In the latest development in the world of Decentralized Finance (DeFi), Tender.fi, a DeFi lending protocol, fell victim to a white hat attack. The alleged ethical hacker behind the attack had managed to drain a whopping $1.6 million from the platform, forcing the service to halt borrowing while it attempts to recover its assets.
The attack, which took place on Mar-07-2023 at 08:21:38 AM +UTC, has caused significant concern among the DeFi community. According to Numen Cyber’s on-chain monitoring, the attacker siphoned 198 ETH, 541700 USDC, 16 WBTC, 8798 UNI, 50011 DAI, 36700 USDT, 24975 FRAX, and 16,203 LINK, causing the native token of the Tender.fi (TND) project to fall by over 30% before recovering slightly after the recovery of funds.
Timeline of Events
Tender.fi confirmed an incident on March 7th that led to the depletion of funds after various community users raised concerns. Tender.fi took to Twitter to acknowledge the issue and announced that they were investigating an unusually high amount of borrows, which led to the depletion of funds. As a result, the platform temporarily halted all borrowing activities until the investigation was complete.
The native token of Tender.fi (TND) plummeted over 30% in response to news of a suspected black hat hacking incident. The market reacted swiftly, with investors reacting to the news of the platform’s loss of funds.
Vulnerability Details
The attack on Tender.fi has exposed a critical flaw in the platform’s smart contract code, specifically its price oracle, which allowed the attacker to exploit the system and make off with $1.6 million worth of cryptocurrencies. The attacker was able to obtain tGMX tokens by purchasing them with initial funds and then proceeded to borrow using the tETH.borrow method. However, the borrowing process had an error in the price calculation, specifically in the GMXPriceOracle.getUnderlyingPrice method.
The initial price was multiplied by both 1e20 and 1e10, resulting in a significant increase in the price of tGMX tokens. This allowed the attacker to borrow large sums of money, which eventually led to the loss of millions of dollars in funds for Tender.fi.
Attacker’s address:
https://arbiscan.io/address/0x896DF3759205C141c97640B2B7345FA479FEB1aB
Transaction:
https://arbiscan.io/address/0x896DF3759205C141c97640B2B7345FA479FEB1aB
Post-Mortem
Tenderfi has rewarded a bounty of 62 ETH, which is approximately 6% of the exploited funds, to the White Hat. This amount is consistent with the industry standard for rewarding white hats who find and report security vulnerabilities. The White Hat who discovered the exploit promptly notified the Tenderfi team, who then worked quickly to repay the exploited funds.
Following the transaction’s completion, Tender.fi took to Twitter to confirm that their funds were officially secure. The platform also announced that it would conduct a post-mortem analysis of the attack to identify areas of improvement and prevent similar incidents in the future. Their native token, TND has since bounced back slightly since the recovery of funds.
Conclusion
The swift and cooperative response from both the White Hat and the Tenderfi team is highly commendable. This type of collaboration between security researchers and blockchain companies is critical to creating a safer and more secure ecosystem.
