Voltage Finance Hacker Moves $182K in ETH to Tornado Cash After 2022 Exploit

Posted on by Bruno

Voltage Finance Hacker Moves $182K in ETH to Tornado Cash After 2022 Exploit

In a recent development, a hacker responsible for the $4.67 million exploit of the decentralized finance (DeFi) lending protocol, Voltage Finance, in March 2022, has moved 100 Ether (ETH), worth around $182,783, to the privacy mixer Tornado Cash. This move occurred after a period of inactivity, raising concerns about the potential use of these funds.

Blockchain security firm CertiK reported the transaction, noting that the ETH was moved from an address linked to the original exploit. The initial exploit involved a reentrancy attack, exploiting a vulnerability in the ERC677 token standard, which allowed the hacker to drain funds from Voltage Finance’s lending pool.

Cybercrime, Cybersecurity, Hacks, Data. Source: CertiK

Details of the 2022 Voltage Finance Exploit

The March 2022 exploit targeted Voltage Finance’s lending pools, resulting in the theft of approximately $4.67 million in various cryptocurrencies, including USDC, Binance USD (BUSD), wrapped Bitcoin (WBTC), and Ethereum tokens. The attacker exploited a “built-in callback function” within the ERC677 token standard, initiating a reentrancy attack. This allowed them to repeatedly withdraw funds before the initial transaction was fully processed, effectively draining the platform’s liquidity.

Following the attack, Voltage Finance took steps to mitigate the damage, including flagging the attacker’s address on Etherscan and requesting exchanges to block any transactions associated with it. They also attempted to contact the hacker to negotiate a bounty for the return of the stolen funds. The recent movement of ETH to Tornado Cash suggests that these efforts were unsuccessful.

The Role of Tornado Cash

Tornado Cash is a decentralized, non-custodial privacy solution that allows users to obfuscate their transactions by mixing their cryptocurrency with other users’ funds. This makes it difficult to trace the origin and destination of the funds, providing a level of anonymity. While Tornado Cash has legitimate uses, it has also been used by malicious actors to launder illicit funds.

Voltage Finance Hit by Another Exploit in March 2024

Adding to the woes, Voltage Finance faced another security breach in March 2024. The Simple Staking pools were compromised, resulting in a loss of $322,000. Following this incident, Voltage Finance offered the attacker a $50,000 bounty to return the stolen funds and initiated investigations into the possible involvement of a developer who previously worked on the staking pools. They revoked the developer’s access and filed police reports.

Crypto Losses and Recoveries: A Broader Perspective

The incidents involving Voltage Finance are part of a larger trend of increasing cryptocurrency hacks and exploits. According to recent reports, crypto losses spiked significantly in April, driven primarily by a large-scale social engineering attack targeting an elderly US individual, resulting in the theft of $330.7 million in Bitcoin.

However, April also saw instances of stolen funds being recovered. For example, the hacker behind the $7.5 million exploit of decentralized exchange KiloEx returned all the stolen funds. Additionally, the ZKsync Association recovered $5 million worth of stolen tokens following a security incident involving its airdrop distribution contract.

Key Takeaways

  • Voltage Finance was exploited in March 2022, resulting in a loss of $4.67 million.
  • A hacker has moved 100 ETH from the exploit to Tornado Cash.
  • Voltage Finance was also hit by another exploit in March 2024, losing $322,000.
  • Overall crypto losses spiked in April, but there were also instances of funds being recovered.
  • The use of Tornado Cash highlights the challenges of tracing and recovering stolen cryptocurrency.

Mitigating DeFi Risks

The ongoing threat of hacks and exploits in the DeFi space underscores the importance of robust security measures and proactive risk management. Users and developers should prioritize the following:

  • Smart Contract Audits: Thoroughly audit smart contracts to identify and address potential vulnerabilities before deployment.
  • Security Best Practices: Follow industry-standard security best practices, including proper input validation, access controls, and error handling.
  • Insurance: Consider purchasing insurance to protect against potential losses from hacks and exploits.
  • Staying Informed: Keep abreast of the latest security threats and vulnerabilities in the DeFi space.

As the DeFi ecosystem continues to evolve, collaboration between developers, security experts, and the community will be crucial in mitigating risks and ensuring the safety of user funds.

Related Posts