- Hector Network appears to have suffered another costly security breach.
- Over $2.7 million has been withdrawn from funds meant to settle aggrieved investors.
- Hector Network is one of many failed DeFi projects that devolved into a so-called rage-quit settlement last year.
Hector Network’s long-suffering investors were dealt a major blow on Monday.
That’s because in an apparent security breach, someone was able to withdraw $2.7 million from a pool of $11 million earmarked for compensating investors as part of a so-called rage-quit settlement agreed over the summer.
“[It’s] very sad what this has become,” Lilbagscientist, a pseudonymous investor and vocal critic of the team, told DL News.
Despite the mysterious fund movements, there hasn’t been any official communication from the committee in charge of handling the treasury liquidation process.
The dedicated email address used to communicate with the liquidators is no longer in service.
As such, community members have been left questioning whether the withdrawal was the result of an external hack, the actions of a rogue insider, or if there’s another explanation.
Hector Network investors are facing a 22% haircut on their expected settlement if the funds are not recovered.
Sparring Legal, a law firm and one of the liquidators, declined to comment but told DL News that an official statement about the matter is imminent.
Monday’s incident is the latest salvo in DeFi’s longest-running rage-quit sagas.
Rage quits happen when participants of failed projects agree to liquidate the treasury and distribute the proceeds on a pro-rata basis to investors and other stakeholders.
Hector Network’s rage quit was the consequence of 18 months of dissatisfaction among investors after seeing the once $100 million project fall to only hold $16 million.
During this period, the project’s token also fell a whopping 99%.
Lilbagscientist is part of a group of investors who have tried to hold Hector Network’s team accountable to the community over the last year.
Outside hack or inside job
On-chain data shows the incident began with $11 million in USDC transferred from Hector Network’s treasury to a smart contract address.
The smart contract address was supposed to handle the disbursement of funds to already accredited recipients.
However, a wallet address not captured in the codified list of accredited investors, was marked as eligible in the smart contract.
This action allowed the operator of the address to become one of the beneficiaries, and to remove funds from the smart contract to the tune of $2.7 million in USDC.
The withdrawn funds were then swapped from USDC to Ether and funnelled to six different wallets.
Meanwhile, the remaining funds were sent back from the smart contract to Hector’s treasury.
Fraud, incompetence, or both
Monday’s unexplained fund movement comes as project has been marred by several puzzling incidents.
These incidents have amounted to about $40 million lost from Hector Network’s coffers to security breaches and exploits, including $8 million from last year’s Multichain bridge fiasco.
Given these previous security lapses, several concerned investors campaigned for more robust protocols to guarantee the safety of redemption process.
These calls come after Concave Finance, another DeFi project that went through a rage quit process last year, botched its settlement due to flaws in its smart contracts.
“We warned them so many times; do not load the redemption contract with all the funds,” Lilbagscientist said. “Just like the bridge hack, they tested in production, again.”
Apart from testing in production — the practice of deploying untested smart contracts to a live environment rather than a controlled testnet — there is other evidence of unsafe security practices by Hector Network’s team.
Smart contract auditing firm CertiK also confirmed Hector Network’s team has decided against acting on security warnings.
“We highlighted multiple centralisation risks with severity classifications of ‘Major,’ including with regard to functions related to treasury management,” Jesse Leclere, security expert at CertiK said in a note shared with DL News.
Leclere’s note also said Hector Network’s team acknowledged these issues but decided not to make changes. Hector’s team was not available for comment.
Meanwhile, it’s clear investors are angry, with threats of varying degrees appearing on the project’s community Discord server as well as on-chain.
Osato Avan-Nomayo is a Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips, contact him at osato@dlnews.com.