Security Vulnerability Causes Hedgey Finance to Lose Millions of Dollars

Token infrastructure platform Hedgey Finance lost millions of USD in assets within 2 hours on layer 2 network Arbitrum and Binance Smart Chain.

Hedgey Finance Lost Millions of Dollars

In a shared statement, blockchain security firm Cyvers explained that an attacker exploited Hedgey's “createLockedCampaign” function. He used flash-loaned funds to withdraw money.

An analysis of the heist found that the attacker stole $1.9 million. This amount was then immediately converted to stablecoin DAI. He has now transferred the assets to an outside address.

This person implemented a similar vulnerability on the Arbitrum chain. He stole another 42.8 million USD on the ETH chain via FixedFloat.

Cyvers commented that “despite the discovery, efforts to contact the Hedgey Finance team were unsuccessful.” They recommended more expanded cooperation between dApps and security companies to “mitigate risks and rebuild trust.”

Consequences of the Attack

After the attack, the above suspicious address became the main owner of BONUS tokens. BONUS is the native digital asset of BonusBlock. This is  a project focused on attracting and onboarding high-quality users into the Web3 ecosystem.

According to data from CoinMarketCap, the value of this digital asset has decreased by about 10% to 0.5084 USD.

Notably, the attacker moved more than 200,000 BONUS tokens worth $110,000. And the destination of this transaction is Bybit.

Hedgey Finance's Response

Hedgey Finance announced an ongoing investigation into the attack in response to the exploit. The company quickly advised users with active claims to cancel them using the “End Token Claim” feature on the platform's website. They added:

“We are actively working with our auditors and teams to understand the attack and prevent any ongoing attacks. We will share more information as more details become available.”

Multiple fake accounts impersonating the Hedgey protocol have appeared on social network X. They are urging users of the hacked platform to request refunds or revoke smart contract approvals through phishing links suspect.