An Arbitrum-based stablecoin project was compromised in a well-orchestrated smart contract scam in which users lost about $2 million from their accounts. CertiK reported the incident while responding to Hope Finance’s tweet alerting customers to the scam.

Users lose funds to yet another exploit

Potential users of Hope Token, a project newly launched in January, have lost more than $2 million through a smart contract scam. CertiK, a renowned web3 security entity, highlighted the event in response to a tweet by Hope Finance warning its users of the deception.

#CommunityAlert 🚨 @hope_fin have announced the community has been scammed for ~$2m making this the largest #exitscam on Arbitrum in 2023. $1.86m was transferred to @TornadoCash. Hope_fin have posted steps for users to withdraw their staked LP https://t.co/hJbFXiKujt

— CertiK Alert (@CertiKAlert) February 21, 2023

Although the details of the project have not been fully unveiled, the platform’s Twitter account was created in January 2023 and gave details of an upcoming algorithmic stablecoin named Hope Token (HOPE). The token is said to adjust its supply in relation to Ether’s price.

CertiK explained that the scammer deployed a fake router in preparation for the Hope Finance exit scam. The scammer then updated the SwapHelper to use the fake router, in a transaction approved by all 3 owners of Hope’s multisig.

With the change in place, tokens were no longer swapped but were sent as USDC to another address the scammer controlled.

#CertiKSkynetAlert 🚨1\ In preparation for the @hope_fin #exit scam, a fake router was deployed in txn 0xf188. The SwapHelper was then updated to use this fake router in txn 0xc9ee. This txn was approved by all 3 owners of Hope’s multisig 0x8ebd. pic.twitter.com/Qpxa2f6d6b

— CertiK Alert (@CertiKAlert) February 21, 2023

Twitter posts by Hope Finance claim that the hacker was of Nigerian origin and had already transferred more than $1.8 million of the stolen funds to Tornado Cash.

The transfer occurred moments before the project’s launch on Feb. 20. The scammer tampered only with the smart contract details to gain full access to the funds in Hope Finance’s genesis protocol.

FUCKING SCAMMER!!!! HE SCAMMED COMMUNITY FOR 2 MLN DOLLARS pic.twitter.com/F3AWKpqZfD

— Hope Finance (💙,🧡) (@Hope_fin) February 20, 2023

Audit of the code by Cognitos

According to a tweet posted on Feb. 13, Hope Finance indicated that a representative from Cognitos had audited the smart contract. The representative flagged two main weaknesses in the smart contract: reentrancy attacks and improper modifiers.

However, Cognitos reported that the smart contract code passed the audit even though the two vulnerabilities were observed.

To cushion more users from fraud, Hope Finance announced a different way for users to withdraw their funds from the system. In addition, the availability of a layer-2 protocol is a remedy for handling such cases on the Ethereum platform.

Steps to withdraw your staked LP from this fucking scam protocol
1. Go on this link https://t.co/HjuvQyxbUX
2. connect your wallet
3. click on emergency withdraw
Enter 0000000000000000000000000000000000000000000000000000000000000002 pic.twitter.com/5RxtgKXgoo

— Hope Finance (💙,🧡) (@Hope_fin) February 21, 2023

The attack comes after another smart contract manipulation at Ethereum Denver, which led to a loss of more than $300,000.