Sentiment, an undercollateralized lending protocol, appears to have been exploited on April 4 for over $500,000 in crypto. Ethereum blockchain data shows a transaction that transferred 536,738.410031 USD Coin (USDC) from the Synapse Bridge, and this links up with a series of Arbitrum transactions draining coins from Sentiment.

The wallet performing the attack has been labeled “Sentimentxyz Exploiter” by Arbiscan, and the Sentiment team has announced on Twitter that they are aware of a “potential issue” with the protocol.

Twitter user Officer’s Notes has suggested that this may be a reentrancy attack. The user relied on research done by Twitter user FrankResearcher to come to this conclusion.

The Sentiment team has not yet stated what steps are being performed to stop the attack or what users should do to mitigate risk.

Further investigation reveals that the attacker may have stolen the protocol’s deployer key. The attacker began by deploying a contract to the Arbitrum network at the following address: 0xa4d063b9468b93aee2a87ec7072c3dabd5ee5968.

They then called the “run” function on this contract a minute later. However, this function-call failed, producing a “Fail with error ‘BAL#420” response. The attacker responded by calling the “self-destruct” function on the contract, which succeeded. This erased all of the contract’s code from the blockchain.

After destroying this contract, the attacker redeployed at the following address: 0x9f626F5941FAfe0A5b839907d77fbBD5d0deA9D0.

They then called the “run” function once again. This time, it succeeded, causing the contract to perform several transactions. One of these transactions changed the admin for a BeaconProxy contract located at address 0xdf346f8d160424c79cb8e8b49b13dd0ca61c3b8c.

Admin for the BeaconProxy being changed. Source: Arbitrum blockchain data

And another transaction upgraded the contract:

BeaconProxy being upgraded. Source: Arbitrum blockchain data

This implies that the attack may have been the result of a stolen deployer key.

After the contract was upgraded, the malicious smart contract approved the attacker to transfer various tokens, resulting in the loss of funds to the protocol. These funds were then swapped and moved through the Synapse bridge to the Ethereum network.

Once these transactions were completed, the attacker once again destroyed the contract code.

The smart contract used in the attack, after being self-destructed. Source: Arbitrum blockchain data