The creators of the distributed ledger Hedera Hashgraph have acknowledged a smart contract vulnerability on the Hedera Mainnet that resulted in the loss of a number of liquidity pool coins.
Hedera said that the hacker specifically targeted liquidity pool tokens on decentralized exchanges (DEXs) whose code was copied over from Ethereum's Uniswap v2 for usage on the Hedera Token Service.
The attacker tried to transport the stolen tokens, which included liquidity pool tokens on SaucerSwap, Pangolin, and HeliSwap, through the Hashport bridge the Hedera team indicated that the suspicious behavior was discovered. Operators quickly stopped the bridge momentarily.
The quantity of tokens that were taken was not confirmed by Hedera.
Hedera updated the network on February 3 to enable the Hedera Token Service (HTS) to accept smart contract code compatible with the Ethereum Virtual Machine (EVM).
Hedera-based DEX SaucerSwap thinks the attack vector originated from the decompiling of Ethereum contract bytecode to the HTS, which is a step in this process. Hedera did not explicitly state this in its most recent statement.
On March 9, Hedera disabled network access by disabling IP proxies. The group claimed to have located the exploit's "root cause" and to be "working on a remedy."