Due to a $2 million exploit, prospective users of an Arbitrum-based decentralized finance (DeFi) project are out of pocket.
An announcement from Hope Finance’s Twitter account alerting users to the scam prompted Web3 security firm CertiK to flag the incident on Feb. 21.
Its Twitter account was launched in January 2023 and outlined plans for an algorithmic stablecoin called Hope token (HOPE), which dynamically adjusts its supply based on Ether’s price.
The account claims a Nigerian national executed the scam and transferred $1.86 million to Tornado Cash shortly after it went live on Feb. 20. As a result of the scammer changing the smart contract details, funds were drained from Hope Finance genesis protocol, according to a CertiK member
“It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.”
Cognitos officials audited the Hope Finance smart contract on Feb. 13
Although Cognitos flagged these vulnerabilities, the smart contract code passed the audit despite the incorrect modifier and possible reentrancy attacks.
As a result of the scam, Hope Finance shared information with users regarding emergency withdrawals of staked liquidity from the protocol.
With Arbitrum, Ethereum’s layer-2 roll-up network, smart contracts can scale exponentially. With Optimism, Ethereum’s layer-2 protocol, the two layer-2 protocols continue to handle an increasing amount of transactions.