Hacker breaches DeFi lending platform, but ‘forgets’ to withdraw his $1mn exploit

In a rather curious turn of events, a hacker who managed to successfully exploit a vulnerability in a decentralised finance (DeFi) lending platform seemingly ‘forgot’ to withdraw over $1 million from the platform. Due to the way cryptocurrencies and blockchain work, this amount is now lost forever, meaning that eventually, the entire hack went in vain.

Yesterday, on April 21, blockchain security firm PeckShield reported that Zeed, a rather small DeFi lending protocol, suffered a breach. This said breach was linked to the protocol’s reward handout system, through which lenders on the platform earned extra crypto token rewards. The hacker in question breached this system, thereby managing to mint extra tokens within the protocol.

This saw the hacker bringing the platform’s token price down to zero, and netting over $1 million in Binance-Peg (BSC-USD) token.

After the exploit, the hacker followed due process by transferring all the stolen tokens to a smart contract, which was pre-decided. Such a contract in crypto heist parlance is called an ‘attack contract’.

However, this is where the attacker seemingly killed the smart contract before withdrawing the heist from it. While killing the smart contract was in order to try covering the steps of the exploit, by killing the contract before making the withdrawal, the hacker essentially lost the entire exploit – permanently.

A DeFi lending protocol, such as Zeed, typically allow users to lend or borrow cryptocurrencies – and offers rewards in additional tokens for either party upon successful execution of smart contracts.

Smart contracts themselves are programmes on a blockchain that are executed upon fulfilling pre-decided conditions. Such contracts can be set to withdraw funds to a wallet and subsequently self-destruct to remove traces of the contract’s code – something that helps attackers to try and cover their steps.

However, in this case, the hacker appears to have pulled the chain on the contract without having instructed a withdrawal of the stolen tokens – which PeckShield confirmed is now lost permanently.

The incident, however, still highlights how DeFi protocols are still easily breachable. Multiple reports have stated that a majority of the various DeFi hacks, which have gone into millions of dollars over the past one year, happen due to flaws in the coding of the platforms. These flaws are being readily exploited by hackers across small and large platforms alike – something that led to losses of over $1.3 billion in just the last year itself.