Hedgey Finance is a token vesting and locking tool. I linked one article but I also like the Rekt News article.
During campaign creation, the user transfers the tokens to be locked into a smart contract. As part of this, the contract grants an allowance to a manager contract to spend those funds. If the user cancels the campaign before it starts, they are refunded the full amount they put in.
The vulnerability is that the allowance is not revoked when the campaign is cancelled. The creator gets the refund while the manager's allowance over the same tokens stays in place, which makes for a very easy double spend.
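As an added illustration (not Hedgey's contract or audit material), here is a simplified escrow that follows the create/cancel pattern described above and shows the revoke step the cancel path needs. The contract and function names (`CampaignEscrow`, `createCampaign`, `cancelCampaign`) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed below (constructed for this example).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical escrow showing the create/cancel pattern; not Hedgey's code.
contract CampaignEscrow {
    struct Campaign { address creator; address token; address manager; uint256 amount; uint256 start; }
    mapping(bytes32 => Campaign) public campaigns;

    function createCampaign(bytes32 id, address token, address manager, uint256 amount, uint256 start) external {
        require(campaigns[id].creator == address(0), "campaign exists");
        require(start > block.timestamp, "start must be in the future");
        campaigns[id] = Campaign(msg.sender, token, manager, amount, start);
        IERC20 t = IERC20(token);
        // Tokens are pulled into this contract ...
        require(t.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // ... and the manager is pre-approved to move them later. Allowances are keyed
        // per spender, not per campaign, so add to whatever this manager already holds.
        require(t.approve(manager, t.allowance(address(this), manager) + amount), "approve failed");
    }

    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.creator == msg.sender, "not creator");
        require(block.timestamp < c.start, "already started");
        delete campaigns[id];
        IERC20 t = IERC20(c.token);
        // The vulnerable pattern refunded and stopped there: the manager's allowance
        // outlived the refund, so the refunded tokens could be pulled a second time.
        // Fix: shrink the allowance by this campaign's share before the refund.
        uint256 live = t.allowance(address(this), c.manager);
        uint256 kept = live > c.amount ? live - c.amount : 0;
        require(t.approve(c.manager, kept), "revoke failed");
        require(t.transfer(c.creator, c.amount), "refund failed");
    }
}
```

A unit test for the cancel path should assert that the manager's allowance drops by the refunded amount; that check is what the audit would have needed to catch this class of bug.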
The attacker wanted to maximize the damage. They took out a USDC flash loan from Balancer to create and then cancel a campaign. To avoid bots frontrunning the exploit, they did those steps in a first transaction and then waited a bit. After waiting, they used the $1.3M allowance left over from the cancellation to steal all of the funds. Boom, money stolen!
This had been audited previously, but the bug was not found. I had never seen the pattern of a smart contract giving an allowance out to users. Overall, a fairly simple approval bug in an unusual context.