Hacker Involved in the $4.67M Exploit of Voltage Finance Moved Some of the Stolen Ether to Tornado Cash

A hacker involved in the $4.67 million exploit of decentralized finance lending protocol Voltage Finance in 2022 has moved some of the stolen Ether to Tornado Cash after a short hibernation.

Blockchain security firm CertiK said in a May 6 post to X that the 100 Ether ETHUSD, worth $182,783 at current prices, was moved from a different address initially used in the exploit but can be traced back to the hacker.

In March 2022, the exploiter took advantage of a “built-in callback function” in the ERC677 token standard and allowed them to drain the platform’s lending pool through a reentrancy attack, according to CertiK.

After the exploit, Voltage Finance reported that the hacker stole various stablecoins and other crypto, including USDC USDCUSD, Binance USD (BUSD), wrapped Bitcoin WBTC, and Ethereum tokens.

The address used by the hacker to get the funds to Tornado Cash had been dormant since November, with the last transaction occurring 166 days ago, Etherscan data shows.

In a postmortem of the 2022 exploit, Voltage Finance said the attacker’s address was flagged on Etherscan, and exchanges had been asked to block any transactions. Attempts were also made to contact the attacker and negotiate a bounty for the return of the funds.

Voltage Finance staking pools hit in March exploit

Voltage Finance was hit again by another exploit on March 18, when its Simple Staking pools were compromised, the protocol said in a statement posted to X. In total, $322,000 was stolen.

In its March 20 postmortem, Voltage Finance said it offered the attacker a bounty of $50,000 to return the funds and had possibly identified a developer who worked on the Simple Staking pools, who may have been involved.

“While we haven’t confirmed if he is the hacker, as a precaution, we revoked his access immediately and filed police reports to cooperate with law enforcement and centralized exchanges.”

Overall crypto losses spiked by 1,163% in April, with the lion’s share coming from a single heist of an elderly US individual’s wallet, after a hacker used advanced social engineering tactics to steal 3,520 Bitcoin (BTC), worth $330.7 million.

Excluding that attack, April’s crypto losses were $34 million, a 21% jump from March.

However, the month also saw over $18 million returned when the hacker behind the $7.5 million exploit of decentralized exchange KiloEx returned all the stolen funds only four days after the attack.

The ZKsync Association also recovered $5 million worth of stolen tokens from an April 15 security incident involving its airdrop distribution contract.