Urgent Alert: Voltage Finance Exploit Hacker Moves Stolen ETH to Tornado Cash

Crypto security alerts are flashing again as a hacker connected to the 2022 Voltage Finance exploit has stirred from dormancy. After lying low for months, funds stolen during the initial breach are now on the move, specifically heading towards the mixing service Tornado Cash. This development is a stark reminder of the long tail of DeFi hacks and the challenges in recovering stolen assets.
What Happened in the 2022 Voltage Finance Exploit?
Back in March 2022, the decentralized finance (DeFi) protocol Voltage Finance suffered a significant exploit. The attacker leveraged a vulnerability related to the ERC677 token standard, specifically a built-in callback function, to execute a reentrancy attack. This allowed them to drain approximately $4.67 million worth of various cryptocurrencies from the platform’s lending pools.
The assets stolen included a mix of stablecoins and other tokens, such as USDC, Binance USD (BUSD), wrapped Bitcoin (WBTC), and Ethereum (ETH) tokens. Following the incident, Voltage Finance flagged the attacker’s address on explorers like Etherscan and attempted to contact the hacker to negotiate a bounty for the return of funds, without success.
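The callback reentrancy pattern described above, as an added example that is not from Voltage Finance's code or from the original article. It is a simplified Python model in which a pool pays out before updating its records, shown beside a version that updates first; all class and function names are hypothetical and the balances are constructed.

```python
# Simplified Python model of the bug class; not Voltage Finance's contract code.
class CallbackToken:
    """ERC677-style token: a transfer runs a callback on the recipient."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook:  # recipient-controlled code executes mid-transfer
            hook(sender, amount)

class VulnerablePool:
    def __init__(self, token):
        self.token, self.deposits = token, {}
    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient deposit")
        self.token.transfer(self, user, amount)  # interaction first
        self.deposits[user] -= amount            # effect last: stale during callback

class HardenedPool(VulnerablePool):
    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient deposit")
        self.deposits[user] -= amount            # effect before interaction
        self.token.transfer(self, user, amount)

class ReenteringRecipient:
    """Test double that calls withdraw again from inside the callback."""
    def __init__(self):
        self.pool, self.reentered = None, False
    def on_token_transfer(self, sender, amount):
        if not self.reentered:
            self.reentered = True
            self.pool.withdraw(self, amount)

def tokens_received(pool_cls):
    token, user = CallbackToken(), ReenteringRecipient()
    pool = user.pool = pool_cls(token)
    token.balances[pool] = 300   # constructed: 100 from user, 200 from others
    pool.deposits[user] = 100
    try:
        pool.withdraw(user, 100)
    except ValueError:
        pass  # Python has no EVM revert; the nested call is simply refused
    return token.balances.get(user, 0)
```

With the vulnerable ordering the depositor ends up holding 200 tokens against a 100-token deposit; with the state update moved ahead of the transfer, the nested withdrawal is rejected and the payout stays at 100. On-chain, a reentrancy guard on state-changing functions is the usual complementary control.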
Tracing the Stolen ETH to Tornado Cash
Blockchain security firm CertiK recently reported activity linked to the 2022 exploit. On May 6, approximately 100 ETH, valued at around $182,783 at the time of the transaction, was moved. This ETH originated from an address used in the initial exploit, although not the primary address that was funded directly by the protocol drain. The funds were sent to Tornado Cash, a privacy-focused transaction mixer.
Data from Etherscan confirms that the address used for this specific ETH transfer had been inactive for a considerable period, 166 days to be exact, with its last transaction occurring in November. The decision to move funds now, and specifically to a mixer, suggests the hacker may be attempting to further obscure the trail of the stolen ETH.
Why Use Tornado Cash?
Tornado Cash is a decentralized protocol designed to break the link between source and destination addresses on the Ethereum blockchain. By pooling and mixing cryptocurrency from different users, it makes it harder to trace the origin of funds once they are withdrawn from the mixer. For hackers and those wishing to obfuscate transactions, it’s a common tool, although its use by illicit actors has led to sanctions and increased scrutiny.
Voltage Finance’s Continued Struggles with DeFi Hacks
Unfortunately, the 2022 exploit wasn’t the end of Voltage Finance’s security issues. In March 2024, the protocol was hit by another DeFi hack targeting its Simple Staking pools. This subsequent breach resulted in the theft of an additional $322,000. In response, Voltage Finance again offered a bounty to the attacker and initiated police reports, even identifying a developer who had worked on the affected pools as a potential suspect, revoking their access as a precaution.
Broader Context: Crypto Security Landscape
The movement of funds from the 2022 Voltage Finance exploit and the subsequent 2024 hack highlight ongoing challenges in the crypto security landscape. While April saw a significant spike in overall crypto losses due to a massive social engineering attack targeting a single individual ($330.7 million in BTC), even excluding that outlier, losses from hacks and exploits remained substantial at $34 million, a 21% increase from March.
However, the picture isn’t entirely bleak. April also saw instances of funds being returned, such as the KiloEx exploiter returning $7.5 million and the ZKsync Association recovering $5 million after an incident. These events underscore the dynamic nature of crypto security, involving sophisticated attacks, attempts at obfuscation, and ongoing efforts by protocols and security firms to trace funds and improve defenses.
Summary
The recent movement of 100 ETH from the 2022 Voltage Finance exploit to Tornado Cash serves as a fresh reminder that the consequences of DeFi hacks can linger for years. While the amount moved is smaller than the initial theft, it signals renewed activity from the hacker and reinforces the importance of robust security measures and vigilant monitoring within the decentralized finance space. The continued use of mixers like Tornado Cash by illicit actors remains a significant challenge for traceability and recovery efforts.