Hedera Hashgraph, the team behind the distributed ledger technology, has confirmed a smart contract exploit on the Hedera Mainnet that resulted in the theft of several liquidity pool tokens.

The attacker targeted liquidity pool tokens on decentralized exchanges (DEXs) that derived their code from Uniswap v2 on Ethereum, which was ported over for use on the Hedera Token Service.

The suspicious activity was detected when the attacker attempted to move the stolen tokens, which consisted of liquidity pool tokens on SaucerSwap, Pangolin and HeliSwap, across the Hashport bridge. Operators acted promptly to temporarily pause the bridge.

Hedera Hashgraph did not confirm the amount of tokens that were stolen. However, it did mention that it had identified the “root cause” of the exploit and is working on a solution.

Once the solution is ready, Hedera Council members will sign transactions to approve the deployment of updated code on mainnet to remove this vulnerability, at which point the mainnet proxies will be turned back on, allowing normal activity to resume.

On Feb. 3, Hedera upgraded the network to convert Ethereum Virtual Machine (EVM)-compatible smart contract code onto the Hedera Token Service (HTS).

Part of this process involves the decompiling of Ethereum contract bytecode to the HTS, which is where Hedera-based DEX SaucerSwap believes the attack vector came from. However, Hedera Hashgraph did not confirm this in its most recent post.

In response to the potential exploit, Hedera Hashgraph managed to shut down network access by turning off IP proxies on March 9.

As a precaution, tokenholders are advised to check the balances of their account ID and Ethereum Virtual Machine (EVM) address on hashscan.io for their own comfort.
