Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

Hacker returns stolen funds to Tender.fi, gets K bounty reward

The bounty, which was offered via an on-chain message was approximately $97,000 or approximately 6% of the exploit amount.

The hacker behind the exploit of the decentralized finance (DeFi) lending platform Tender.fi has returned the stolen funds for a $97,000 bounty reward in Ether (ETH).

The exploit was executed at 10:28 am UTC on Mar. 7, with Tender.fi confirming the incident on Twitter soon after citing “an unusual amount of borrows,” and adding it has paused all borrowing.

Blockchain data showed the exploiter used a price oracle glitch to borrow $1.59 million worth of assets from the protocol by depositing 1 GMX token, valued at around $71.

“It looks like your oracle was misconfigured. contact me to sort this out,” wrote the hacker in an on-chain message.

*Message sent to Tender.fi from the price oracle exploiter. Source: Arbiscan*

Eight hours later, the DeFi protocol announced it had come to an agreement with the “White Hat” exploiter, in which the hacker would repay all loans minus a 62.16 ETH “bounty,” worth around $97,000 at current prices.

Translation: The White Hat will repay all loans minus 62.158670296 ETH, which will be kept as a Bounty for helping secure the protocol. The https://t.co/H4ZMPLH9pz Team will repay the Bounty s value to the protocol, so that there will be no bad debt and users will remain… https://t.co/5bbmKu7zEe
— Tender.fi (@tender_fi) March 7, 2023

Another hour later, Tender.fi confirmed on Twitter that the exploiter had completed the loan repayments.

“Funds are officially SaFu, post mortem on the way,” it wrote.

Last year in August, cross-chain Nomad Bridge appealed to exploiters that participated in a smart contract exploit that extracted $190 million in funds from the bridge in less than three hours.

Mere hours later, approximately $32.6 million worth of funds were already returned, suggesting some of the exploiters may have been white hat hackers attempting to extract funds for a later safe return.

Later in the month, nonfungible token (NFT) firm Metagame even offered a “Whitehat Prize” in the form of an NFT for anyone that proved they returned at least 90% of the funds they stole from the protocol.

1/ Our friends at @metagame created an earned NFT as a thank you to whitehats who returned funds from the Nomad Bridge Hack. Head over https://t.co/TWwuJwnRXj to claim it! pic.twitter.com/V87rkGhBEE
— Nomad (⤭⛓) (@nomadxyz_) August 23, 2022

Blockchain data from the Official Nomad Funds Recovery Address shows that funds continued to be returned to the recovery address since then, with the latest transaction recorded on Feb. 18, 2023, for $7,868 in Covalent Query Token (CQT).

Luna Classic (LUNC) pricing error leads to Mirror Protocol exploit

Coin Telegraph

An error on the pricing oracle software for Terra Classic validators opened the door for an exploiter to drain four synthetic asset pools from the Mirror Protocol.

A mismatch in the reported price of underlying assets on synthetic assets DeFi platform Mirror Protocol has caused an ongoing exploit that has the potential to drain all of its funds.

The exploit was observed on May 29 by governance participant ‘Mirroruser’ on the protocol’s forum. As of the time of writing, the mBTC, mDOT, mETH, and mGLXY synthetic asset pools on the protocol have lost almost all of their assets valued at over $2 million.

Mirror allows trading of synthetic assets, such as stocks and cryptocurrency on the Terra and Terra Classic layer-1 blockchains, BNB Chain (BNB), and Ethereum (ETH).

A pricing error for Luna Classic (LUNC) made the exploit possible. The remaining validators on Terra Classic reported that the price of LUNC ($0.000122) was the same as the newly launched LUNA ($9.32) even though their real market prices vary wildly according to CoinGecko.

Chainlink community ambassador ‘ChainLinkGod’ explained on May 31 that the “Terra Classic validators were running an outdated version of the oracle software.”

.@mirror_protocol has just been exploited again due to Terra Classic validators reporting the price of the new Terra 2.0 $LUNA coin (~$9.80) instead of the original Terra Classic $LUNC coin (~$0.0001)

This is a massive operations failurehttps://t.co/hO0M0UFBYq https://t.co/ygbr3ij4iS pic.twitter.com/PO0huxX8oQ
— ChainLinkGod.eth (@ChainLinkGod) May 30, 2022

Venus Protocol and Blizz Finance each suffered from a similar exploit in May when price oracle Chainlink’s reported LUNA price remained at $0.10 while the market price ran far below that. Blizz Finance was entirely drained while Venus lost $11.2 million.

Terra community whistleblower on Twitter, pseudonymous ‘FatMan’, warned that the Mirror exploit will affect the other ‘m’ asset pools by about 8:00am UTC on May 31. However, the account also claims that most of the pools can be saved if the developers intervene to fix the bug.

By 12:55am UTC, it appeared that the pricing error had been fixed for LUNC, as the price being verified by the oracle has returned to its real market value.

This is the second time Mirror has suffered from a major vulnerability. The previous bug in Mirror’s code was exploited “hundreds of times” since 2021 according to FatMan in a May 27 tweet. The first exploit allowed a user to unlock other users’ collateral on the protocol and pull it out themselves. In all, the first exploiter got away with “well over $30 million” and was not noticed until May 2022, he added.

On May 28, the Terra ecosystem was relaunched when Terra 2.0 went online as per founder Do Kwon’s plans. Terra 2.0 is a fork of the now-named Terra Classic blockchain. LUNA tokens are being airdropped to investors who held the previous version of LUNA and the TerraUSD (UST) stablecoin during the catastrophic collapse of the Terra ecosystem earlier this month.

Mirror Protocol (MIR) tokens are currently down 2% in the past 24 hours and are trading at $0.31 according to CoinGecko.

Price Oracle