Hedera Exploit Funds Moved to Ethereum: $570K Stolen via Smart Contract Bug
Hackers successfully transferred approximately $570,000 of stolen Hedera Token Service (HTS) tokens from the Hedera blockchain to Ethereum following an exploit of the network’s Smart Contract Service code on March 9, 2024 [1][9]. The attacker targeted liquidity pools on decentralized exchanges (DEXs) including Pangolin, SaucerSwap, and HeliSwap, exploiting a vulnerability in the pre-compiled contract code that allowed illicit authorization to withdraw tokens [1][3]. Funds were subsequently bridged via Hashport to an Ethereum address, highlighting persistent cross-chain bridge liquidity risks that remain underpriced by market participants despite the incident [4][6].
Overview: Key Metrics at a Glance
- Stolen Amount: Approximately $570,000 confirmed stolen across multiple DEX accounts [9].
- Targeted Protocols: Pangolin, SaucerSwap, and HeliSwap liquidity pools were the primary victims [1].
- Vulnerability Type: Bug in Smart Contract Service pre-compiled code allowing unauthorized token transfers [3].
- Bridge Pathway: Funds moved via Hashport to an Ethereum address, then split across Atomic Wallet and Binance [4].
- TVL Impact: Hedera’s Total Value Locked (TVL) dropped 16% to $24.59 million within 24 hours [2].
- User Risk Scope: No retail user wallets or native HBAR tokens were compromised; only DEX liquidity pools were affected [3].
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!
Attack Mechanics and Cross-Chain Movement
The exploit originated in the Hedera Smart Contract Service, a computing layer designed to run Ethereum-compatible applications on the Hedera mainnet [1]. The attacker created a new account on March 7 to establish a base of operations, funding it with roughly 2,000 HBAR from Binance before executing the attack two days later [8]. By exploiting the pre-compiled contract code, the attacker granted themselves authorization to withdraw tokens from specific DEX liquidity pools, effectively draining the liquidity without triggering standard security alarms [8].
Following the theft, the attacker moved the stolen assets across chains. Data intelligence firm Arkham and other on-chain trackers observed the funds transferred via Hashport, Hedera’s official cross-chain bridge, to an Ethereum address [4]. The attacker further fragmented the holdings, moving some funds through the Atomic Wallet in-app exchange and others via Binance to a secondary Ethereum address [4]. This multi-step laundering process underscores the difficulty in tracing and recovering assets once they cross bridge boundaries, a critical vulnerability in the current DeFi infrastructure.
Market Impact and Bridge Liquidity Risks
The immediate market reaction to the exploit was severe, reflecting heightened concern over cross-chain security. Hedera’s native token, HBAR, fell more than 7% to trade at $0.057 as confidence waned [2]. Simultaneously, the ecosystem’s Total Value Locked (TVL) plummeted by over 16% in a single day, dropping to $24.59 million according to DefiLlama data [2]. This rapid outflow of capital suggests that investors are quickly reassessing the risk premium associated with cross-chain bridges, particularly those relying on wrapped or ported contract code.
Analysts note that the cross-chain bridge liquidity risks exposed by this incident are likely underpriced in current market valuations [4]. The attack demonstrated that even audited protocols, such as the Hedera Token Service (audited by FP Complete in 2021), can harbor critical vulnerabilities in their pre-compiled layers [6]. The fact that the attacker successfully bridged funds to Ethereum within an hour of the initial notification indicates that bridge security mechanisms may lag behind exploit speeds, creating a dangerous window for asset theft [3].
| Metric | Pre-Exploit Value | Post-Exploit Value | Change |
|---|---|---|---|
| HBAR Price | ~$0.061 | $0.057 | -7% [2] |
| TVL (Hedera) | ~$29.3M | $24.59M | -16% [2] |
| Stolen Funds | $0 | ~$570,000 | New Loss [9] |
| Affected DEXs | 0 | 3 (Pangolin, SaucerSwap, HeliSwap) | Critical [1] |
Remediation and Recovery Efforts
Hedera’s core team responded swiftly by temporarily disabling mainnet proxies, effectively removing user access to the mainnet to prevent further theft [1]. The team identified the root cause of the vulnerability and is working on a patch that will require sign-off from Hedera Council members to deploy updated code on the mainnet [1]. While the network remains paused, DEX teams including Pangolin have announced that all exploited funds have been replenished, ensuring that no retail users suffered losses from the affected pools [5].
The attacker, identified by the account ID 0.0.2015717, is a prolific scammer with a history of draining wallets via fake HBAR airdrop microtransactions dating back to November 2022 [4]. This individual previously drained over 600,000 HBAR from at least 24 victims between late 2022 and early 2023 [4]. The current exploit appears to be part of a broader pattern of targeting liquidity pools using ported Uniswap v2-derived code, a tactic that has proven effective against multiple DEXs in the ecosystem [3].
Forward-Looking Risks and Structural Implications
Despite the successful replenishment of funds by Pangolin, the incident leaves a lingering structural risk for the DeFi market. The speed at which funds were bridged to Ethereum suggests that cross-chain bridge liquidity risks remain a critical, underpriced factor in protocol security assessments [4]. Investors and protocol developers must now account for the possibility that a vulnerability in a smart contract service layer could be exploited to drain liquidity and immediately move assets across chains, bypassing local recovery mechanisms.
Regulatory and enforcement bodies may face challenges in tracking these funds once they enter the Ethereum ecosystem, particularly when split across multiple addresses and exchanges [4]. The incident reinforces the need for more rigorous auditing of pre-compiled contract code and faster bridge deactivation protocols. While the immediate financial damage was contained to approximately $570,000, the reputational damage and the rapid TVL contraction signal a potential shift in investor behavior toward more conservative cross-chain strategies [2][9].
Source List
- https://www.theblock.co/post/218714/hedera-confirms-hackers-stole-tokens-from-dexs-exploiting-a-bug-in-smart-contract-service
- https://bingx.com/en/news/22746
- https://hedera.com/blog/analysis-remediation-of-the-precompile-attack-on-the-hedera-network/
- https://medium.com/@hederadev/hederas-march-9-exploiter-a-prolific-scammer-in-the-hedera-ecosystem-184c48a78ddf
- https://www.reddit.com/r/Hedera/comments/11oub5u/pangolin_replenishing_lost_funds/
- https://rekt.news/hedera-rekt
- https://www.youtube.com/watch?v=hmjYzBQavZ8
- https://www.youtube.com/watch?v=Tdur6oCT1Oc
- https://www.tradingview.com/news/u_today:5cc59aa07094b:0-scam-alert-here-s-what-we-know-about-hedera-exploit/









