Holograph protocol sabotaged by disgruntled contractor

Update July 4, 10:30 am UTC: This article has been updated to include comments from Jerry Peng.

An internal investigation revealed that a former disgruntled contractor was responsible for hacking the blockchain tokenization platform Holograph.

On June 13, a hacker exploited the Holograph protocol to mint 1 billion native Holograph (HLG) tokens worth $14.4 million. As a result, the value of HGL tokens dropped by nearly 80% within nine hours of the exploit, from $0.014 to a low of $0.0029.

According to CoinGecko data, HGL attempted an unsustained recovery to $0.0049 before stabilizing at $0.002887 at the time of writing.

Holograph began an internal investigation with blockchain investigation firm Halborn and released a post-mortem of the incident on July 2, highlighting the involvement of “a disgruntled former contractor.” According to Holograph, the former contractor minted $14 million of HLG tokens using a proxy wallet.

Speaking to Cointelegraph, Jerry Peng, a research analyst at Web3 analytics firm 0xScope, revealed how company insiders are in the best position to exploit crypto protocols:

"The complexity of these projects means that insiders with deep technical knowledge are able to exploit vulnerabilities that may not be apparent to others."

The hacker then sold the newly minted HLG tokens to crypto investors in the open market, consequently crashing its price.

The former contractor-turned-hacker meticulously planned the heist months in advance, knowing they had admin access to Holograph Protocol v1 contracts, which was later used as a backdoor.

Holograph intends to involve law enforcement in the investigation. After identifying the cause, Holograph resumed bridging on the v2 protocol and advised all crypto exchanges to allow HLG deposits and withdrawals.

The protocol will implement a burn plan to reduce the maximum supply of the HLG tokens to 10 billion. In response to a community member’s concerns about the inflated circulating supply, Holograph replied:

“Yes, only circulating supply is being burned to return circulating back to original schedule.”

The protocol has not yet shared plans for the lost funds’ recovery and law enforcement proceedings in an upcoming update.

According to Peng, code audits, using multisig wallets with well-distributed signers, adequate background checks on new employees, and diligently removing former employees' access to important assets are some of the best ways to fight insider threats.

Related: Crypto hacks down by 54.2% in June, $176M lost in a month

Holograph implemented a comprehensive resolution, including operational risk controls, to prevent insider attacks.

On June 3, Bittensor was also forced to halt its network activity following a series of wallet drains that stole at least $8 million worth of digital assets.

The network outage aiming to contain the exploit was announced by Bittensor co-founder Ala Shaabana:

“By way of an update, we have contained the attack and put the chain into safe mode (blocks producing but no transactions are permitted). We’re still mid-investigation and are considering all possibilities.”

The unknown address “5FbW” was exploited to obtain 32,000 Bittensor (TAO) tokens worth approximately $8 million at the time of writing.

Magazine: Crypto-Sec: Phishing scammer goes after Hedera users, address poisoner gets $70K