The Meter Passport token bridge platform has incurred $4.4 million in losses due to a smart contract hack, which also caused Hundred Finance to lose $3.3 million through under-collateralized loans.
Meter.io’s Meter Passport (MTRG) is a token bridge that is compatible with Ethereum and its sidechains. This attack affected the Moonriver side of the bridge.
Moonriver is a smart contract platform based on Polkadot’s Kusama network. Hundred Finance is a crypto lending platform based on the code for Compound Finance.
Starting at 2 pm UTC on Saturday and over the course of several transactions, about $4.4 million in Binance Coin (BNB) and wETH were minted through a “wrong trust assumption” in the code, according to a Sunday statement from the Meter team. In this case, an arbitrary amount of Ether (ETH) was deposited to Meter, which the hacker used to mint tokens using the vulnerability.
1. Around 6am Pacific time we identified someone was able to leverage a vulnerability of the bridge to mint a large amount of BNB and WETH tokens and depleted the bridge reserve for BNB on WETH.— ⚡️Meter.io⚡️ (@Meter_IO) February 5, 2022
The attack caused a cascade effect across the Kusama-based Moonriver ecosystem. After draining Meter of its BNB and wETH reserves, the attacker sold the BNB on SushiSwap, a popular decentralized exchange. This led to a 77% crash in the price of BNB on Moonriver at the time.
A number of opportunists then took advantage of the price dip by buying cheap BNB. They used the tokens as collateral on Hundred Finance to take out ETH, FRAX and MIM loans. Due to the discrepancy in BNB price, however, their loans were worth more than the collateral they had provided, causing a supply crisis.
2/4. Accounts were able to purchase BNB.bsc at a reduced price and use these tokens as collateral at the global Chainlink price to borrow uncompromised assets on our platform. Of these, MIM and FRAX are currently impacted.— Hundred Finance (@HundredFinance) February 6, 2022
Amazingly, two of the loans were repaid, leaving an outstanding $3.3 million in losses to the Hundred protocol. The ETH loan was entirely returned. The Hundred team has attempted to reach out to the parties involved to ask that they return the BNB tokens used as collateral to Meter.
The Meter team has committed to reimbursing its community and Hundred Finance for losses incurred due to the hack. The team stated on Sunday that it had set aside $4.4 million in MTRG tokens to cover initial losses.
Vfat the pseudonymous founder of Hundred Finance, said in a statement to Rekt News on Sunday that:
“Meter have of course accepted responsibility for this hack and are intending to use their native token for reimbursement to the extent that they can, currently we are in the gathering addresses and amounts stage.”
The blockchain security firm PeckShield estimated that in total, 1,391 ETH and 2.74 wBTC were taken by the attacker and have since been sent to Ethereum where the tokens have gone through Tornado Cash, an ETH transactions privacy tool.
A representative from the Hundred Finance team told Cointelegraph that it would wait about a day before taking steps to reopen MIM and FRAX markets on the Moonriver side of itsplatform. In response to a question on bridge security, the Hundred team told Cointelegraph:
"We hope bridges will strengthen their security and make their tech safer. As for us we will be even more stricter with assets and bridges on new chains."
The initial details of the exploit of Meter’s code resemble the Wormhole hack on Thursday in which 120,000 wETH ($321 million) were maliciously minted and extracted from Wormhole’s platform. In that incident, the hacker exploited a smart contract bug to mint wETH at will and sent the tokens to Ethereum, where they were washed via Tornado Cash.
Article updated to add the ETH loan on Hundred Finance has been paid back.