Jun 2024 - Holograph Rogue Developer Infinite Minting - $14.4m (Global)

"The Omnichain Token Layer. Asset issuers use Holograph to mint natively composable omnichain tokens."
"Holograph is an omnichain tokenization protocol, enabling asset issuers to mint natively composable omnichain tokens. Holograph has been used to mint millions of onchain assets, making it one of the most widely used protocols for cross-chain asset production and distribution.
Holograph works by burning tokens on the source chain, sending a message via a messaging protocol to the destination chain, and then reminting the same number of tokens to the same contract address. This unifies liquidity, eliminates slippage, and preserves fungibility across blockchains."
"Holograph facilitates use of a single, unique contract address on all EVM blockchains. Using a strictly enforced deployment process, genesis contracts are seeded across chains, allowing for all subsequent contracts to be derived from them. With this approach, contract addresses remain the same no matter where they are deployed, allowing the protocol to support all existing and future EVM chains. For non-EVM chains, the protocol may be adapted to facilitate tokenization in adherence to their respective execution environments."
"On June 13, 2024, Holograph, a blockchain tokenization protocol, encountered a critical smart contract exploit. An unauthorized actor minted 1 billion additional HLG (Holograph) tokens, incurring more than a 60% drop in token value in a duration of ten minutes. The incident had in fact resulted in a severe loss of investor confidence by the time Holograph’s team confirmed it in a statement on X."
"The Omnichain NFT protocol Holograph protocol was exploited, resulting in a loss of approximately $14.4 million. According to the team, a former contractor exploited an infinite mint vulnerability in their smart contract to release an additional 1 billion HLG tokens, which were further dumped. This malicious actor, who had funded the operator contract roughly 26 days before the attack, deployed an unverified contract on Mantle, which was used to mint the additional tokens caused by a function that exploited the protocol's verification method."
"The scam drove Holograph into a financial crisis. Ten minutes after the illegal minting, the market value of HLG tokens fell from about $22 million to less than $10 million, a startling loss of over $12 million. Because the attack raised questions about Holograph’s security protocols, investor trust in the platform was seriously damaged. Worse, the attacker’s quick transfer of a significant amount of HLG tokens to Tether (USDT) further destabilized the HLG market and raised price volatility."
"The malicious actor deployed an unverified contract on Mantle, which was used to mint additional HLG
Using a function that exploited the protocol’s verification method, 1 billion HLG was bridged to Ethereum
The malicious actor sent 1 billion HLG to various exchanges & proceeded to sell the tokens"
"The Holograph Operator contract has been exploited by a malicious actor, enabling the hacker to mint 1 billion additional HLG
The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts
The team has launched an investigation & is in the process of contacting law enforcement"
"The Holograph hack was perpetrated by a former contractor of the protocol. This was initially theorized based on the fact that the attacker’s address was approved to call the project’s mint function and later confirmed by the Holograph team.
The attacker deployed a malicious smart contract on Mantle that called the protocol’s mint function. Since the attacker’s address was trusted by the contract, they were able to bypass the access controls on the mint function and perform a successful mint. The rogue developer performed nine minting transactions to create a total of 1 billion HLG tokens.
After minting 1 billion new HLG tokens, the attacker bridged them to the Ethereum network, where they began dumping them. While approximately 200 million of the minted tokens were frozen by exchanges, the attacker managed to dump some of them. As a result of the inflated supply, the value of the HLG tokens plummeted by about 80% within the first nine hours of the attack."
"Holograph is working with security experts to prevent an exploit like this from happening again
The malicious actor’s exchange accounts have been frozen on Bybit, Gate, KuCoin, Bitget, & Backpack -- as of today, at least 200 million of the 1 billion additional HLG have been frozen
Out of precaution, Bybit, Gate, KuCoin, Bitget, & Backpack have temporarily suspended all HLG deposits & withdrawals"
"A third-party audit of the protocol will be conducted. The team will continue delivering omnichain tokenization infrastructure & applications. More substantive updates will be shared as information is confirmed."
Further Analysis
Holograph is a protocol which assists with the launch of omnichain tokens. On June 13th, 2024, one of their developers exploited their access to mint 1 billion HLG tokens, which were then sold on the market for various coins. The token price dropped significantly based on the news. The latest update involved the team working on a buyback plan to help restore the protocol.
How Could This Have Been Prevented?