The attack that targeted the DeFi lending platform, Sentiment Protocol, has been identified as a re-entrancy attack.
Main Focus On Fund Recovery
On April 4, the Sentiment team made a statement on Twitter that the protocol had likely been hacked and that they were looking into the matter.
The team tweeted,
“At approximately 06:00:00 PM +UTC The Sentiment team became aware of abnormal borrowing activity which has now been declared as a malicious exploit.”
According to the Twitter thread, the team had paused the Sentiment main contract and restricted functionality to only process withdrawals in order to mitigate the loss of further funds.
They also employed third-party security auditors to fix the vulnerability immediately, allowing all account holders to repay debts and unwind their positions.
Finally, the team also announced that Sentiment is working closely with law enforcement and close contributors to pinpoint the hacker’s identity. However, the main objective moving forward would be to recover the stolen user funds. Therefore, a message was addressed to the hacker, offering a 10% bounty in exchange for the return of the rest of the funds.
Understanding The Vulnerability
Beyond the above information, the team has not divulged any further details of the hack. However, as is the case with security incidents on other DeFi platforms, community members have rushed in to unravel the root of the vulnerability. According to one such community member, Pascal Marco Caversaccio, the blockchain records revealed a re-entrancy hack. In this class of attack, an external contract repeatedly calls back into the vulnerable contract, here a Sentiment contract, before that contract has updated its own state.
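The re-entrancy pattern described above can be modelled in a few lines. This is an added illustration in Python, not Sentiment's contract code (the article gives no details of the real code path); the vault classes, account names and balances are all constructed. It contrasts a withdrawal that updates state after the external call with one that updates state first and rejects nested calls.

```python
class VulnerableVault:  # toy lending vault, constructed for illustration
    def __init__(self):
        self.balances = {}  # account -> credited amount
        self.cash = 0       # funds actually held
    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.cash += amount
    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.cash < amount:
            return
        self.cash -= amount
        on_receive(amount)      # external call made before the state update
        self.balances[who] = 0  # too late: the callee could already re-enter

class HardenedVault(VulnerableVault):  # checks-effects-interactions plus a lock
    def __init__(self):
        super().__init__()
        self._entered = False
    def withdraw(self, who, on_receive):
        if self._entered:
            raise RuntimeError("re-entrant call rejected")
        self._entered = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.cash < amount:
                return
            self.balances[who] = 0  # effect: zero the balance first
            self.cash -= amount
            on_receive(amount)      # interaction: external call last
        finally:
            self._entered = False

def simulate(vault_cls, depth=3):
    """Return (paid to the re-entering account, cash left for everyone else)."""
    vault = vault_cls()
    vault.deposit("honest", 90)   # constructed sample balances
    vault.deposit("caller", 10)
    received = []
    def on_receive(amount):       # models the external contract's callback
        received.append(amount)
        if len(received) < depth:
            try:
                vault.withdraw("caller", on_receive)
            except RuntimeError:
                pass
    vault.withdraw("caller", on_receive)
    return sum(received), vault.cash
```

With the vulnerable ordering, an account credited with 10 is paid 30 and the vault is left unable to cover the other depositor's 90; with the hardened ordering it is paid exactly 10.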
Another developer in the community suggested that the hacker specifically called a self-destruct function within a Sentiment smart contract. The Twitter account Spreek revealed that around $500,000 to $1 million of funds were stolen from the platform via the Arbitrum blockchain on which the DeFi protocol operates.
DeFi Under Attack
DeFi platforms have been riddled with similar hacks, where attackers have targeted a vulnerability in the code to exploit the platform and siphon off user funds. The Euler Finance drama has been the most noteworthy recently, where the protocol lost around $200 million worth of assets. However, the DeFi protocol has been successful in recovering a part of the stolen funds, worth around $31 million, through negotiations with the exploiter. As a result, the Euler team even declared that it would not be attempting to pursue the identity of the hacker. A similar approach to fund recovery could also prove to be successful for the Sentiment Protocol team.
Source: https://cryptodaily.co.uk/2023/04/sentiment-hacked-for-over-500k-usd