The HBAR Foundation, the organization behind the decentralized proof-of-stake ledger Hedera blockchain, has suspended network services after disclosing that “network irregularities” affect a number of Hedera decentralized applications (dApps) and their users.
Hedera claimed that the hacker specifically targeted liquidity pool tokens on decentralized exchanges (DEXs), whose code was moved over to use on the Hedera Token Service from Uniswap v2 on Ethereum.
To protect the users of these decentralized platforms, Hedera stated that it would disable network proxies on its mainnet while it investigated issues in its smart contracts. Wallets, decentralized exchanges, decentralized apps, and exchanges won’t function as a result of this action for the time being.
The attacker targeted accounts used as liquidity pools on multiple DEXs that use Uniswap v2-derived contract code ported over to use the Hedera Token Service, including @Pangolin_Hedera, @SaucerSwapLabs, and @HeliSwap_DEX. (2/6)
— Hedera (@hedera) March 10, 2023
Meanwhile, the project reported that its mainnet remains functional and is reaching consensus on new blocks. The majority of users are also currently unable to access the network, but after the problem is fixed, the project says it will enable access and proxies again.
The HBAR foundation also maintained that it was already in communication with its partners who were impacted.
Several Hedera-based decentralized platforms are affected
SaucerSwap Labs, a decentralized exchange on the Hedera blockchain network, also confirmed the exploit on Twitter, informing its 18k followers that the “decompiling process in smart contracts” was the target of the attacker.
🚨An ongoing exploit have hit the Hedera network this morning. The exploit is targeting the decompiling process in smart contracts. At time of writing attackers have hit Pangolin and HeliSwap pools containing wrapped assets. We are unsure if other HTS tokens are at risk too.
— SaucerSwap Labs 🧪 (@SaucerSwapLabs) March 9, 2023
The decentralized exchange stated that it was “actively” looking into the issue and that it was in contact with the other DEXs on the Hedera network to discuss possible solutions.
“There have been no reports of SaucerSwap users getting funds stolen yet, but as a precaution, we would encourage everyone to withdraw liquidity immediately — safety first,” the DEX urged its users.
The Bridge Project Hashport, however, said that it had temporarily halted offering its services due to ongoing problems with smart contracts. Pangolin, another decentralized exchange in the Hedera ecosystem, was yet another project that urged users to remove liquidity from the network.
Due to some Hedera network irregularities, Hashport has paused their bridge, and we'd encourage anyone with HTS tokens in Pangolin Pools and Farms to withdraw immediately.
This is a time critical moment, so we'll update as soon as we have more information
— Pangolin Hedera (@Pangolin_Hedera) March 9, 2023
HashPack, a decentralized wallet on the network, also verified awareness of an active exploit with various Hedera DeFi projects.
HashPack Wallet reports that while the problem is still developing, it is likely related to smart contracts, wrapped or bridged assets, and possibly liquidity pools on DEXs.
Hedera’s native token, HBAR, is down 5.37% over the course of a day on March 10, despite the fact that this seems to be the first confirmed network exploit since Hedera’s inception in July 2017. Yet, it has outperformed Ethereum (ETH) and Bitcoin (BTC), which have declined 8.18% and 8.65%, respectively, over the last day.
