DeFi Protocol Tender.fi Hacker Returns $1.6M Following Chainlink Oracle Glitch
A white hat hacker who targeted DeFi protocol Tender.fi has returned $1.6 million that was stolen on Tuesday, receiving a 62.15 ether ($85,000) bug bounty instead.
The attack occurred after Tender.fi upgraded its price feed to relay data from a Chainlink pricing oracle as opposed to a time-weighted average price (TWAP). The code, which was audited by PeckShield, contained an error and returned a number with too many zeros behind it. This meant the attacker was able to deposit one GMX token, worth around $70, effectively tricking the system into allowing infinite borrows, according to a postmortem published on Tender.fi’s Medium page.
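The scaling error described above can be modeled in a few lines. This Python sketch is an added example, not code from Tender.fi, PeckShield or Chainlink. The 18-decimal target scale, 8-decimal feed, 70% collateral factor, 20% deviation bound and every function name are assumptions, and `mis_scaled` is a constructed stand-in, since the exact faulty arithmetic is not given here.

```python
# Added illustration: integer fixed-point model of a lending market's price adapter.
# Names, scales and bounds are assumptions, not taken from Tender.fi's contracts.
TARGET_DECIMALS = 18       # scale the hypothetical lending logic expects
MAX_DEVIATION_BPS = 2_000  # reject prices more than 20% away from the reference


class PriceRejected(Exception):
    """Raised when a price must not be used for collateral valuation."""


def normalize(answer: int, feed_decimals: int) -> int:
    """Rescale a feed answer from feed_decimals to TARGET_DECIMALS."""
    if answer <= 0:
        raise PriceRejected("non-positive answer")
    if feed_decimals <= TARGET_DECIMALS:
        return answer * 10 ** (TARGET_DECIMALS - feed_decimals)
    return answer // 10 ** (feed_decimals - TARGET_DECIMALS)


def mis_scaled(answer: int) -> int:
    """Constructed bug: pads a fixed number of zeros and ignores the feed's decimals."""
    return answer * 10 ** TARGET_DECIMALS


def check_against_reference(price: int, reference: int) -> int:
    """Return price only if it agrees with an independent reference such as a TWAP."""
    if reference <= 0:
        raise PriceRejected("no usable reference price")
    deviation_bps = abs(price - reference) * 10_000 // reference
    if deviation_bps > MAX_DEVIATION_BPS:
        raise PriceRejected(f"deviation of {deviation_bps} bps exceeds bound")
    return price


def borrow_limit_usd(tokens: int, price: int, collateral_factor_bps: int = 7_000) -> int:
    """Whole-dollar borrowing power for `tokens` whole units of collateral."""
    return tokens * price * collateral_factor_bps // 10_000 // 10 ** TARGET_DECIMALS


# Constructed sample: feed answer of $70 at 8 decimals, reference price of $69.
ANSWER, FEED_DECIMALS = 70 * 10**8, 8
REFERENCE = 69 * 10**TARGET_DECIMALS

if __name__ == "__main__":
    prices = {"normalized": normalize(ANSWER, FEED_DECIMALS), "mis-scaled": mis_scaled(ANSWER)}
    for label, p in prices.items():
        print(label, "borrow limit:", borrow_limit_usd(1, p), "USD")
```

With the constructed values, one token priced at $70 supports a $49 borrow at the correct scale and $4.9 billion when mis-scaled; `check_against_reference` accepts the first price and raises `PriceRejected` on the second.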
After extracting $1.6 million from the protocol, the hacker left an on-chain message: "It looks like your oracle was misconfigured. Contact me to sort this out."
Tender.fi reached out and agreed to pay the white hat hacker a 62.15 ether bug bounty.
The protocol plans to deploy a new, rewritten oracle contract before unpausing borrowing. It has also vowed to repay any unpaid debt left behind by the hacker.
The TND token, which plunged by 34% on Tuesday, is trading at $1.87. It has increased by 2.37% in the past 24 hours against its ethereum pair but remains down by 7.62% against its U.S. dollar pair following a crypto market rout.