A suspected exploit of the Feed Every Gorilla (FEG) token’s “SmartBridge” left holders down 99% on Sunday, after the hacker sold off the proceeds into existing liquidity.
In what must feel like a depressingly familiar series of events, this attack is the third to hit the project following two separate incidents in 2022.
Read more: Are North Korean hackers liquidated on HyperLiquid planning something?
The project’s response to the “Irregular Transactions” acknowledged its users’ frustration, which were shared by the team. It initially suspected “a vulnerability in the wormhole bridge, which had previously undergone an audit” by Peckshield (which claims to have identified the root cause, but is yet to comment officially).
In the meantime, crypto security and auditing firm BlockSec conducted its own analysis of the hack, finding that “only the relayer can register withdrawal in the SmartBridge. However, when receiving a wormhole bridge message, the relayer doesn’t check if the source address is allowed to trigger the withdrawal registration.”
The hacker was then able to craft a malicious bridge message on one chain, fraudulently withdraw large amounts of FEG on the destination chain, and swap it for the existing liquidity. The same three steps were followed on each chain.
The FEG token ties together the project’s “SmartDeFi” token launchpads on ETH, Base and BNB Chain. According to Cyvers, the attacker made over $1 million dumping the tokens: 96 ETH, 73 ETH and 712 BNB profit on each chain, respectively.
Many voiced their frustrations and disbelief via X despite replies to the team’s statement being disabled. Users remarked on the loss of credibility, a lack of surprise, feeling “trapped,” and even suggesting the events may have been inside jobs.
Some did show support, however, pointing to the team’s “proactive approach” and taking comfort in FEG’s “real-world utility,” while dismissing security concerns as “woke.”
This isn’t FEG’s first rodeo
May 2022 saw the project lose $1.3 million to a flash loan attack which also exploited a data validation issue to drain FEG tokens. Despite “respectfully request[ing]” the return of stolen funds, they were laundered via Tornado Cash a few days later.
Read more: DeFi project Delta Prime hacked again — months after private key leak
After such a blow, FEG opted to use a third-party solution, locking its token’s liquidity with Team Finance to inspire confidence that users’ money would remain safe.
But in October of that same year, the token suffered a loss of almost $2 million when four of these “bulletproof” liquidity locks were exploited due to a fault in the migration system to move liquidity from Uniswap v2 and v3. The incident saw a total of over $15 million lost between the affected teams, though most funds were later returned.
Read the full article here