Hector Network Liquidation Redemption Contract Suspected to Be Attacked

User @0xBoboShanti claims that the redemption contract of Hector Network, a project in the Fantom ecosystem, appears to have been attacked, resulting in a loss of approximately $2.7 million. On January 15, Hector Network deployed a new contract to facilitate liquidation and transferred $11 million in assets from a multisignature address to the HectorRedemptionTreasury contract.

According to @0xBoboShanti, “To receive funds from HectorRedemptionTreasury, users need to call mintWithdraw(...) on the TokenVault contract. This will require: retrieving the user's redeemAmount from the recipientTokens mapping; calling the internal mintwithdraw(); minting an NFT in _mintWithdraw(); transferring the funds from HectorRedemptionTreasury to the user, and then destroying the NFT. There is a conditional check in _mintwithdraw(). Most notably, it requires the recipient to be present in the eligibleWallets mapping. So, how did users not in eligible wallets exchange $2.7 million？ Why is their redeemAmount (obtained from the recipientTokens mapping) $2.7 million？ This is because the deployer explicitly added this wallet to the mapping... Upon receiving USDC, this wallet rapidly exchanged 2.7 million USDC for 1100 ETH via UniswapX. 440 ETH was sent to a new wallet, and then 358 ETH was sent to 4 other new wallets. Shortly after, the Hector Network multisignature address called withdrawAll() on HectorRedemptionTreasury, returning the remaining 9 million USDC to the multisignature address. Since the wallet was explicitly added to the TokenVault contract by the deployer, the most likely explanation is a leaked private key or a rogue developer.”