- On March 7, an unknown person exploited a vulnerability in the Tender.fi oracle.
- Thanks to the bug, he withdrew $1.59 million worth of cryptocurrency.
- The hacker agreed to return the funds for a fee of 6% of this amount.
Yesterday, March 7th, the Tender.fi lending platform was suspended due to anomalous activity. The administration later acknowledged the hack. Most surprisingly, the hacker agreed to return the stolen funds for a small fee.
The hacker exploited a price oracle vulnerability. Using the bug, he borrowed $1.59 million against a single GMX token, priced at $70, as collateral.
PeckShield and BlockSec analysts said the exploit was due to a misconfiguration of the oracle. Whether the hacker's actions constitute a crime is a complex question. But, apparently, he decided not to risk it.
Using an on-chain message, the hacker contacted the Tender.fi administration. The parties agreed on a deal: a refund in exchange for compensation. The hacker was paid $97 thousand, that is, about 6% of the total amount.
An hour later, Tender.fi confirmed that the hacker had transferred the entire amount. Whether he was really a "white hat" is unknown. It is possible that this whole action was just an attempt to draw the administration's attention to the problem.
A similar case happened with the Mango Markets platform. In that situation, the hacker also exploited a vulnerability in the price oracle. A few days later, he got in touch and stated that he had not violated the law.
Recall that he is currently under arrest. Not only Mango Labs, but also the SEC, the CFTC and the US Department of Justice filed a lawsuit against him.