Hector Network Liquidation Redemption Contract Suspected to Be Attacked, Incurs Approximately $2.7 Million in Losses
User @0xBoboShanti claims that the redemption contract of Hector Network, a project in the Fantom ecosystem, appears to have been attacked, resulting in a loss of approximately $2.7 million. On January 15, Hector Network deployed a new contract to facilitate liquidation and transferred $11 million in assets from a multisignature address to the HectorRedemptionTreasury contract.
According to @0xBoboShanti, “To receive funds from HectorRedemptionTreasury, users need to call mintWithdraw(...) on the TokenVault contract. This will require: retrieving the user's redeemAmount from the recipientTokens mapping; calling the internal mintwithdraw(); minting an NFT in _mintWithdraw(); transferring the funds from HectorRedemptionTreasury to the user, and then destroying the NFT. There is a conditional check in _mintwithdraw(). Most notably, it requires the recipient to be present in the eligibleWallets mapping. So, how did users not in eligible wallets exchange $2.7 million? Why is their redeemAmount (obtained from the recipientTokens mapping) $2.7 million? This is because the deployer explicitly added this wallet to the mapping... Upon receiving USDC, this wallet rapidly exchanged 2.7 million USDC for 1100 ETH via UniswapX. 440 ETH was sent to a new wallet, and then 358 ETH was sent to 4 other new wallets. Shortly after, the Hector Network multisignature address called withdrawAll() on HectorRedemptionTreasury, returning the remaining 9 million USDC to the multisignature address. Since the wallet was explicitly added to the TokenVault contract by the deployer, the most likely explanation is a leaked private key or a rogue developer.”
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
Slowmist Releases October Web3 Security Incident Report
TEAMZ Web3・AI Summit 2025: Bringing Global Leaders to Tokyo
Russia Establishes Legal Framework and Standards for Crypto Mining
Japan’s Crypto Industry to Launch “Self-Regulation” of Stablecoins
0.00