defirisk.co
rubric v1.7.0

Hedgey Finance: Unverified User Input — Flash Loan Enabled Approval Manipulation

Hedgey Finance lost $44.7M when an attacker used a Balancer flash loan and an unvalidated `claimLockup` parameter to trick the protocol into granting unauthorized token approvals across Ethereum and Arbitrum simultaneously.

Occurred 2024-04-19 Loss $45M Status closed

Summary #

Hedgey Finance suffered a Token Vesting / Lockup Infrastructure on 2024-04-19, resulting in a loss of approximately $45M.

What happened #

Hedgey Finance lost $44.7M when an attacker used a Balancer flash loan and an unvalidated `claimLockup` parameter to trick the protocol into granting unauthorized token approvals across Ethereum and Arbitrum simultaneously.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — vulnerable `createLockedCampaign()` function deployed after the audit] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — vulnerable `createLockedCampaign()` function deployed after the audit] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (post-audit code addition)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — post-audit contract version] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — post-audit contract version] || Time between audit end and deploy [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — $1.3M Balancer flash loan used as attack capital]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
  • RD-F-139 — causal : ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — post-audit contract version]