Designed for cross-chain lending, LendHub suffered a loss of about $6 million worth of crypto assets on January 12, 2023, after a hacker exploited a vulnerability in its smart contract. The flaw occurred due to an oversight in removing a deprecated token that had been replaced with a new one.

Root Cause of Orion Protocol Hack

The LendHub hack was a result of a deprecated token not being removed properly during an update. LendHub had introduced a new version of IBSV and its own Comptroller contracts to replace the old version but failed to remove the old token, resulting in both versions being active in the market.

The hacker exploited the differences between the two token contracts by interacting with them separately, taking advantage of the old market's mint and redeem functionality and taking out loans in the new market.

The discrepancies caused by these activities allowed the attacker to drain approximately $6 million worth of the new token's value

Lendhub's Incident Response

Lendhub contacted the SlowMist security team and mainstream exchanges to investigate the incident and claimed to have locked the hacker's attack address. However, the measure was not enough to recover the 1,100 ETH (~$1,562,000) transferred to Tornado Cash.

Lessons learnt

The Lendhub hack could have been avoided if the team had followed standard practices, such as the

• Do Not Repeat Yourself (DRY) code rule - removing deprecated features promptly after successful replacement,

• drawing out clear update processes, and

• auditing the code for vulnerabilities after introducing upgrades or new features to the platform.

Conclusion

The LendHub hack highlights the significance of a well-defined and exhaustive process for updating blockchain smart contracts. Despite the relevant smart contracts being unverified, the attack succeeded due to the presence of two conflicting versions of the same token on the market