The DeFi liquidity protocol Sentiment was attacked. An unknown actor stole over $500,000 in digital assets.
1/2
The Sentiment team is currently investigating the indictable extraction of funds from the Sentiment protocol.We have taken steps to identify the exploit’s root cause and mitigate further protocol misuse.
— Sentiment (@sentimentxyz) April 4, 2023
The project team confirmed the incident but did not disclose the loss amount. The developers launched an investigation, seeking assistance from law enforcement and analytics firms.
“The Sentiment team is currently investigating the withdrawal of funds from the protocol. We have taken steps to identify the exploit’s root cause and mitigate further malicious actions”, said Sentiment.
1/2
The Sentiment team is currently investigating the indictable extraction of funds from the Sentiment protocol.We have taken steps to identify the exploit’s root cause and mitigate further protocol misuse.
— Sentiment (@sentimentxyz) April 4, 2023
According to on-chain researchers, the attacker exploited a re-entrancy bug on Balancer to execute malicious code. He took a flash loan on Sentiment, manipulating data to inflate the collateral price and withdrew 536,738.4 USDC via the Synapse Bridge on the Arbitrum network.
Quick analysis we made with @lekhovitsky about @sentimentxyz incident: https://t.co/CHfr0lB19O
TL;DR:
Attacker used view re-entrance Balancer bug to execute malicious code before pool balances were updated and steal money using overpriced collateral— 0xmikko.eth (@0xmikko_eth) April 4, 2023
Some experts noted that this was a recurring attack.
Beosin researchers determined that losses from the attack amounted to about $1 million. They confirmed that the attacker used a reentrancy bug.
Sentiment protocol was under an attack with a loss of ~$1 million caused by a price error due to reentrancy.https://t.co/1cFOxqpbZV https://t.co/5biOuaIKCo pic.twitter.com/2Luk7YcuLA
— Beosin Alert (@BeosinAlert) April 5, 2023
According to DeFi Llama, in the wake of the hack the value of assets blocked in Sentiment plummeted by almost half—from $10.78 million to $5.27 million.
“Today’s $1 million dollar Sentiment attack involved a whole festival of classic security problems, including bad reentrancy behavior on Balancer’s part.
But the core problem was that Sentiment totaled up the assets on an AMM to get a dollar value for them. https://t.co/Q1GmqN0Dv2” said blockchain specialist Daniel Von Fange.
As reported in April, the Allbridge cross-chain bridge lost digital assets worth about $570 000 in a hacking incident.
In an interview with ForkLog, project cofounder Andrey Velikiy spoke about the real amount of damage and the attack vector on the protocol, the possibility of recovering funds, and a plan to compensate affected users.