Whitehat hacker finds a $10M Ethereum vulnerability and reports it
Last Updated on 29 September 2020 by CryptoTips.eu
An ethical hacker has saved an Ethereum smart contract from losing close to $10 million in tokens. The hacker, who goes by the name Samczsun, helped to close a vulnerability on the Ethereum-based DeFi lending platform Lien Finance.
Bug in Lien Finance
Samczsun posted details about the incident on his blog and revealed how he was able to fix the bug with the help of ConsenSys. The hacker noticed the vulnerability on September 15, when he took a routine look at some of the smart contracts belonging to Lien Finance.
He noticed a bug in a smart contract that held about 25,000 ETH, worth around $9.5 million at the time. Samczsun could easily have taken advantage of it and drained the contract, but instead approached the Lien Finance developers to get the bug fixed.
"I discovered that it would be trivial for anyone to mint tokens to themselves for free, but then burn them in exchange for all of the Ethereum in the contract. My heart jumped. Suddenly, things had become serious," he said.
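To make the class of bug concrete, here is an added Solidity illustration; it is hypothetical code written for this article, not Lien Finance's contract and not taken from Samczsun's write-up. The vulnerable contract lets anyone mint tokens without sending ETH and then burn them for a share of the contract's ETH; the hardened version only issues tokens in proportion to ETH actually received, so the ETH balance always backs the supply. Contract and function names are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration (not Lien Finance's code) of the bug class the article
// describes: a token that can be minted without paying and then burned for ETH.
contract UncheckedMintExample {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // VULNERABLE: the caller names any amount and receives it without sending ETH.
    // Nothing ties the minted supply to the ETH the contract actually holds.
    function mintUnchecked(uint256 amount) external {
        balanceOf[msg.sender] += amount;
        totalSupply += amount;
    }

    // Burning pays out a pro-rata share of the contract's ETH. Combined with the
    // unchecked mint above, free tokens dilute every honest depositor's share.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 payout = address(this).balance * amount / totalSupply;
        // Checks-effects-interactions: update state before sending ETH.
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}

// Hardened version: tokens are only created in exchange for ETH received in the
// same call, so supply and reserve move together and burn() cannot over-pay.
contract CheckedMintExample {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // FIXED: payable mint whose amount is derived from msg.value, not chosen by the caller.
    function mint() external payable {
        require(msg.value > 0, "no ETH sent");
        // Reserve before this deposit; msg.value is already included in the balance.
        uint256 reserveBefore = address(this).balance - msg.value;
        uint256 amount;
        if (totalSupply == 0 || reserveBefore == 0) {
            amount = msg.value;                       // first deposit: 1 token per wei
        } else {
            amount = msg.value * totalSupply / reserveBefore; // keep the price per token
        }
        balanceOf[msg.sender] += amount;
        totalSupply += amount;
    }

    // Same burn logic as above; it is now safe because every token was paid for.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 payout = address(this).balance * amount / totalSupply;
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

The defensive point is the invariant: the ETH held by the contract must always back the token supply. An auditor checking a mint/burn pair would look for any path that increases `totalSupply` without a matching increase in reserve, since that is exactly what lets a free mint be cashed out through burn.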
After identifying the bug, the hacker consulted an Ethereum expert, who laid out two options: exploit the issue themselves and risk losing the ETH, or ask Lien to go public and have users withdraw their funds, which would have caused major distrust within its community.
He then spoke with the ConsenSys security team, which had originally audited Lien Finance's code, and it was decided that they would execute the exploit themselves and route the ETH through a friendly mining pool.
Samczsun enlisted Sparkpool to carry out the operation on the contract holding roughly $10 million in Ethereum. It went without a hitch: the ETH passed through Sparkpool into a Lien wallet, after which the Lien developers patched the code.
This latest tale illustrates the dangers that exist in the Ethereum DeFi sector. It could easily have been disastrous had the vulnerability been discovered by another hacker first.