This article is more than one year old

Arbitrum DeFi protocol Sentiment loses $1m to a hacker, sets 10% recovery bounty

A hacker has stolen almost $1 million worth of crypto from Sentiment, a DeFi protocol on the Ethereum layer 2 network Arbitrum.

Now, as has become common after crypto hacks, the protocol’s developers are offering a 10% bounty to the thief for the safe return of funds.

In an on-chain message — text inscribed on a blockchain transaction — Sentiment offered the hacker a $95,000 bounty, if the funds are returned by 8:00 UTC on April 6.

“If the hacker has not returned the funds by the above time, we will give any person the same $95k if you help us find and prosecute the person responsible for this theft,” the message said.

Stay ahead of the game with our weekly newsletters

“I don’t think the Sentiment exploit was really anything new,” Igor Igamberdiev, head of research at crypto liquidity provider Wintermute, told DL News. He said the hack was due to the “read-only reentrancy” bug which was discovered over a year ago by smart contract auditor ChainSecurity.

NOW READ: Recovering scammed assets should be easier with blockchain data but it’s not

A reentrancy attack occurs when a smart contract fails to update its state before sending funds. This lets an attacker continuously call the contract’s withdraw function to drain funds.

According to Igamberdiev, at least three protocols have been exploited using the specific read-only reentrancy bug since it was discovered. “The exploiters just had to look at various protocols having integration of specific Curve or Balancer’s pools to find a victim,” he said.

Join the community to get our latest stories and updates

At around 17:50 UTC Tuesday, the hacker used the read-only reentrancy bug to exploit an integration between Sentiment and the decentralised exchange Balancer. This tricked the protocol into letting the hacker withdraw almost $1 million of user funds denominated in the USDC and USDT stablecoins, Bitcoin, and Ether.

Assets deposited into Sentiment

Since conducting the exploit, the hacker has converted all the stolen funds into Ether and used a crypto bridge to transfer them from Arbitrum to the Ethereum mainnet.

Sentiment initially addressed the situation on Tuesday evening, acknowledging that the protocol had suffered a “malicious exploit,” and informing its users that it had already deployed a fix.

“Recovery of user funds will continue to be our main objective moving forward,” the post read.

Onlookers were quick to point out that Sentiment is insured by Sherlock, a smart contract audit marketplace that acts as a way for DeFi protocols to buy coverage against code exploits. Sentiment has $2 million coverage through Sherlock, enough to cover all the funds lost from the exploit if its claim is valid.

NOW READ: Euler hacker returns $176m of stolen funds amid ‘ongoing’ negotiations

The Sentiment hack is not the first time a Sherlock-insured DeFi protocol has suffered an exploit in recent weeks. In March, a hacker exploited the DeFi lending protocol Euler Finance for almost $200 million. Shortly after the hack, Euler claimed $4.4 million on its insurance from Sherlock.

Although Euler has since recovered almost all the stolen funds, it’s still unclear whether Euler is obligated to return the $4.4 million insurance payout to Sherlock.