Yieldly HDL Distribution Pool Exploit

    At the beginning of March, Yieldly announced they had found wallets abusing the HDL Distribution pool. Let’s look and see if we can identify the wallets that were taking advantage of the HDL distribution pool.

    Yieldly tweeted about the irregular activity around the HDL distribution pool on March 5. Counting the daily number of transactions interacting with the HDL pool (app_id = 596947890) makes it evident that the exploit had started by March 4 at the latest and peaked the next day.

    Given that this pool was advertised as self-compounding by Yieldly, there was no need to withdraw rewards and restake them in order to maximise gains. However, many bot accounts interacted multiple times with the distribution pool, reaching thousands of transactions in a matter of hours. The table below lists the top 50 accounts with the most frequent interactions, 24 of which managed to surpass 1,000 transactions.

    We can identify the actions wallets were taking on this pool by using the algorand.application_call_transaction table and decoding the application call action.

    The next task is to examine the odd behaviour of a random selection from the top 10 most suspicious wallets. Since this is bot activity, the majority are assumed to follow the same strategy.

    Sorting the exploit transactions by block_timestamp shows a transaction with the HDL pool every 9 seconds, continuously staking and withdrawing minimal amounts. Whenever the exploit succeeded, the hacker withdrew all the stolen HDL tokens.
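
    The volume and cadence signals described above can be turned into a simple detection pass. This is an added example, not code from the original analysis: the row layout (block_timestamp, sender, app_id, action), the action labels, the thresholds and the wallet names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

HDL_POOL_APP_ID = 596947890  # app_id quoted on the page

def flag_bot_wallets(rows, min_txs=1000, max_median_gap_s=15):
    """rows: (block_timestamp, sender, app_id, action) tuples (assumed schema).
    Returns {sender: (tx_count, median_gap_s, stake_withdraw_cycles)} for
    wallets whose volume and cadence against the pool look automated."""
    calls = defaultdict(list)
    for ts, sender, app_id, action in rows:
        if app_id == HDL_POOL_APP_ID:
            calls[sender].append((ts, action))
    flagged = {}
    for sender, txs in calls.items():
        if len(txs) < max(min_txs, 2):  # need two calls to measure a gap
            continue
        txs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(txs, txs[1:])]
        # A stake immediately followed by a withdraw is one round trip.
        cycles = sum(1 for a, b in zip(txs, txs[1:])
                     if a[1] == "stake" and b[1] == "withdraw")
        gap = median(gaps)
        if gap <= max_median_gap_s:
            flagged[sender] = (len(txs), gap, cycles)
    return flagged

def constructed_sample():
    """Constructed rows: placeholder wallets, arbitrary start date."""
    start = datetime(2000, 3, 5)
    rows = []
    for i in range(1200):  # bot: one call every 9 seconds, stake/withdraw
        action = "stake" if i % 2 == 0 else "withdraw"
        rows.append((start + timedelta(seconds=9 * i),
                     "BOT_WALLET_PLACEHOLDER", HDL_POOL_APP_ID, action))
    for i in range(1000):  # heavy but slow user: one call every 10 minutes
        rows.append((start + timedelta(minutes=10 * i),
                     "SLOW_WALLET_PLACEHOLDER", HDL_POOL_APP_ID, "stake"))
    for i in range(3):     # ordinary staker
        rows.append((start + timedelta(hours=8 * i),
                     "NORMAL_WALLET_PLACEHOLDER", HDL_POOL_APP_ID, "stake"))
    rows.append((start, "BOT_WALLET_PLACEHOLDER", 1, "stake"))  # other app
    return rows

if __name__ == "__main__":
    for wallet, stats in flag_bot_wallets(constructed_sample()).items():
        print(wallet, stats)
```

    Combining the count threshold with the median gap keeps a busy but slow wallet out of the result, so only accounts matching both signals are surfaced for manual review.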

    Further Analysis

    Tracing the initial transactions of the most suspicious wallets on AlgoExplorer shows that many of them were funded by the same source. The listed addresses were created 166 days ago and have plenty of information about the hacker's other activities.

    • IJJVPTIZ3U5KCT7NCO7HCAEKQXI4PYNQ65MKO7QL2ES7JIDLIFHO4SUEWE
    • 557MQ6RQK3W6S5FT5K3IAJBSNFZFFRAFP4UYEYJ6E2H7ZLOCQZQBIT2A6E

    The next step was tracking the hourly activity of the hacker bot to look for a specific pattern. This time series illustrates the simplicity of the pool exploit and points out once again the risk of DeFi.

    Last but not least, the same method was applied to a larger and broader sample of the suspicious wallets to verify this hypothesis. Indeed, the pattern was very similar.
