Cryptocurrency trading platform Hashflow has assured that affected users will be “reinstated” following an exploit that removed at least $600,000 worth of digital assets from the platform.
On June 14, blockchain security firm Peckshield reported an ongoing issue with the Hashflow trading platform.
“There appears to be an approval issue,” the firm noted, reporting losses of around $600,000 in Arbitrum (ARB) and Ethereum (ETH).
A couple of hours later, Hashflow alerted users that they were addressing the current contract approval situation noted by Peckshield, adding:
“All users including ~$600,000 affected will be restored.”
The firm, which provides cross-chain swaps as part of its trading services, added that its decentralized exchange was “unaffected in any way and remains fully functional.”
We’re addressing the current situation flagged by @peckshield. Please be assured that:
1. All users comprising the ~$600K affected will be made whole.
2. The Hashflow DEX was in no way impacted and remains fully operational.
We will share a detailed post mortem once complete.
— hashflow (@hashflow) June 14, 2023
Peckshield speculated that the hacker who carried out the exploit might be a white hat hacker, as they provided a contract with a recovery function along with a second option for a donation.
Hashflow updated its status on June 15 with recovery instructions for those affected by the exploit, which hit Ethereum, Arbitrum, Avalanche, BNB Chain and Polygon.
Users were told they must “withdraw approval before recovering funds.”
There are two refund options: the first is for all funds, and the second is to donate 10% to an alleged white hat hacker who exploited the vulnerability but prevented further losses.
DeFi enthusiast “YannickCrypto” detailed the process, noting that the “white hat” had reviewed the contract, but warned that users should revoke token access to deprecated contracts or they would be hacked again.
hey @hashflow, it seems like you got exploited from 0xddb19a1bd22c53dac894ee4e2fbfdb0a06769216. https://t.co/oplaYWY4Bn
There are two withdraw functions, one with 10% and one without bribe!
Find out how you can withdraw your stolen funds in next tweet
— yannickcrypto.eth (@YannickCrypto) June 14, 2023
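The advice above to revoke token approvals before recovering funds can be checked mechanically. The following is an added example, not code from Hashflow or from the article: it replays ERC-20 Approval event logs to find allowances still granted to a deprecated spender and builds the `approve(spender, 0)` calldata that revokes them. All addresses and log entries are constructed placeholders; the topic hash and selector are the standard ERC-20 values.

```python
# Standard ERC-20 constants (well-known values, not taken from the article).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)

# Constructed placeholder addresses; none of these are real Hashflow contracts.
OWNER, DEPRECATED, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B, TOKEN_C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def _topic(addr):
    """Left-pad a 0x-prefixed 20-byte address to the 32-byte indexed-topic form."""
    return "0x" + addr[2:].rjust(64, "0")

def _log(token, spender, amount, block):
    """Build one constructed ERC-20 Approval log in eth_getLogs shape."""
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(spender)],
            "data": "0x" + format(amount, "064x")}

# Constructed sample, deliberately out of chain order.
SAMPLE_LOGS = [
    _log(TOKEN_B, DEPRECATED, 0, 18),           # later revocation of TOKEN_B
    _log(TOKEN_A, DEPRECATED, 2**256 - 1, 16),  # unlimited approval, never revoked
    _log(TOKEN_C, OTHER, 500, 19),              # different spender, out of scope
    _log(TOKEN_B, DEPRECATED, 1000, 17),
]

def outstanding_approvals(logs, owner, spender):
    """Replay Approval logs in chain order; return {token: last nonzero allowance}."""
    want = [_topic(owner.lower()), _topic(spender.lower())]
    latest = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = [t.lower() for t in log["topics"]]
        # ERC-721 Approval shares this topic hash but has 4 topics; skip it.
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC or topics[1:] != want:
            continue
        latest[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in latest.items() if amount > 0}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent by the owner to the token contract."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for token in outstanding_approvals(SAMPLE_LOGS, OWNER, DEPRECATED):
        print(token, "->", revoke_calldata(DEPRECATED))
```

Event logs only record the last amount approved, and some tokens do not emit Approval when an allowance is spent, so confirm the result with the token's `allowance(owner, spender)` call before and after revoking.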
Hashflow’s native token, HFT, fell 7% in the 12 hours after the incident, dropping to $0.338 at the time of writing, according to CoinGecko. The token remains 90% below its November 2022 all-time high of $3.61.
This is the second DeFi exploit this week as lending platform Sturdy Finance lost around $800,000 worth of Ethereum on June 12. The vulnerability was related to price manipulation, according to Peckshield, which issued the warning.
Sturdy Finance offered the exploiter a $100,000 reward for returning the funds.