Holograph Hack: Where 1 Billion Tokens Went
On June 13, 2024, Holograph, a blockchain tokenization protocol, encountered a critical smart contract exploit. An unauthorized actor minted 1 billion additional HLG (Holograph) tokens, incurring more than a 60% drop in token value in a duration of ten minutes. The incident had in fact resulted in a severe loss of investor confidence by the time Holograph’s team confirmed it in a statement on X.
The Holograph protocol allows the use of a single contract address across all EVM blockchains, enabling consistent tokenization, interoperability, and the transferring of assets cross-chain.
The Exploit: How It Happened
Timeline of Events
At 09:45 AM UTC: The exploiter executes the initial exploit transaction, minting a large quantity of unauthorized HLG tokens. At 10:00 AM UTC: The HLG token price begins a sharp decline as investors become aware of the exploit.
Throughout the day, the Holograph team identifies the exploit, patches the vulnerability, and collaborates with exchanges to freeze the attacker’s accounts.
Fund Movements and QLUE analysis
Our examination of blockchain data using QLUE reveals the precise flow of funds during the exploit. The attacker quickly converted part of the stolen tokens for USDT using popular cryptocurrency exchanges and later converted the USDT to Ethereum.
Following the USDT conversion, the exploiter has acquired 373.27 ETH. They sent 100 ETH to each of three new addresses, for a total of 300 ETH. 25.6 ETH was transmitted to a different address, after which 1 Ethereum went to Tornado Cash and the other 23.96 ETH reached Railgun.
This exploiter left 0.5 ETH unspent in the last proceeds address and an approximate total of 47.6 ETH unspent in the initial consolidation address.
Below are the QLUE graphs that illustrate these transactions and the subsequent movement of funds.
- QLUE Graph 1: Initial exploit transactions and the rapid minting of HLG tokens.
- QLUE Graph 2: Conversion of HLG to USDT and subsequent fund transfers.
- QLUE Graph 3: Movement of stolen funds between addresses belonging to the exploiter
Damage to Holograph Protocol
The scam drove Holograph into a financial crisis. Ten minutes after the illegal minting, the market value of HLG tokens fell from about $22 million to less than $10 million, a startling loss of over $12 million. Because the attack raised questions about Holograph’s security protocols, investor trust in the platform was seriously damaged. Worse, the attacker’s quick transfer of a significant amount of HLG tokens to Tether (USDT) further unstabled the HLG market and raised price volatility.
Holograph’s Response
In response to the incident, Holograph moved quickly in a number of directions. The group claimed to have found and fixed the smart contract’s vulnerability. They next worked with cryptocurrency exchanges to freeze the accounts connected to the attacker’s wallet, in an attempt to stop their capacity to influence the market. Holograph started a thorough investigation involving law enforcement in order to find the exploiters.
Lastly, in an effort to regain the confidence of its consumers, Holograph disclosed a compensation plan designed to lessen the financial damages incurred by individuals impacted by the exploit.
Persisting Defi Risks
Holograph exploit only sets a reminder of a rising trend: Attacks on DeFi are a major and ongoing threat. DEX Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses approximating $6.8 million in ETH. UwU Lend, an Ethereum-based lending and liquidity protocol, experienced two exploits in the past week. On June 13, UwU Lend was hacked, resulting in a loss of $3.72 million.
Whether such malicious operations are facilitated by insider jobs or a result of weak security measures by the service providers, law enforcement are expected to up their game to combat this malice.
Here’s when QLUE becomes an indispensable tool for law enforcement:
Investigators are able to trace and analyze bitcoin transactions with the help of QLUE, a robust tool for blockchain analytics investigations. Regarding DeFi exploits such as these, QLUE can play a crucial role in:
- Finding the source and destination of stolen money: QLUE can assist in tracking the transit of stolen money between wallets and exchanges by displaying its flow.
- Expediting case closure: Investigative timeframes can be shortened by using QLUE’s sophisticated analytics to go through large volumes of data and find critical leads before criminals make more moves.
- Developing a stronger case: QLUE can provide investigators the proof they require to gather evidence and build a case to retrieve money that has been pilfered.
Book a free demo and start using QLUE in cryptocurrency investigation.
Written By: Omar Marzouk
Writer, Content marketing at Blockchain Intelligence Group