worth $71 as collateral.

After the exploit, the hacker left an on-chain message for Tender.fi, saying, “It looks like your oracle was misconfigured. contact me to sort this out.” This shows that the exploiter is a white hat hacker.

A few hours later, Tender.fi disclosed that it had contacted the attacker to negotiate and discuss the terms of a bounty agreement.

“The whitehat has made contact over debank and we are currently in discussions on how to remedy this situation. We will update you with more information when we have it,” the protocol said.

Hacker Keeps $97k as Bounty

Seven hours later, the protocol revealed that it had agreed with the hacker and the funds would be returned.

About an hour later, the hacker returned $1.49 million and kept $96,500 as a bounty. Both Tender.fi and blockchain security firm PeckShield confirmed the transaction.

Translation: The White Hat will repay all loans minus 62.158670296 ETH, which will be kept as a Bounty for helping secure the protocol. The https://t.co/H4ZMPLH9pz Team will repay the Bounty s value to the protocol, so that there will be no bad debt and users will remain… https://t.co/5bbmKu7zEe

— Tender.fi (@tender_fi) March 7, 2023