- An Ethereum DeFi project has lost a substantial sum to a bad actor before it could even get its feet off the ground.
- Security analysis revealed that the project was compromised from the get-go.
- Security experts see the recent exploit as a cautionary tale to other projects.
For all decentralized finance’s promise to democratize access to financial services, dabbling in the space can often feel like adventuring through the Wild West as it continues to be plagued by security issues, often with no recourse for users.
The latest instance highlighting this is the hack of an up-and-coming DeFi project on the Ethereum network.
The ROAR, a fledgling Ethereum-based DeFi ecosystem project, has lost nearly $800,000 in a bewildering exploit.
On April 16, Web3 security auditor Hacken reported that a staking contract tied to the project had been drained of 100 million 1ROR tokens worth $785,000. Hacken highlighted that the attack was not an exploitation of a flaw in the code but a backdoor.
“A developer embedded a backdoor in the staking contract by presetting their wallet’s user.amount (staked amount) directly in the constructor. So from the moment the contract was deployed, they had withdrawal rights without ever actually staking,” Hacken on-chain researcher Yehor Rudytsia told Benzinga in a statement.
After deploying the code, all the developer had to do was wait 17 days for the token to be listed and enough liquidity to be injected into the contract to cash out. Then, they quickly dumped the token for ETH and funneled the loot through popular crypto mixer Tornado Cash to cover their tracks.
“No complex exploit, just malicious logic planted at deployment and timed to hit after launch hype and listing,” Rudytsia said.
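The pattern Hacken describes, a per-user staked balance written in the constructor so the deployer can withdraw funds that other users later deposit, is easy to miss in a review because it involves no exploitable bug in the withdrawal path. The following is an added example, not code from The ROAR or from Hacken, showing a simplified staking contract with that backdoor shape next to a hardened version. The token interface, contract names, the `presetAmount` parameter and the `totalStaked` counter are assumptions made for illustration; the real contract's layout is not on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface this example needs (assumed interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Shape of the backdoor described in the article: the constructor records a
/// staked balance for the deployer that was never backed by a deposit.
contract BackdooredStaking {
    struct UserInfo { uint256 amount; }
    IERC20 public immutable stakeToken;
    mapping(address => UserInfo) public userInfo;

    constructor(IERC20 token, uint256 presetAmount) {
        stakeToken = token;
        // RED FLAG for reviewers: a write to per-user accounting inside the
        // constructor, with no matching transferFrom. From block one the
        // deployer holds withdrawal rights without having staked anything.
        userInfo[msg.sender].amount = presetAmount;
    }

    function deposit(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        userInfo[msg.sender].amount += amount;
    }

    function withdraw(uint256 amount) external {
        UserInfo storage user = userInfo[msg.sender];
        require(user.amount >= amount, "insufficient stake");
        user.amount -= amount;
        // Once real stakers have funded the pool, this pays the preset
        // balance out of their deposits. The function itself is correct.
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Hardened version: balances change only through an on-chain token movement,
/// and an aggregate counter lets anyone verify the pool is fully backed.
contract HardenedStaking {
    struct UserInfo { uint256 amount; }
    IERC20 public immutable stakeToken;
    mapping(address => UserInfo) public userInfo;
    uint256 public totalStaked; // invariant: equals the sum of all userInfo[*].amount

    constructor(IERC20 token) {
        stakeToken = token;
        // No user state is initialised here; deposit() is the only way to get a balance.
    }

    function deposit(uint256 amount) external {
        uint256 before = stakeToken.balanceOf(address(this));
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit only what actually arrived (also handles fee-on-transfer tokens).
        uint256 received = stakeToken.balanceOf(address(this)) - before;
        userInfo[msg.sender].amount += received;
        totalStaked += received;
    }

    function withdraw(uint256 amount) external {
        UserInfo storage user = userInfo[msg.sender];
        require(user.amount >= amount, "insufficient stake");
        user.amount -= amount;
        totalStaked -= amount;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
        assert(isFullyBacked());
    }

    /// Solvency check: recorded stakes never exceed tokens actually held.
    /// A balance that was preset rather than deposited breaks this immediately
    /// after deployment, and the check can be evaluated off-chain by anyone.
    function isFullyBacked() public view returns (bool) {
        return stakeToken.balanceOf(address(this)) >= totalStaked;
    }
}
```

Two cheap checks follow from this. In code review, every write to a per-user mapping should trace back to a token transfer into the contract; a constructor or privileged function that sets `amount` directly deserves an explanation. On-chain, right after deployment and before any liquidity arrives, the sum of recorded stakes should be zero and the contract's token balance should cover `totalStaked` at every block; a nonzero stake for the deployer with an empty token balance is exactly the 17-day-old time bomb the article describes.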
The ROAR confirmed Hacken’s report, asserting that the exploit was carried out by a contracted developer. Still, the project maintained that the developer was not part of its core team. The team added that the rogue developer has been removed from the project and all their access revoked.
In a community call later, The ROAR asserted that it was gathering evidence to pursue legal action against the rogue developer, adding that it had scrubbed the project of their code contributions.