Hedera Vulnerability - Event Log
Status: 10/03/2023
A recap of the events that took place within the Hedera ecosystem during March 9 & 10 (all timestamps are based on UTC +8).
Suspicious activity
Oracle from the Pangolin team opened a ticket in our Discord server, notifying the HeliSwap team that suspicious activity was taking place within the Hedera ecosystem.
Within a few minutes we were on the case. We first confirmed internally that there was indeed suspicious activity going on, then redirected all our efforts and focus onto the matter.
LimeChain, HeliSwap’s Tech partner, reacted incredibly fast and opened a line to their own Hedera developer team and Swirlds Labs to get to the bottom of things.
Joining forces - creating the war room
The natural next step was to join forces with Pangolin & hashport and to enter a war room (a direct line between the teams that allowed for fast communication and sharing of information).
hashport, once aware of the issue, reacted swiftly and first closed the bridge to block the stolen funds from exiting Hedera. Soon after, they also triggered the Pause Key of their tokens, freezing them in place: a paused HTS token cannot be transferred by anyone until it is unpaused, so the stolen balances could not be moved and were protected from further exploitation. All of this happened within minutes.
While the war room team was investigating further, it could not be ruled out that other, non-bridged HTS tokens were also exposed to the exploit, which is why HeliSwap, Pangolin and hashport decided to post coordinated communications warning the entire ecosystem to withdraw any un-paused HTS tokens.
Unified messaging to inform the community
With the message out from hashport, we could also share a message informing the Hedera ecosystem about the smart contract irregularities. It was important that hashport be the first to share the message, as this ensured the bridging capabilities had already been closed down before the issue was made public.
Our initial investigation suggested that HeliSwap's pools should mostly be safe from the exploit, as our version of Wrapped HBAR (WHBAR) is not an HTS token but ERC-20 based, and is involved in >90% of the pools. But since community funds were at risk and there was no certainty about the nature of the security breach, the advice above was still necessary.
HeliSwap’s impact
During the course of the past 24 hours, HeliSwap took a hit of 1001 USDC and 1001 DAI, which were taken out of the USDC[HTS] <> DAI[HTS] pool. Thankfully, any further damage was mitigated by the swift actions of all parties involved.
Providing Clarity - mitigating speculation
Since we saw a lot of speculation from other DeFi projects not involved in the war room, we deemed it necessary to further warn the ecosystem against speculation and unclear information. It came to our attention that, while this is a very serious matter, some projects decided to use it as a marketing stunt. Together with Pangolin, we prepared another thread to warn the ecosystem.
The conclusion from HeliSwap
We have acted as swiftly and decisively as possible to protect HeliSwap and the Hedera community from any potential damage. We are very thankful to Pangolin and hashport for sharing our values of open communication, collaboration and support. Together we were able to keep this vulnerability from causing any substantial harm.
The damage to HeliSwap itself is marginal and will not impact our operations going forward.
While this situation is unprecedented on Hedera, it has once again shown that competition ends the moment things get serious. Our experience working with Pangolin and hashport was incredibly professional and coordinated.