Post Mortem: Hector Network
2024. 1. 17.
Project name: Hector Network
Project type: DeFi
Date of exploit: Jan 15th, 2024
Asset loss: $2.7M
Vulnerability: Centralization Risk / Private Key Leak / Inside Job
Date of audit conducted: Dec 19th, 2023
Conclusion: Out of audit scope
Details of the Exploit
Background
The affected codebase implements Hector Network’s liquidation process, which distributes the treasury to token holders across chains, from the Fantom Chain to the ETH Mainnet. For example, users can register HEC on Fantom and claim USDC on Mainnet based on a rate determined by the backend.
In detail, users first need to register their wallets with qualifying tokens. A privileged role, "moderator," can call the "AddEligibleWallet()" function with the amount that each user can claim. Finally, the registered eligible wallets are able to claim the assets via mintWithdraw.
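Because the claimable amount is whatever the moderator key writes, an independent reconciliation of AddEligibleWallet() entries against the Fantom registrations is one way to surface entries the registrations do not justify. The following is an added example, not code from Hector Network or from the original post; the record layout, the rate, the sample values and the assumption that repeated entries for one wallet accumulate are all constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed model: the page does not publish the contract's storage layout,
# its events or the backend rate, so every field and value here is hypothetical.
@dataclass(frozen=True)
class Registration:          # a wallet registering HEC on Fantom
    wallet: str
    hec_amount: Decimal

@dataclass(frozen=True)
class EligibleEntry:         # one moderator AddEligibleWallet() call on Mainnet
    wallet: str
    usdc_amount: Decimal
    tx: str

def reconcile(registrations, entries, rate, tolerance=Decimal("0.01")):
    """Return (tx, wallet, reason) for entries the registrations do not justify."""
    registered = {}
    for r in registrations:
        key = r.wallet.lower()   # addresses compare case-insensitively
        registered[key] = registered.get(key, Decimal(0)) + r.hec_amount
    granted, findings = {}, []
    for e in entries:
        key = e.wallet.lower()
        if key not in registered:
            findings.append((e.tx, e.wallet, "wallet never registered"))
            continue
        # Assumption: repeated entries for one wallet add up.
        granted[key] = granted.get(key, Decimal(0)) + e.usdc_amount
        allowed = registered[key] * rate
        if granted[key] > allowed + tolerance:
            findings.append((e.tx, e.wallet, f"granted {granted[key]} USDC exceeds entitlement {allowed}"))
    return findings

# Constructed sample data (placeholder addresses and transaction ids).
RATE = Decimal("0.5")        # hypothetical USDC paid per registered HEC
REGISTRATIONS = [
    Registration("0xAAA1", Decimal("1000")),
    Registration("0xBBB2", Decimal("200")),
]
ENTRIES = [
    EligibleEntry("0xaaa1", Decimal("500"), "tx-1"),     # exactly 1000 * 0.5
    EligibleEntry("0xBBB2", Decimal("60"), "tx-2"),
    EligibleEntry("0xBBB2", Decimal("60"), "tx-3"),      # cumulative 120 > 100
    EligibleEntry("0xCCC3", Decimal("250000"), "tx-4"),  # no registration at all
]

if __name__ == "__main__":
    for finding in reconcile(REGISTRATIONS, ENTRIES, RATE):
        print(finding)
```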
Nature of the Vulnerability
The centralized AddEligibleWallet function grants the deployer (i.e., moderator) the capability to designate specific …