The hacker was able to borrow $1.6 million due to a bug in the system by depositing a single GMX token worth only $70. The development team is planning to rewrite the code as a solution.
A white hat hacker, armed with a trusty keyboard and an arsenal of code, infiltrated the decentralized-finance (DeFi) platform TenderFi and walked away with a cool $1.6 million. Instead of keeping the loot, the hacker returned the stolen funds and collected an ETH bug bounty worth $850,000.
TenderFi, like any good DeFi platform, uses a price feed to keep things in check. But they made the classic mistake of upgrading their price feed to relay data from a Chainlink pricing oracle without properly double-checking everything.
As a result, a little error snuck in, and the hacker was able to deposit just one GMX token, which is worth a measly $70, and suddenly trick the system into thinking they had infinite borrowing power.
The hacker made out like a bandit and extracted $1.6 million from the protocol. But they didn’t just leave with the cash. They left an on-chain message that read, “It looks like your oracle was misconfigured. Contact me to sort this out.” The hacker essentially gave TenderFi a wake-up call to tighten up the protocol's security.
TenderFi reached out and agreed to pay the white hat hacker the ETH bug bounty. But they didn’t stop there. The protocol plans to deploy a new, rewritten oracle contract before unpausing borrowing, ensuring that no one can pull these kinds of shenanigans again. Plus, they’ve vowed to repay any unpaid debt left behind by the hacker.
TenderFi's protocol token, TND, took a hit and plunged 34% on the day of the heist due to a crypto market rout, although the token is currently trading at $1.86, up 6% from its lows.