An Arbitrum-based stablecoin project was compromised by a well-orchestrated smart contract scam, costing users about $2 million. CertiK reported the incident in response to a Hope Finance tweet alerting customers to the scam.
Users lose funds to yet another exploit
Potential users of Hope Token, a project newly launched in January, have been drained of more than $2 million through a smart contract racket. CertiK, a renowned web3 security entity, highlighted the event in response to a tweet by Hope Finance warning its users of the deception.
Although the project's details have not been fully unveiled, the platform's Twitter account was created in January 2023 and described an upcoming algorithmic stablecoin named Hope Token (HOPE). The token is said to be able to adjust its supply in relation to Ether's price.
CertiK explained that the scammer deployed a fake router during the preparation to exit by Hope Finance. The scammer then updated the SwapHelper to use the dubious router to access the wallet's interesting transfer and got the approval of all three holders of the Hope tokens.
The scammer switched from swapping tokens to sending them as USDC to another address he controlled.
Hope Finance's Twitter posts claim that the hacker was of Nigerian origin and had already moved the stolen funds, more than $1.8 million, into Tornado Cash.
The transfer occurred moments before the project's launch on Feb. 20. The scammer tampered only with the smart contract details to gain full access to the funds in Hope Finance's genesis protocol.
Audit of the code by Cognitos
According to a tweet posted on Feb. 13, Hope Finance indicated that a Cognitos employee had audited the smart contract. The representative had flagged two main weaknesses in the smart contract: reentrancy attacks and improper modifiers.
However, Cognitos reported that the smart contract code passed the audit even though the two vulnerabilities were observed.
To cushion more users from fraud, Hope Finance announced a different way for users to withdraw their funds from the system. In addition, the availability of a layer-2 protocol is a remedy for handling such cases on the Ethereum platform.
The attack comes after another smart contract manipulation at Ethereum Denver led to a loss of more than $300,000.
Source: https://crypto.news/scammer-steals-2m-user-funds-from-hope-finance/