Hedera Network Confirms the Rumored Exploit, Restricts Mainnet Access

Hedera Network, a decentralized proof-of-stake ledger, has confirmed that the network has suffered an exploit after reporting “network irregularities” on Thursday.

On Thursday, March 9^th, a number of dapps using Hedera Token Service (HTS) reported that they had paused their services on the Hedera network following malicious smart contract activities.

Due to some Hedera network irregularities, Hashport has paused their bridge. This means, that the bridged HTS tokens are safe inside the pools and cannot be withdrawn at the moment. For other pairs, we encourage everyone to withdraw their liquidity immediately.

— HeliSwap (@HeliSwap_DEX) March 9, 2023

The HBAR Foundation, the organization behind the Hedera ecosystem, later confirmed that there was indeed some unusual activity on the network that impacted various DeFi dapps. The core team at Hedera then announced that they had closed the network’s mainnet proxies, making the network effectively inaccessible, to prevent any damages. The team wrote:

In an abundance of caution & safety for users, @Hedera is turning off network proxies on mainnet, making it inaccessible.@Hedera core is working through the smart contract irregularities & will re-enable proxies once resolved.

Visit https://t.co/heOGAb4jq3 for the latest.

— Hedera (@hedera) March 9, 2023

“In an abundance of caution & safety for users, @Hedera is turning off network proxies on mainnet, making it inaccessible.

@Hedera core is working through the smart contract irregularities & will re-enable proxies once resolved.”

Hack Speculations Follow

The report of irregular activity fueled speculation across social media platforms that hackers had attacked the Hedera platform, rather than a technical glitch. DeFi research firm Ignas tweeted that Hedera was under attack and the exploit was targeting the decompiling process in smart contracts. Initially, Hedera neither confirmed nor denied those rumors.

1/ There's an ongoing exploit hitting Hedera.

All Hedera dApps using Hedera Token Service (HTS), like LP tokens or wrapped tokens are affected.

The exploit is targeting the decompiling process in smart contracts.

Advice: "Get your funds out now." pic.twitter.com/H5jOhLg9od

— Ignas | DeFi Research (@DefiIgnas) March 9, 2023

The price of native HBAR coin and DeFi value locked on Hedera fell sharply. According to DeFiLlama, the TVL on the network has dropped more than 16% in the last 24 hours.

Hedera Confirms the Exploit

On Friday, March 10^th, the core team at Hedera confirmed the exploit. Hedera said:

“Today, attackers exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their own account.”

Today, attackers exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service tokens held by victims’ accounts to their own account. (1/6)

— Hedera (@hedera) March 10, 2023

According to the confirmation announcement, the exploit mostly affected the DeFi apps on the network that include the DEX platform Pangolin Hedera, SaucerSwap Labs, and HeliSwap. The attacker targeted the accounts used as liquidity pools “on multiple DEXs that use Uniswap v2-derived contract code ported over to use the Hedera Token Service.”

The perpetrator tried to move the funds through a cross-chain bridge Hashport. However, the bridge operator “detected the activity and took swift action to disable it.”

While the mainnet is online and reaching consensus, the proxies are still closed, which means that users are still unable to access the mainnet. The team has identified the root cause and is working on a solution. Mainnet proxies will be turned on after the deployment of an updated code on the mainnet.

The extent of loss is still to be determined. A timeline compiled by Pangolin Hedera suggests that the hacker was unable to move funds out of the Hedera ecosystem as the Hashport has blocked the assets.