- The individual responsible for exploiting the DeFi lending platform Tender.fi has relinquished the stolen funds in exchange for a bounty reward of $97,000
- The whitehat hacker took $1.59 million through exploiting the protocol, then infomed operators of the exploit
- This is one of the few examples of hacks working out for the best
The individual responsible for exploiting the DeFi lending platform Tender.fi has relinquished the stolen funds in exchange for a bounty reward of $97,000 in ETH. The exploit occurred yesterday, with Tender.fi confirming the incident on Twitter just after 10:30am. The platform cited “an unusual amount of borrows” and declared a temporary halt to all borrowing while it investigated the issue, which led to the discovery that someone had exploited a price oracle glitch to borrow $1.59 million worth of assets from the protocol after depositing just one GMX token, valued at roughly $71. However, the funds have now been returned after the individual struck a deal with the protocol operators.
Hacker Left On-chain Message
Tender.fi was already aware of the exploit when the exploiter contacted them through an on-chain message to inform them of a weakness in their processes:
It looks like your oracle was misconfigured. contact me to sort this out.
Tender.fi contacted the individual and, over the next few hours, came to an agreement, informing the community via Twitter that it had arranged a compromise:
We have come to an agreement with the White Hat, an on chain transaction was sent with an attached message that contains the terms of this agreement. https://t.co/9a5IsgID0Q
— Tender.fi (@tender_fi) March 7, 2023
The agreement saw the “White Hat” repay all the borrowed loans minus 62.15 ETH, which was labelled “a Bounty for helping secure the protocol”. This loss will be covered by the Tender.fi team, ensuring that there is no “bad debt” and users will remain unaffected.
Whitehat Hacks Are Uncommon
Whitehat hacks are rare in the crypto world, but not unheard of. In September 2020 a whitehat hacker saved 25,000 ETH, worth $10 million at the time, from potentially being stolen from the Lien Finance Ethereum smart contract after finding and intentionally exploiting a serious flaw. In October 2021 a similar sum was saved when a whitehat hacker discovered and intentionally executed a critical vulnerability in the Belt protocol, which earned him a $1 million bounty.
One of least known yet potentially devastating whitehat hacks was carried out by an opportunist, who, in May 2011, managed to steal 300,000 MtGox bitcoin from Mark Karpelès’ home computer while the CEO was trying to get his faulty machine back online. Fortunately for Karpelès the hacker had a conscience and contacted Karpelès to return the loot, minus 3,000 bitcoins he kept as a reward for his ‘honesty’.
That haul today would be worth a staggering $6.6 billion (the bounty alone is worth $66 million), and would have killed MtGox there and then.