Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 198 · Smart Contract Bug

Holograph Operator Mint

A flaw in Holograph's operator contract let an attacker mint 1 billion HLG tokens, worth $14.4M nominal at first mint. HLG dropped 80% within nine hours.

Date
Victim
Holograph
Chain(s)
Status
Funds Stolen

On June 13, 2024 at 09:47 UTC, an unidentified attacker began minting 1 billion HLG tokens by exploiting a vulnerability in Holograph's Operator smart contract. The mint happened across nine sequential transactions; the freshly minted HLG was worth roughly $14.4 million at the moment of the first mint. Within nine hours of the exploit becoming visible, the HLG token had fallen ~80% as the market priced in the dilution.

What happened

Holograph was a multi-chain tokenization platform. Its Operator contract handled minting operations across deployments — a privileged surface that should have been gated behind strict access control.

The exact technical vector was never fully detailed in the team's incident disclosures, but the on-chain pattern was straightforward: the attacker discovered a path through which the Operator contract would mint HLG tokens to an attacker-specified destination without proper authorisation. The attacker exercised that path nine times, minting 1 billion HLG total to addresses they controlled.

Roughly four hours after the initial exploit, the attacker began swapping the minted HLG into USDT through DEX aggregators. Approximately $1.3M in USDT was successfully cashed out before liquidity dried up; the proceeds were further swapped into ~300 ETH and distributed across four addresses for laundering.

Aftermath

  • HLG fell from ~$0.0149 to ~$0.00296 intraday (an 80% drop), recovering partially to ~$0.00646 within 24 hours as the team confirmed remediation.
  • Holograph patched the Operator contract and worked with major exchanges to freeze affected accounts that had received minted HLG.
  • The team launched a compensation and refund program for affected users — though the dilution-driven price collapse meant that even reimbursed users absorbed real losses on their pre-incident holdings.

Why it matters

Holograph follows the pattern of the mint-then-dump attack that recurs whenever a protocol exposes any path to its own native token's supply without sufficient access control:

  • PlayDapp (Feb 2024) — stolen admin key minted 1.79B PLA
  • Gala Games (May 2024) — dormant MINTER role minted 5B GALA
  • Holograph (June 2024) — operator-contract vulnerability minted 1B HLG

The defensive answer is consistent: separate the token contract from any operational contract, gate all mint authority behind multi-sig with timelocks, and treat any address with mint() capability as a privileged identity worth aggressive monitoring. Holograph's incident, three months after PlayDapp and one month after Gala, suggested the lesson was still being learned in real time.
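One way to implement the monitoring described above, as an added example that is not Holograph's code or part of the original write-up: a detector over decoded ERC-20 Transfer logs that flags mints from unapproved senders and mint volume above a rolling supply threshold. The addresses, supply figure, per-transaction amounts, window and 1% threshold are constructed assumptions.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20   # an ERC-20 mint is logged as Transfer(from=0x0, ...)

@dataclass
class Transfer:            # one decoded ERC-20 Transfer log plus tx metadata
    ts: int                # block timestamp, seconds
    tx_sender: str         # account that submitted the transaction
    src: str
    dst: str
    amount: int            # whole tokens

def mint_alerts(events, approved, supply, window_s=3600, max_frac=0.01):
    """Return (ts, reason) per policy violation among mint events."""
    alerts, recent = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src != ZERO:
            continue                               # ordinary transfer
        if ev.tx_sender not in approved:
            alerts.append((ev.ts, "unapproved-minter"))
        # Rolling window also catches an approved key that is stolen or dormant.
        recent = [m for m in recent if ev.ts - m.ts < window_s] + [ev]
        if sum(m.amount for m in recent) > max_frac * supply:
            alerts.append((ev.ts, "mint-rate"))
    return alerts

# Constructed sample data: placeholder addresses, invented supply and amounts.
MINTER, ROGUE, USER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SUPPLY = 10_000_000_000

def sample_events():
    evs = [Transfer(0, MINTER, ZERO, USER, 1_000_000),      # routine mint
           Transfer(50, USER, USER, MINTER, 500)]           # plain transfer
    # Nine sequential mints totalling 1 billion, as in the incident narrative.
    for i in range(9):
        amt = 111_111_111 + (1 if i == 8 else 0)
        evs.append(Transfer(100_000 + 60 * i, ROGUE, ZERO, ROGUE, amt))
    return evs

if __name__ == "__main__":
    for ts, reason in mint_alerts(sample_events(), {MINTER}, SUPPLY):
        print(ts, reason)
```

The rate rule matters as much as the allowlist: in the PlayDapp and Gala cases listed above the minting identity was itself authorised, so only a volume or timelock check would have raised an alert.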
