$61M Drained: Hedgey, Prisma, and Sushi Samurai Exploited by Broken Validation and Transfer Logic
Hedgey Finance lost $44.7M after a missing validation let attackers supply their own campaign parameters. Prisma Finance bled $11.6M from unchecked migration logic. Super Sushi Samurai’s transfer logic doubled balances on self-transfers, leaking $4.6M. ParaSwap’s Augustus V6 let $24K slip through an unauthenticated swap callback. Two chains, four vectors, same lesson: validate every input.
In Brief
Hedgey Finance lost $44.7M due to missing input validation.
Prisma Finance was targeted in a $11.6M attack.
Super Sushi Samurai was exploited for $4.6M.
ParaSwap’s Augustus V6 contract was hacked for $24K.
Hacks Analysis
Hedgey Finance | Amount Lost: $44.7M
On April 19th, the Hedgey Finance exploit on the Ethereum Mainnet resulted in a $44.7M loss. The root cause was missing input validation in the createLockedCampaign() function of Hedgey Finance’s ClaimCampaigns contract. The function accepted attacker-controlled claimLockup parameters without checking them and approved the campaign’s tokens to the locker address the attacker supplied. The attacker then cancelled the campaign to recover their deposit while that approval remained in place, and used it to transfer the tokens held by the contract to their own address. The Hedgey Finance team acknowledged the incident and sent an on-chain message to the exploiter.
Prisma Finance | Amount Lost: $11.6M
On March 28th, the Prisma Finance exploit on the Ethereum Mainnet resulted in a $11.6M loss. The root cause was missing input validation in the MigrateTroveZap contract, specifically in the migrateTrove() function. This function, intended to automate migrations between trove managers, did not validate the collateral and debt parameters it was given and triggered debtToken::flashloan() without checking who had requested the migration or what data the callback received. This let the attacker run migrations on behalf of users who had delegated approval to the zap and send the freed collateral to arbitrary addresses.
Super Sushi Samurai | Amount Lost: $4.6M
On March 21st, the Super Sushi Samurai exploit on the Blast Network resulted in a $4.6M loss. The root cause was a flaw in the token’s transfer logic: the _update() function read the sender’s and recipient’s balances first and wrote both back afterwards, so when from and to were the same address the two reads came from the same storage slot and the second write (recipient balance plus amount) overwrote the first (sender balance minus amount). Every self-transfer therefore credited the caller with the amount transferred, and transferring one’s entire balance to oneself doubled it, which amounted to unlimited minting for anyone who noticed.
Exploit Contract (on Blast Network): 0xdfdcdbc789b56f99b0d0692d14dbc61906d9deed
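The self-transfer bug above, reproduced as an added Python model (constructed for this write-up, not the project’s Solidity). The vulnerable function keeps the read-both-then-write-both shape described in the paragraph; the fixed function debits before it credits. Names and the starting balance are illustrative.

```python
"""Constructed model of a self-transfer that credits the sender. Not the project's code:
the vulnerable _update reads both balances first and writes both afterwards, so when
frm == to the second write discards the debit performed by the first."""


def update_vulnerable(balances, frm, to, amount):
    """Read-both-then-write-both. Correct when frm != to; credits +amount when frm == to."""
    if balances.get(frm, 0) < amount:
        raise ValueError("insufficient balance")
    from_balance = balances.get(frm, 0)
    to_balance = balances.get(to, 0)      # same slot as from_balance when frm == to
    balances[frm] = from_balance - amount
    balances[to] = to_balance + amount    # overwrites the debit above when frm == to


def update_fixed(balances, frm, to, amount):
    """Debit, then credit from the updated state, so a self-transfer is a no-op.
    Rejecting frm == to outright is an equally valid fix."""
    if balances.get(frm, 0) < amount:
        raise ValueError("insufficient balance")
    balances[frm] = balances.get(frm, 0) - amount
    balances[to] = balances.get(to, 0) + amount


def self_transfer_loop(update, start, rounds):
    """Transfer the caller's whole balance to themselves `rounds` times; return the result.
    With the vulnerable update each round doubles the balance: start * 2 ** rounds."""
    balances = {"attacker": start}  # constructed starting state
    for _ in range(rounds):
        update(balances, "attacker", "attacker", balances["attacker"])
    return balances["attacker"]


if __name__ == "__main__":
    print("vulnerable:", self_transfer_loop(update_vulnerable, 100, 10))
    print("fixed:     ", self_transfer_loop(update_fixed, 100, 10))
```

Both functions behave identically for ordinary transfers; the divergence only appears when sender and recipient coincide, which is exactly the case a unit test of transfer logic should include.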
ParaSwap | Amount Lost: $24K
On March 20th, the ParaSwap exploit on the Ethereum Mainnet resulted in a $24K loss. The root cause was that the uniswapV3SwapCallback() function of the AugustusV6 contract did not verify that it was being invoked by a genuine Uniswap V3 pool during a swap the contract had itself initiated. The attacker could therefore call the callback directly and have the contract pull tokens from users who had approved AugustusV6, redirecting them to an attacker-controlled address. The ParaSwap team acknowledged the incident, paused the affected contract, and sent on-chain messages to the exploiter.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker moved 4,999 ETH to a malicious contract in a single transaction, then created a second malicious contract and transferred 1,001 ETH to it. Huobi has since stated that it has identified the attacker and has offered a 5% white-hat bounty if the funds are returned to the exchange.