White Hacker Hits Crypto Exchange, Returns Funds then Scores a Hefty Bug Bounty

A hacker figured out a way to “steal” $1.6 million worth of assets from the Tender Protocol pools. The good news is that it was a white hacker who agreed to return all of the funds, earning a bug bounty for his troubles.

The crypto market had a rough 2022, with too many security incidents to count. Judging from how 2023 started, this year doesn’t seem any better. There was little hope when the news of the  $1.6 million hacked from the DeFi platform hit. Fortunately, this is one crypto story with a happy ending.

Most hacks end up with the money gone or blocked from transactions. In some cases, authorities managed to track down funds and recover some funds, but that’s rarely the case.

“Although the borrower had deposited just 1 GMX of collateral, the user was able to borrow $1.59 Million dollars worth of assets,” explained the DeFi team.

“While investigating the incident, we discovered that the code integrating the new oracle contained an error, and was returning a number with too many zeros behind it,” the team added. “This type of bug is notoriously common in Solidity contracts, which store numbers as integers without decimal points. Often, the decimal place is implicit, and the programmer must account for the precise number of decimals elsewhere.”

Immediately after noticing the discrepancies, the team decided to pause borrowing.

Fortunately, the hacker contacted them and left a simple on-chain message: “It looks like your oracle was misconfigured. Contact me to sort this out.”

The hacker agreed to return all of the loans and received a bug bounty worth 62.16 ETH, or around $98,000. DeFi resumed borrowing quickly after.