Sentiment DeFi platform losses $1m to hacker on Arbitrum

Sentiment, a decentralized finance (DeFi) platform offering lending and borrowing services on the Arbitrum layer-2 network, was hit by a malicious exploit on April 4, resulting in a nearly $1 million loss.

The attacker used a reentrancy bug in Balancer, a liquidity protocol that Sentiment integrates with, to execute fraudulent transactions and drain funds from the platform.

According to Sentiment’s official Twitter account, the team noticed abnormal borrowing activity around 6:00 PM UTC on April 4 and immediately paused the main contract to prevent further loss.

The team also enlisted the help of third-party security experts from PeckShield, who confirmed the nature and extent of the attack and provided a fix for the vulnerability.

1/4
A status update on the current situation: At approximately 06:00:00 PM +UTC The Sentiment team became aware of abnormal borrowing activity which has now been declared as a malicious exploit.
— Sentiment (@sentimentxyz) April 5, 2023

Sentiment said that users can now repay their debts and withdraw their funds and that it is working with law enforcement and other parties to track down the hacker and recover the stolen crypto assets.

The platform’s security consultant, PeckShield, published a detailed analysis of the exploit on its blog, explaining how the attacker exploited a view reentrancy bug in Balancer to manipulate pool balances and overcollateralize their loans on Sentiment.

Per Peckshield, the attacker then used flash loans to borrow and liquidate large amounts of tokens from Sentiment, making off with about $1 million worth of crypto.

DeFi exploits on the rise

The attack on Sentiment is the latest in a string of thefts targeting DeFi platforms. On March 13, Euler Finance was on the wrong end of a flash loan attack that led to the loss of $197 million of digital assets.

Peckshield’s analysis of the attack surmised that the exploiter took advantage of a flaw in Euler Finance’s donation and liquidation logic to steal the money.

However, the hacker returned the stolen funds after weeks of high drama that included a million-dollar bounty offer from Euler, threats of legal action, and a remorseful confession from the perpetrator.

These attacks have amplified the security risks that DeFi platforms face, mainly when they rely on external protocols that may have hidden flaws or vulnerabilities.

The crypto industry lost more than $3 billion to hackers and scammers in 2022, and this year has seen a resurgence of such heists and thefts. In the last month alone, as reported by crypto.news, hackers stole over $21 million from DeFi protocols.

Source: https://crypto.news/sentiment-defi-platform-losses-1m-to-hacker-on-arbitrum/