Stablecoin DEX ‘Saddle Finance’ Exploited for $10 Million
Decentralised exchange Saddle Finance was hacked over the weekend, resulting in the loss of over US$10 million in funds. The DEX is working with blockchain security organisation BlockSec to return some of the lost funds and at the time of writing the identity of the hacker remained unknown.
Saddle Finance is an automated market maker that specialises in the trading of stablecoins and other pegged assets such as wrapped BTC.
Timeline of the Hack
According to on-chain data, the hack occurred at 7:40am UTC on April 30, with the hacker initially stealing approximately US$14.8 million in assets.
Twitter user @web3isgreat, who catalogues blockchain hacks, claims it was a flash loan attack and, once stolen, the assets were funnelled through Tornado Cash to anonymise the transactions and make tracking the hacker virtually impossible:
Based on Twitter interactions, it appears BlockSec’s monitoring and attack blocking systems detected the exploit shortly after it began. Once aware of the attack, BlockSec tweeted an alert to Saddle Finance:
Around 20 minutes later, Saddle Finance tweeted that it was investigating a “possible exploit” and had paused pool withdrawals, later clarifying that only metapool withdrawals had been suspended:
Correction: Only metapools are paused. Single-asset withdrawals are currently restricted, but balanced pool withdrawals are always possible
— Saddle (@saddlefinance) April 30, 2022
Around two hours after it was first notified about the hack, Saddle tweeted that BlockSec had been able to secure approximately US$3.8 million of the lost funds:
White hat hackers @BlockSecTeam were able to secure $3.8m. The team is in contact with them to return the funds
— Saddle (@saddlefinance) April 30, 2022
In all, over US$10 million in assets remain missing with little chance of recovery.
In a worrying trend, DeFi hacks are becoming an increasingly common occurrence. In February, Meter.io was hacked for US$4.4 million and March saw Axie Infinity lose US$625 million in what has since been assessed as the largest DeFi exploit on record.