Hedgey Finance, a notable token infrastructure platform, has reported a substantial security breach resulting in the loss of approximately $44.5 million in cryptocurrencies. This theft occurred rapidly over a span of just two hours and impacted operations on Ethereum’s layer-2 network Arbitrum as well as the Binance Smart Chain. The cyberattack exploited a specific vulnerability within Hedgey’s “createLockedCampaign” function. Utilizing flash-loaned funds to facilitate the theft, the attacker demonstrated an in-depth understanding of the platform’s operational mechanics and existing security flaws.
The attack was executed in phases, beginning with the theft of $1.9 million, which was quickly converted into the DAI stablecoin and transferred to an external address. Subsequently, the assailant replicated this method on the Arbitrum chain, leading to a more significant theft of $42.6 million. These funds were initially sourced on the ETH Chain via FixedFloat, a cryptocurrency exchange service, illustrating the sophisticated multi-chain strategy employed by the attacker.
In response to the breach, Hedgey Finance has initiated a comprehensive investigation to dissect the attack’s mechanics and identify any additional vulnerabilities that could be exploited in the future. The platform has also advised its users with active claims to cancel them using the “End Token Claim” feature on their website to prevent further losses. Additionally, Hedgey Finance is collaborating with auditors and their security team to better understand the breach and prevent future incidents.
This incident has broader implications for the cryptocurrency market, notably affecting the value of the BONUS token, Hedgey’s native cryptocurrency. Following the breach, the suspicious address linked to the attack became the largest holder of BONUS tokens, leading to a price drop of approximately 10%. Over 200,000 BONUS tokens have been transferred to the Bybit exchange, likely in an attempt by the attacker to liquidate the stolen assets, further complicating recovery efforts. This theft underscores the persistent vulnerabilities in digital asset platforms and the critical need for enhanced security measures, real-time threat detection, and proactive collaboration between technology providers and security firms.
