A hacker siphoned off crypto valued at nearly $1 million from Sentiment, a DeFi protocol on the Ethereum Layer 2 network Arbitrum. Sentiment has made the hacker an offer: a 10% bounty if the full amount is returned.
The offer was delivered through an on-chain message, text inscribed in a blockchain transaction. Sentiment offered a bounty of $95,000, with a deadline of April 6, 2023.
The message also stated that if Sentiment had not received the funds from the hacker by the deadline, it would instead offer the same amount to anyone who helped identify the hacker so that he could be prosecuted for the theft.
According to Igor Igamberdiev, head of research at Wintermute, incidents of this kind are not uncommon. In his assessment, the hack exploited a read-only reentrancy bug that had been disclosed by ChainSecurity, a smart contract auditor.
A reentrancy attack occurs when a smart contract releases funds before updating its state. The attacker exploits this by repeatedly calling the contract's withdrawal function to drain the funds.
In Igamberdiev's view, at least three protocols have been exploited using this particular read-only reentrancy bug, which targets integrations with Curve or Balancer pools.
On Tuesday, the hacker used the read-only reentrancy bug to exploit the integration between Sentiment and the decentralized exchange Balancer. The protocol was fooled into letting the hacker siphon off nearly $1 million in user funds, in the form of USDC and USDT stablecoins, Bitcoin, and Ether.
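The following is an added illustration, not code from Sentiment, Balancer or Curve: two hypothetical contracts that show why a pool whose state-changing functions are correctly guarded can still expose a read-only reentrancy bug through a view function, and the one-line check that closes it. The pool's `withdraw` sends ETH before it finishes updating `totalShares`, so `sharePrice()` reports a stale value during the transfer callback; the hardened `sharePrice()` refuses to answer while the pool's lock is held, which is the check an integrating protocol should expect from (or replicate for) any pool it prices against.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical pool (constructed for illustration). Its state-changing
// functions are guarded, but during the ETH transfer in `withdraw` the pool
// has already sent ETH while `totalShares` is still stale, so a view such as
// `sharePrice()` reports an inconsistent value to whoever reads it mid-call.
contract Pool {
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    // Vulnerable ordering: the external call happens before `totalShares` is
    // reduced, so the invariant balance/totalShares is broken mid-call.
    function withdraw(uint256 amount) external nonReentrant {
        shares[msg.sender] -= amount;            // reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        totalShares -= amount;                   // effect after interaction
    }

    // Pool value per share, scaled by 1e18.
    // Hardened form: refuse to answer while a state-changing call is in
    // flight. Without this `require`, the view is read-only reentrant.
    function sharePrice() external view returns (uint256) {
        require(!locked, "pool state in flux");
        return (address(this).balance * 1e18) / totalShares;
    }
}

// Hypothetical lending contract that values collateral via the pool's view;
// it inherits the pool's protection only if the view enforces the lock.
contract Lender {
    Pool public immutable pool;
    constructor(Pool p) { pool = p; }
    function collateralValue(uint256 amount) external view returns (uint256) {
        return (amount * pool.sharePrice()) / 1e18;
    }
}
```

The guard on `withdraw` alone does not help the `Lender`, because the attacker never re-enters `withdraw`; the only thing reached during the callback is the view, so the view must respect the lock as well.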