Gamma Protocol Hacker Moves Funds Through Tornado Cash

  • Gamma Strategies’ exploiter has moved some funds through the sanctioned coin-mixing service Tornado Cash
  • Gamma had sent the hacker an on-chain message with hopes of offering a bug bounty
  • The protocol lost roughly $3.4 million

The Gamma Strategies hacker has been seen moving part of the loot through the sanctioned coin-mixing service Tornado Cash, decreasing the chances that the funds will be returned as the platform had hoped. According to blockchain security firm PeckShield, the attacker moved 1,000 ETH worth approximately $2.2 million, leaving roughly $1 million of the stolen funds unmoved. The hacker’s actions come despite the protocol sending an on-chain message asking him to keep a small percentage of the funds and return the rest, a sign that the attacker may not be interested in negotiating with the Gamma team.

Preliminary Results are Out

Apart from using Tornado Cash, the attacker is also swapping remaining funds for other coins and moving them between chains. In its latest update on X (formerly Twitter), Gamma disclosed that they “have preliminarily reached the root cause of the recent exploit on [their] vaults.”

According to the protocol, the attacker used a loophole in a setting that disallows deposits “when price change exceeds a certain amount.” 

Gamma revealed that the threshold for stopping deposits was set extremely high (up to 200%), allowing the exploiter to manipulate token prices and obtain a “high number of LP tokens.”
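
To show why the size of that threshold matters, the following added example (not Gamma's contract code and not part of the original article) models a deposit guard that compares the pool's spot price with a reference price and measures how many extra LP shares can be minted at the edge of the allowed range. The share formula, the reference price, the vault balances and the 5% comparison threshold are assumptions chosen for illustration; only the 200% figure comes from the article.

```python
from fractions import Fraction

def deposit_allowed(spot, reference, max_deviation):
    """Guard: accept a deposit only if spot is within max_deviation of reference."""
    return abs(spot - reference) / reference <= max_deviation

def shares_minted(vault0, vault1, total_shares, amount0, spot, reference, max_deviation):
    """LP shares for a token0 deposit, valued at the pool's current spot price.

    Simplified pro-rata model (assumption): value is measured in token1 units
    and shares are issued in proportion to deposit value / vault value.
    """
    if not deposit_allowed(spot, reference, max_deviation):
        raise ValueError("deposit rejected: price change exceeds threshold")
    deposit_value = amount0 * spot
    vault_value = vault0 * spot + vault1
    return total_shares * deposit_value / vault_value

def worst_case_overmint(max_deviation, reference=Fraction(1)):
    """Shares minted at the highest spot price the guard still accepts,
    divided by the shares the same deposit earns at the reference price."""
    # Constructed vault: 1000 token0, 1000 token1, 1000 shares outstanding.
    vault = (Fraction(1000), Fraction(1000), Fraction(1000))
    amount0 = Fraction(10)
    fair = shares_minted(*vault, amount0, reference, reference, max_deviation)
    edge_spot = reference * (1 + max_deviation)
    worst = shares_minted(*vault, amount0, edge_spot, reference, max_deviation)
    return worst / fair

LOOSE = Fraction(200, 100)  # "up to 200%", the setting described in the article
TIGHT = Fraction(5, 100)    # assumed tighter setting, for comparison only

if __name__ == "__main__":
    for name, threshold in (("200% threshold", LOOSE), ("5% threshold", TIGHT)):
        ratio = worst_case_overmint(threshold)
        print(f"{name}: guard permits up to {float(ratio):.3f}x the fair share count")
```

In this model the loose guard still accepts a deposit priced at three times the reference, so the depositor receives 1.5 times the fair number of shares, while the tight guard caps the excess at about 2.4%.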

A Deposit is Required to Conduct an Attack

Gamma Strategies has already stopped deposits, saying that doing so helps prevent further losses since “a deposit is required” to conduct such an attack. The protocol will re-enable the option once it conducts a detailed post-mortem of the incident.

It added that it’s committed to recovering the funds and to “mitigate the risk going forward.” The platform has, however, not provided a concrete timeline for when it’ll start reimbursing victims or when it expects to open up deposits.

With the attacker moving funds through Tornado Cash and across multiple chains, it is unlikely that they will return the funds for a bounty.