Hedgey Finance, a platform in the token infrastructure sector, recently fell victim to two simultaneous exploits resulting in a staggering $44.7 million worth of lost funds.
The first exploit targeted Hedgey on the Arbitrum network, where over $42.8 million worth of Arbitrum (ARB) tokens were compromised, as reported by on-chain security firm Cyvers in an April 19 X post. The attacker proceeded to deposit a portion of the stolen funds into the Bybit cryptocurrency exchange.
More exploit at 👇 pic.twitter.com/WguQ6pWhs9
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 19, 2024
In a separate incident, Hedgey protocol was hacked for $1.9 million worth of cryptocurrency on the Ethereum network, according to an alert from Cyvers.
🚨UPDATE🚨 @hedgeyfinance has experienced a security breach with their Hedgey Token Claim Contract!
Total loss is around $1.9M. Attacker is funded by @ChangeNOW_io.
All stolen funds are swapped to $DAI and transferred to an EOA at https://t.co/MT78LFSQ7G
We urge all users to… https://t.co/hwuBjTiebp
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 19, 2024
Confirming the exploits, Hedgey protocol in an April 19 X post stated that it is actively collaborating with auditors to investigate the underlying vulnerability contributing to the ongoing attack.
Security Alert: We're investigating an attack on the Hedgey Token Claim Contract. If you have created active claims, please cancel them using the "End Token Claim" button at https://t.co/Tt7Aq0n2dh.
We are actively working with our auditors and team to understand the attack…
— Hedgey 🦔 (@hedgeyfinance) April 19, 2024
Following Hedgey’s confirmation, fraudulent accounts impersonating the protocol began disseminating potentially malicious links within the thread. These accounts urged users to request refunds or revoke smart contract approvals, redirecting them to suspicious links unrelated to Hedgey protocol.
The timing of the exploit is noteworthy, occurring just hours before the highly anticipated Bitcoin halving event, which halves block issuance rewards.
The Hack3d report by CertiK, an on-chain security firm, revealed that the first quarter of 2024 witnessed 223 hacks and exploits amounting to over $502 million in stolen digital assets. This marks a 54% increase compared to the same period in 2023, during which $326 million worth of funds were stolen. Notably, January saw the highest amount of stolen crypto at over $193 million across 78 on-chain incidents.
Compromised private keys remained the predominant attack vector, resulting in over $239 million lost across 26 incidents. However, these exploits accounted for only 11.7% of all security incidents, according to CertiK’s findings.
On a positive note, approximately $77.9 million worth of stolen funds were successfully recovered in the first quarter, with a significant portion attributed to the Munchables security incident.