Full Report
Hedgey Finance is a token vesting and locking tool. I linked one article but I also like the Rekt News article. During a campaign creation, the user transfers the locked tokens to a smart contract for usage by the sending contract. When doing this, the contract gives an allowance to a manager contract to spend the funds. If a user cancels the campaign prior to it starting, they are refunded all of the value they put in. The vulnerability is that the allowance is not revoked when canceling the campaign. So, this leads to a super easy to exploit double spend. The attacker wanted to maximize the damage that was done. So, they took out a USDC flash laon from balancer to start and then cancel the campaign. In order to avoid bots frontrunning the exploit, they did the steps above in the first transaction then waited a bit. After waiting, they abused the allowance of $1.3M from the cancellation to steal all of the funds. Boom, money stolen! This had been previously audited but the bug was not found. I had never seen the pattern of a smart contract giving an allowance out to users. Overall, a fairly simple approval bug in a weird context.
Analysis Summary
# Incident Report: Hedgey Finance Double-Spend Approval Exploit
## Executive Summary
On April 19, 2024, Hedgey Finance was targeted in a multi-chain exploit resulting in approximately $48 million in lost assets. The attacker leveraged a business logic flaw in the `ClaimCampaigns` contract where token allowances were not revoked upon campaign cancellation. By using flash loans to create and then immediately cancel campaigns, the attacker maintained unauthorized "ghost" approvals to drain the contract’s treasury.
## Incident Details
- **Discovery Date:** April 19, 2024, 07:07:03 UTC (by CUBE3.AI ML models)
- **Incident Date:** April 19, 2024
- **Affected Organization:** Hedgey Finance
- **Sector:** Decentralized Finance (DeFi) - Infrastructure/Vesting
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** 2024-04-19 06:46:23 UTC
- **Vector:** Exploitation of a "hidden" allowance vulnerability in the smart contract logic.
- **Details:** The attacker's EOA (0xded2...) was funded via ChangeNOW and deployed a malicious exploit contract (0xc793...) at 07:00:11 UTC.
### Lateral Movement
- **Details:** After successfully exploiting the Ethereum mainnet contract, the attacker (or copycats) replicated the exploit across multiple chains where the same vulnerable code was deployed, including Binance Smart Chain, Polygon, Arbitrum, and Avalanche.
### Data Exfiltration/Impact
- **Details:** At 07:06:47 UTC, the first major drain occurred. The attacker utilized a Balancer USDC flash loan to artificially inflate their interactions with the contract. By canceling a large campaign, they received their funds back but retained a $1.3M allowance, which they then used to steal the contract's actual holdings.
### Detection & Response
- **Detection:** CUBE3.AI’s ML model flagged the preparation transaction at 07:00:31 UTC and the exploit at 07:07:03 UTC.
- **Response:** Hedgey Finance issued a public alert hours later, advising users to cancel active claims. Security communities flagged "fishing" accounts (e.g., hedgeylfinance) attempting to capitalize on the chaos.
## Attack Methodology
- **Initial Access:** Direct interaction with the `ClaimCampaigns` smart contract.
- **Persistence:** Not applicable (Smart Contract exploit); however, the attacker utilized a "wait period" between preparation and execution to avoid front-running bots.
- **Defense Evasion:** Executing the attack in two separate transactions to mask the intent from automated mev-bots.
- **Discovery:** Identifying a flaw in the `cancelCampaign` function which failed to reset the `allowance` given to the manager contract.
- **Impact:** Abuse of the unrevoked allowance to transfer tokens from the victim contract to the attacker's address.
## Impact Assessment
- **Financial:** Estimated $48,000,000 USD total loss across multiple chains.
- **Data Breach:** None (Non-custodial protocol), but user fund security was compromised.
- **Operational:** Protocol functionality halted; users advised to manually revoke permissions and cancel claims.
- **Reputational:** High; the vulnerability existed in code previously audited by Consensys Diligence in June 2023.
## Indicators of Compromise
- **Attacker EOA:** `0xded2b1a426e1b7d415a40bcad44e98f47181dda2`
- **Exploit Contract:** `0xc793113f1548b97e37c409f39244ee44241bf2b3`
- **Vulnerable Contract:** `0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511`
- **Behavioral:** High-volume USDC flash loans followed by immediate campaign creation and cancellation.
## Response Actions
- **Containment:** Public advisory for users to interact with the official dashboard to secure remaining funds.
- **Eradication:** Identification of the logic bug (missing `increaseAllowance(0)` or similar revocation logic).
- **Recovery:** Ongoing efforts to track stolen funds across chains and monitor ChangeNOW/exchange exit points.
## Lessons Learned
- **Audit Limitations:** Even reputable audits can miss "simple" logic flaws if the pattern (giving allowances to users/managers from a contract) is unconventional.
- **State Management:** When a process (campaign) is reversed (canceled), all associated state changes (allowances) must be explicitly reverted.
- **Cross-Chain Risk:** Vulnerabilities in a single codebase are amplified exponentially when deployed via identical addresses across multiple EVM chains.
## Recommendations
- **Strict Allowance Management:** Ensure all smart contract approvals are set to zero immediately after the intended transaction or upon cancellation of a state.
- **Runtime Protection:** Implement RASP (Runtime Application Self-Protection) tools that can block suspicious transactions based on behavioral patterns (e.g., flash loan abuse) before they finalize.
- **Post-Audit Peer Review:** Focus specifically on unconventional accounting patterns during internal reviews.