Crypto trading platform Hashflow has assured affected users will be “made whole” following an exploit that saw at least $600,000 in digital assets removed from the platform.
On June 14, blockchain security firm Peckshield reported an ongoing issue with the Hashflow trading platform.
“It appears there is an approve-related issue,” the firm noted, reporting losses of around $600,000 in Arbitrum (ARB) and Ethereum (ETH).
A couple of hours later, Hashflow alerted users that they were addressing the current situation related to contract approvals as flagged by Peckshield, adding:
“All users comprising the ~$600K affected will be made whole.”
The firm, which provides cross-chain swaps as part of its trading services, added that its decentralized exchange “was in no way impacted and remains fully operational.”
Peckshield suggested that the hacker that carried out the exploit may be a white hat hacker, as they provided a contract with a recovery function along with a second option for a donation.
Hashflow updated its status on June 15 providing recovery instructions for those affected by the exploit which impacted Ethereum, Arbitrum, Avalanche, BNB Chain, and Polygon.
Users were told they must “revoke approvals before recovering funds.”
There are two options for fund recovery, the first is for total funds and the second will donate 10% to the supposed white hat hacker that exploited the vulnerability but prevented further losses in doing so.
DeFi enthusiast ‘YannickCrypto’ detailed the process noting that the white hat had verified the contract but warned that users must revoke token allowances to depreciated contracts or they’ll get hacked again.
Hashflow’s native token, HFT, fell 7% in the 12 hours following the incident, falling to $0.338 at the time of writing, according to CoinGecko. The token remains down 90% from its November 2022 all-time high of $3.61.
It is the second DeFi exploit this week as lending platform Sturdy Finance lost around $800,000 worth of Ethereum on June 12. The vulnerability was related to price manipulation, according to Peckshield which issued the alert.
Sturdy Finance offered a bounty of $100,000 to the exploiter for the return of the funds.