Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 188 · Smart Contract Bug

Hedgey Finance Approval Bug

Hedgey Finance's campaign contracts lost $44.7M when a missing check on one createLockedCampaign parameter let the attacker have the contract approve an address of the attacker's choosing to spend the tokens it held for every campaign.

Date: April 19, 2024
Status: Funds not recovered
Funds Stolen: $44.7M (~$42.6M on Arbitrum, ~$2.1M on Ethereum)

On April 19, 2024, the DeFi vesting and token-distribution protocol Hedgey Finance was exploited on both Arbitrum (~$42.6M) and Ethereum (~$2.1M), a combined loss of about $44.7M. The root cause was a single unvalidated parameter on one function of its campaign contract.

What happened

Hedgey provided vesting and claim campaigns: a project could deposit tokens into a Hedgey campaign contract and let recipients claim their share according to a vesting schedule. Tokens from every campaign sat in that one contract's balance. The function createLockedCampaign set up a new campaign and accepted several parameters describing its lockup terms, among them a claimLockup struct.

The function validated most of those parameters, but not the claimLockup value, which named the locker contract that the campaign contract would approve to pull the campaign's tokens as claims were made. Because that address was never checked, an attacker could pass their own address and have the contract approve them to spend, from its pooled balance, an amount equal to whatever campaign size they chose.

A flash loan supplied the deposit needed to create a campaign sized to the contract's holdings of each target token. The attacker then cancelled the campaign, which returned the deposit (repaying the loan) but did not revoke the approval that had just been granted. With that approval still live, the attacker called transferFrom and drained USDC, NOBL, MASA and BONUS from the campaign contract itself, tokens that other projects had deposited for their own campaigns. The funds came from the contract's pooled balance, not from the wallets of users who had interacted with it.

Aftermath

  • Hedgey paused affected contracts and sent an on-chain message to the attacker requesting a return of funds and offering white-hat treatment.
  • The team migrated to a redesigned campaign contract with explicit validation on every parameter.
  • The attacker did not respond to the bounty offer; funds were laundered.

Why it matters

Hedgey reinforced the unglamorous truth that every input parameter is part of the trust boundary, especially in protocols that accept external contract addresses from users and then grant those addresses approvals. A single unchecked field on a privileged setter is enough to expose a whole protocol's pooled balance, because approval state outlives the campaign that created it. The defensive answer is a deny-by-default allowlist for any address that will receive an approval, revocation of approvals on every exit path (cancel included), and contract-level invariants, checked in tests or with formal tools, such as "no spender's allowance ever exceeds what active campaigns need", so that no combination of inputs can leave a standing allowance behind.
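The following is a simplified reconstruction added for this dossier; it is not Hedgey's code. It shows the vulnerable shape described under "What happened" (an unchecked locker address that receives an allowance on the pooled balance, and a cancel path that refunds without revoking) beside a hardened shape that applies the defenses listed above. All struct and function names here (Campaign, ClaimLockup.tokenLocker, cancelCampaign, setLocker, outstanding, allowanceMatchesOutstanding) are assumptions chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this dossier, not Hedgey's source. The struct and
// function names (Campaign, ClaimLockup.tokenLocker, cancelCampaign, setLocker,
// outstanding) are assumptions chosen to show the pattern.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

struct Campaign {
    address manager;
    address token;
    uint256 amount;
}

struct ClaimLockup {
    address tokenLocker; // contract meant to pull tokens as recipients claim
    uint256 start;
    uint256 cliff;
    uint256 period;
}

// Vulnerable shape: every campaign's tokens sit in one pooled balance, the
// caller-supplied tokenLocker receives an allowance on that pool with no check,
// and cancelling refunds the deposit without revoking the allowance.
contract VulnerableClaimCampaigns {
    mapping(bytes32 => Campaign) public campaigns;

    function createLockedCampaign(bytes32 id, Campaign calldata c, ClaimLockup calldata lockup) external {
        require(campaigns[id].manager == address(0), "exists");
        require(c.token != address(0) && c.amount > 0, "bad campaign");
        // lockup.tokenLocker is never validated: any address, an EOA included, is accepted.
        require(IERC20(c.token).transferFrom(msg.sender, address(this), c.amount), "pull failed");
        campaigns[id] = Campaign(msg.sender, c.token, c.amount);
        require(IERC20(c.token).approve(lockup.tokenLocker, c.amount), "approve failed");
    }

    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.manager == msg.sender, "not manager");
        delete campaigns[id];
        // Refund only; the allowance granted above survives this call.
        require(IERC20(c.token).transfer(msg.sender, c.amount), "refund failed");
    }
}

// Hardened shape: deny-by-default allowlist of locker contracts, allowance
// tracked per (token, locker) and re-synced on every path that changes it, and
// a view that states the invariant a test suite should assert.
contract HardenedClaimCampaigns {
    address public immutable owner;
    mapping(bytes32 => Campaign) public campaigns;
    mapping(bytes32 => address) public lockerOf;
    mapping(address => bool) public allowedLocker;
    // token => locker => sum of active campaign amounts assigned to that locker
    mapping(address => mapping(address => uint256)) public outstanding;

    constructor() { owner = msg.sender; }

    function setLocker(address locker, bool ok) external {
        require(msg.sender == owner, "not owner");
        require(locker.code.length > 0, "locker must be a contract");
        allowedLocker[locker] = ok;
    }

    function createLockedCampaign(bytes32 id, Campaign calldata c, ClaimLockup calldata lockup) external {
        require(campaigns[id].manager == address(0), "exists");
        require(c.token != address(0) && c.amount > 0, "bad campaign");
        require(allowedLocker[lockup.tokenLocker], "locker not allowlisted");
        require(lockup.period > 0 && lockup.cliff >= lockup.start, "bad schedule");
        require(IERC20(c.token).transferFrom(msg.sender, address(this), c.amount), "pull failed");
        campaigns[id] = Campaign(msg.sender, c.token, c.amount);
        lockerOf[id] = lockup.tokenLocker;
        outstanding[c.token][lockup.tokenLocker] += c.amount;
        _syncAllowance(c.token, lockup.tokenLocker);
    }

    function cancelCampaign(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(c.manager == msg.sender, "not manager");
        address locker = lockerOf[id];
        delete campaigns[id];
        delete lockerOf[id];
        outstanding[c.token][locker] -= c.amount;
        _syncAllowance(c.token, locker); // revoke before the refund leaves
        require(IERC20(c.token).transfer(msg.sender, c.amount), "refund failed");
    }

    // Allowance is always exactly what active campaigns need, never more.
    function _syncAllowance(address token, address locker) internal {
        // Reset to zero first: some tokens (USDT-style) reject non-zero -> non-zero approve.
        require(IERC20(token).approve(locker, 0), "reset failed");
        uint256 want = outstanding[token][locker];
        if (want > 0) require(IERC20(token).approve(locker, want), "approve failed");
    }

    // Invariant for tests: no locker may spend more than its active campaigns hold.
    function allowanceMatchesOutstanding(address token, address locker) external view returns (bool) {
        return IERC20(token).allowance(address(this), locker) == outstanding[token][locker];
    }
}
```

Against VulnerableClaimCampaigns the sequence in the entry works as written: create a campaign with lockup.tokenLocker set to the attacker's address and amount equal to the contract's balance of the target token, cancel it to recover the deposit, then call transferFrom on the token against the contract. HardenedClaimCampaigns stops the same sequence at three independent points: the attacker's address is not on the allowlist (and an EOA cannot be added), cancellation resets the allowance before the refund, and allowanceMatchesOutstanding gives a fuzz or invariant test one predicate to check after every call.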

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-hedgey-finance-hack-april-2024
  2. crypto.news: https://crypto.news/hedgey-finance-hacked-for-44-7m-on-arbitrum-ethereum/
  3. blockbasis.com: https://blockbasis.com/p/unveiling-vulnerabilities-hedgey-finances-447-million-breach-sparks-urgent-security-reevaluation-def
