The Tender.fi DeFi protocol has been fully restored after the ethical hacker returned the $1.6 million taken from the platform in a recent exploit. The hacker, who acted as a white hat, identified a flaw in Tender.fi’s pricing oracle that enabled them to borrow a substantial sum with a relatively small deposit. Following the hacker’s intervention, Tender.fi has been able to address the vulnerability and ensure the security of its platform for its users.
According to the post-mortem report released by Tender.fi today, the DeFi lending protocol had implemented an upgrade to Chainlink’s price oracle on March 6, just a day before the exploit. The new price feed sourced the value of the GMX token from Chainlink instead of relying on a time-weighted average price (TWAP). The updated code underwent a thorough audit by the esteemed blockchain intelligence firm, PeckShield. These measures were taken to ensure the utmost professionalism and security of the platform.
Unfortunately, the Chainlink price oracle experienced a technical malfunction, resulting in a vulnerability that allowed a hacker to deposit a single GMX token valued at approximately $70 and borrow an astonishing $1.6 million against it. The issue stemmed from a decimal error within the Solidity contract, which caused the contract to treat the 1 GMX of collateral as having greater value on Tender.fi than the entirety of Bitcoin in circulation.
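The class of decimal error described above can be modelled with plain integer arithmetic. This is an added example, not Tender.fi's contract code: the post-mortem's exact faulty expression is not reproduced here, so the buggy scaling factor, the 8-decimal feed, the 18-decimal token, the reference price and all function names are assumptions chosen for illustration. It also shows a deviation check against a reference price (such as the previous TWAP) that rejects an implausible reading.

```python
WAD = 10**18  # internal fixed-point scale for USD values (assumption)


class PriceOutOfBounds(Exception):
    """Raised when a new oracle price is implausible against a reference."""


def normalize_price(answer: int, feed_decimals: int) -> int:
    """Scale a raw feed answer to an 18-decimal USD price per whole token."""
    if feed_decimals > 18:
        return answer // 10 ** (feed_decimals - 18)
    return answer * 10 ** (18 - feed_decimals)


def normalize_price_buggy(answer: int, feed_decimals: int) -> int:
    """Constructed bug: ignores feed_decimals and applies the full 1e18 factor."""
    return answer * WAD


def collateral_value(amount: int, token_decimals: int, price_wad: int) -> int:
    """USD value (18-decimal fixed point) of `amount` base units of a token."""
    return amount * price_wad // 10 ** token_decimals


def checked_price(price_wad: int, reference_wad: int, max_dev_bps: int = 2_000) -> int:
    """Accept a price only if it is within max_dev_bps of a reference price."""
    if price_wad <= 0 or reference_wad <= 0:
        raise PriceOutOfBounds("non-positive price")
    if abs(price_wad - reference_wad) * 10_000 > reference_wad * max_dev_bps:
        raise PriceOutOfBounds(f"{price_wad} vs reference {reference_wad}")
    return price_wad


# Constructed sample: 1 token (18 decimals) priced at $70 by an 8-decimal feed.
ONE_TOKEN = 10**18
RAW_ANSWER = 70 * 10**8
REFERENCE = 69 * WAD  # constructed prior TWAP reading

good = normalize_price(RAW_ANSWER, 8)
bad = normalize_price_buggy(RAW_ANSWER, 8)

if __name__ == "__main__":
    print("correct value USD:", collateral_value(ONE_TOKEN, 18, good) // WAD)
    print("buggy value USD:  ", collateral_value(ONE_TOKEN, 18, bad) // WAD)
    try:
        checked_price(bad, REFERENCE)
    except PriceOutOfBounds as exc:
        print("rejected:", exc)
```

In this constructed case the mis-scaled price inflates the collateral by a factor of 10^8, and the deviation check rejects it before it could feed a borrow limit.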
After borrowing a substantial amount, the white hat left an on-chain message for the protocol, highlighting a potential misconfiguration in their oracle. The Tender.fi team promptly contacted the hacker via DeBank and successfully negotiated repayment of the loan. In exchange for their efforts, the white hat was rewarded with a bounty of 62.15 ETH, valued at almost $100,000 at the time. This professional approach to resolving the issue showcases the importance of collaboration and communication in the blockchain space.
The DeFi lending protocol has taken to the Twitterverse to announce the resumption of all borrowing services to its esteemed community. Tender.fi temporarily suspended the borrowing feature in response to the exploit on March 7.