WE GOT BENT! (How we got exploited and recovered stronger)
Well it happened.,, and it puts us in the good company of ETH, YFI and other legends who had to grow through early hacks/exploits to get to where they are.
First off we would like to apologize to those affected and thank you for bearing with us. We have been heads down trying to solve this in a good way.
In this article we will be covering how we got exploited, how we recovered and the path forward in conclusion.
What happened was that a few days ago BENT went live on debank and in that, community members were able to see the amount of “deposits” of various tokens. This showed one wallet with a balance of over half a billion dollars of CVXCRV and nearly the same MIM. This balance wasn’t real, but it “fooled” the contract that effectively allowed them to withdraw other peoples tokens until the pool was drained.
It was a little strange how it happened, especially because we found out that the exploit was installed 20 days previous and they were not actively withdrawing.
Having no idea what was going on, we contacted the two best white hat hackers we could find, one was Samczsun and the other is a deep anon who is only known via referral. They got in a war room with us and came to the conclusion that this was in fact an inside job.
Here we go…
We had originally deployed the contracts as “verified” and those are what had been audited. In the process of burning the proxy and tightening security (kek) “someone” had slipped an unverified contract update in before updating to the next verified contract. This update hardcoded half a billion dollars in deposits they didn’t actually own, allowing them in the future to drain the pools whenever they liked.
Was it the “team” — how did it happen? Well, the BENT Team consists of numerous full time core team members including swisshed, ape, santonicle and conrad plus a few others in support roles. Also the CTO had employed a “dev” on various projects for some time. This dev had worked with him for sometime in a support role. Well, as it happens, sir dev was shared the private keys to the deployer, in order to do the updates and during this time, dev slipped in the exploit.
What happened next was a few days of “interesting things” but we can say that the exploiter agreed to return the funds to the multisig at 0xaBb8B277F49de499b902A1E09A2aCA727595b544.
Now since he dumped the curve at the bottom and it has been pumped since, and sent us ETH and DAI, we came a little short, but have worked it out.To date, we have raised an additional 200,000 cvxcrv ~ ($1M) from the community to help plug the gap. Also you can see what we did to patch access so nothing like this can happen again here.
You can see owed addresses here:
You can see the reimbursement of lost funds for 513,005.63672632400 cvxcrv-f paid in full here:
If you believe you are owed and are not on this list, please get in touch with swishedd with PROOF (please don’t waste our time skemmers).
Now moving forward we have quite a lot of good things happening including the upcoming vlCVX vote for bent stakers and restarting of pools which we will cover in an article releasing very soon.