The Web3 security company CertiK flagged an incident on Feb. 21, after Hope Finance notified users of an exploit in a tweet from its Twitter account.
Not many details known about the project
Not many details have been made public about the project yet. At the beginning of this year, the Twitter account of the Hope Finance platform was created and plans were outlined for an algorithmic stablecoin called ‘Hope-Token’, or HOPE for short. The supply of this coin is meant to be dynamically adjusted to the price of Ethereum (ETH).
Reportedly, a Nigerian national was able to pull off a scam that allowed approximately $1.86 million (€1.75 million) to be transferred from the Hope platform to Tornado Cash. This happened after the platform went live yesterday, on February 20th.
The scammer was able to exploit a smart contract, which eventually led to funds being drained from the Hope Finance Genesis protocol.
It appears that the scammer changed the TradingHelper contract, so that when 0x4481 calls OpenTrade on the GenesisRewardPool, the funds are transferred to the scammer.
2 major vulnerabilities not fixed
After the smart contract was examined, it became known that there were 2 major vulnerabilities: an incorrect modifier and the possibility of a re-entrancy attack. The vulnerabilities reportedly came to light earlier, but nothing was done to fix them. That ended up being expensive.
After the scam, Hope Finance shared information with users on how to withdraw staked liquidity from the protocol through an emergency withdrawal feature. Finally, a step-by-step plan was shared through Twitter with which used tokens could be recovered.