Hedera (Network-level — Hashgraph Smart Contract Service): Smart Contract Service (HTS) Code Bug — Uniswap V2 Port Exploit
A bug in Hedera's Smart Contract Service — specifically in Uniswap V2 code ported to Hedera Token Service — allowed an attacker to drain LP positions across multiple DEXs, triggering a chain-wide shutdown and $12M ecosystem TVL exodus from just ~$515K actually stolen.
Summary #
Hedera (Network-level — Hashgraph Smart Contract Service) suffered a DEX / AMM (Pangolin Hedera, HeliSwap — network-level exploit) on 2023-03-09, resulting in a loss of approximately $515K.
What happened #
A bug in Hedera's Smart Contract Service — specifically in Uniswap V2 code ported to Hedera Token Service — allowed an attacker to drain LP positions across multiple DEXs, triggering a chain-wide shutdown and $12M ecosystem TVL exodus from just ~$515K actually stolen.
Linked factors #
- RD-F-002 — related : Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~2 years (2021 audit; exploit 2023)]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: The Uniswap V2 ports to HTS were relatively new]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-098 — illustrative : TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — post-attack panic caused $12M TVL exit, not pre-exploit signal] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability: Low]