On April 4, a malicious exploit attacked Sentiment, a decentralized finance (DeFi) platform providing lending and borrowing services on the Arbitrum layer-2 network, resulting in a loss of approximately $1 million.
The attacker exploited a reentrancy flaw in Balancer, a liquidity protocol that interfaces with Sentiment, to conduct fraudulent transactions and drain funds from the site.
According to Sentiment’s official Twitter account, the team spotted suspicious borrowing activity on April 4 at approximately 6:00 PM UTC and promptly halted its main contract in order to prevent further loss.
In addition, the team recruited the assistance of third-party security specialists at PeckShield, who confirmed the nature and scope of the attack and offered a fix for the vulnerability.
1/4
A status update on the current situation: At approximately 06:00:00 PM +UTC The Sentiment team became aware of abnormal borrowing activity which has now been declared as a malicious exploit.
— Sentiment (@sentimentxyz) April 5, 2023
Users can now repay their debts and withdraw their funds, and Sentiment is working with law authorities and other parties to track down the hacker to recover the stolen crypto assets.
PeckShield, the security consultant for the platform, gave an in-depth analysis of the vulnerability on its blog, revealing how the attacker used a view reentrancy issue at Balancer to change pool balances and overcollateralize their loans on Sentiment.
According to Peckshield, the attacker then used flash loans to borrow and liquidate significant quantities of Sentiment tokens, making off with around $1 million worth of cryptocurrency.
The root cause is known to be the read-only reentrancy of Balancer: https://t.co/ynuWr6PZMR. Here is the related tx: https://t.co/iqvS48njau https://t.co/Mxkc1xoJn5 pic.twitter.com/IPzmtLKrBx
— PeckShield Inc. (@peckshield) April 5, 2023
DeFi Exploits Are Increasing
The assault against Sentiment is the most recent in a series of attacks aimed at DeFi platforms. On March 13, Euler Finance was the victim of a flash loan assault that resulted in the loss of digital assets valued at $197 million.
According to Peckshield’s analysis of the incident, the perpetrator stole the funds by exploiting a flaw in Euler Finance’s donation and liquidation logic.
However, the hacker returned the stolen assets following weeks of high drama that included a million-dollar reward offer from Euler, legal threats, and an apology from the perpetrator.
Read more: Euler Finance’s Bold Offer to Hacker: Keep $20M or Risk Prosecution
These attacks have increased the security concerns faced by DeFi platforms, particularly when they rely on external protocols that may contain hidden flaws or vulnerabilities.
In 2022, the crypto sector lost more than $3 billion to hackers and fraudsters, and this year has witnessed a rise in such heists and thefts. In the last month alone, hackers stole almost $21 million from DeFi protocols.