Post Mortem: Hector Network
1/17/2024

Project name: Hector Network

Project type: DeFi

Date of exploit: Jan 15th, 2024

Asset loss: $2.7M

Vulnerability: Centralization Risk / Private Key Leak / Inside Job

Date of audit conducted: Dec 19th, 2023

Conclusion: Out of audit scope

Details of the Exploit

Background

The affected codebase is related to Hector Network’s liquidation process, which distributes the treasury to the token holders from the Fantom Chain to the ETH Mainnet. For example, users can register HEC on Fantom and claim USDC on Mainnet based on a rate determined by the backend.

In detail, users will first need to register their wallets with qualifying tokens. A privileged role, "moderator," can call the "AddEligibleWallet()" function with the amount that users can claim. Finally, the registered eligible wallets will be able to claim the assets via mintWithdraw.

Nature of the Vulnerability

The centralized AddEligibleWallet function grants the deployer (i.e., the moderator) the capability to designate arbitrary addresses as eligible wallets; in this exploit, address 0x86D3E3e was designated in transaction 0x1b813d9. The eligible wallet was then able to call mintWithdraw, which triggers transferRedemption, to drain assets from the treasury in transaction 0xd1b342c.
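To make the control gap concrete, the following Solidity sketch is an added illustration, not Hector Network's contracts and not code from the CertiK report. It places the single-key pattern the post describes (one moderator address adds any wallet with any amount, and that wallet can withdraw immediately) beside a hardened form in which eligibility must be proposed against a pre-registered wallet, is capped per wallet, waits out a delay that leaves time for monitoring, and can be vetoed by an independent guardian key. All contract, function and variable names (SingleKeyRedemption, DelayedRedemption, guardian, DELAY, perWalletCap) are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Hector Network's code. Names and signatures are assumptions
// modelled on the flow described in the post.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Pattern described in the post: one moderator key decides who may claim, how much,
/// and the claim is spendable in the very next transaction.
contract SingleKeyRedemption {
    IERC20 public immutable asset;              // e.g. the USDC held by the treasury
    address public moderator;
    mapping(address => uint256) public eligible;

    constructor(IERC20 _asset) {
        asset = _asset;
        moderator = msg.sender;                 // deployer == moderator
    }

    // Single point of failure: a leaked or misused moderator key can add any address
    // with any amount. There is no cap, no delay and no second approver.
    function addEligibleWallet(address wallet, uint256 amount) external {
        require(msg.sender == moderator, "not moderator");
        eligible[wallet] = amount;
    }

    function mintWithdraw() external {
        uint256 amount = eligible[msg.sender];
        require(amount > 0, "not eligible");
        eligible[msg.sender] = 0;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Hardened form: registration first, capped amounts, a mandatory delay between
/// proposal and spendability, and a guardian (ideally a multisig) that can veto.
contract DelayedRedemption {
    IERC20 public immutable asset;
    address public moderator;
    address public guardian;                    // independent key, distinct from moderator
    uint256 public constant DELAY = 2 days;     // window for monitoring to react
    uint256 public immutable perWalletCap;      // bounds the damage of any single proposal

    struct Pending { uint256 amount; uint64 readyAt; }
    mapping(address => bool) public registered; // users opt in before they can be proposed
    mapping(address => Pending) public pending;
    mapping(address => uint256) public eligible;

    event EligibilityProposed(address indexed wallet, uint256 amount, uint64 readyAt);
    event EligibilityVetoed(address indexed wallet);
    event EligibilityFinalized(address indexed wallet, uint256 amount);

    constructor(IERC20 _asset, address _guardian, uint256 _cap) {
        require(_guardian != msg.sender, "guardian must differ from moderator");
        asset = _asset;
        moderator = msg.sender;
        guardian = _guardian;
        perWalletCap = _cap;
    }

    // Step 1 (user): register the wallet that will later claim.
    function register() external {
        registered[msg.sender] = true;
    }

    // Step 2 (moderator): propose an amount; it only becomes spendable after DELAY.
    function proposeEligibleWallet(address wallet, uint256 amount) external {
        require(msg.sender == moderator, "not moderator");
        require(registered[wallet], "wallet not registered");
        require(amount > 0 && amount <= perWalletCap, "amount out of range");
        uint64 readyAt = uint64(block.timestamp + DELAY);
        pending[wallet] = Pending(amount, readyAt);
        emit EligibilityProposed(wallet, amount, readyAt); // what off-chain alerting watches
    }

    // Guardian can cancel a suspicious proposal at any point before it is finalized.
    function veto(address wallet) external {
        require(msg.sender == guardian, "not guardian");
        delete pending[wallet];
        emit EligibilityVetoed(wallet);
    }

    // Step 3 (anyone): promote a proposal to a claimable balance once the delay passed.
    function finalize(address wallet) external {
        Pending memory p = pending[wallet];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        delete pending[wallet];
        eligible[wallet] = p.amount;
        emit EligibilityFinalized(wallet, p.amount);
    }

    // Step 4 (user): claim, same shape as before.
    function mintWithdraw() external {
        uint256 amount = eligible[msg.sender];
        require(amount > 0, "not eligible");
        eligible[msg.sender] = 0;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The design point is not that the moderator role disappears (the redemption rate still has to come from somewhere) but that a single compromised or malicious key can no longer both grant and spend in one step: the proposal is bounded by the cap, visible on-chain through the event for the length of the delay, and reversible by a key the moderator does not hold.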

CertiK Audit Overview


Conclusion

In light of the $2.7 million withdrawal incident from Hector Network's contract, we have gathered all the relevant information and are committed to maintaining transparency with the public.

Further examination linked these activities to the centralized "AddEligibleWallet" function. This function permits the deployer (i.e., the moderator) to nominate arbitrary addresses as eligible wallets. These eligible wallets have the capability to execute the "mintWithdraw" function and trigger "transferRedemption", leading to the extraction of assets from the HectorRedemptionTreasury contract.

In conclusion, a CertiK audit report dated December 19, 2023, had previously pinpointed the risks associated with centralization, urging the team to explore alternative approaches that would remove the single point of failure inherent in the operation of centralized roles. Despite this, the client expressed their preference to retain the centralized mechanism for operational reasons.

While CertiK respected the client's decision, the firm maintained its stance that the risk issue was NOT adequately addressed, and thus, the status of the findings remained classified as "Acknowledged."
