Approximately 48 hours after launch, users of Hegic, an Ethereum-based options protocol, have permanently lost funds owing to an error in the platform’s code.
According to the platform, approximately “152.2 ETH (~$28,537) are forever locked on the pools contracts in the unexercised put/call options”.
Hegic says 16 of the 19 contracts are DAI-locked, while 3 of 19 are ETH-locked. Hegic says it discovered that one of its function’s optionIDs was wrongly spelled. This means that those who provided liquidity to the protocol after launch will not be able to get their funds back when the function is called. As a result, users have permanently lost their funds.
Hegic said: “ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.”
As a result, Hegic has urged its users to stop opening new contracts because of the error. It has, however, promised to work on improving the code in the next few days.
Observers have questioned the authenticity of the code audit. As reported, the audit was done by Trail of Bits, a highly regarded auditing firm. According to them, the audit was done less than a week before the launch of Hegic.
Trail of Bits said in a report that it conducted the audit of Hegic’s smart contracts with one engineer between April 8 and April 10, and discovered 11 vital issues that needed to be fixed. It was, however, rechecked on the 15th.
‼️ ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.
— Hegic (@HegicOptions) April 25, 2020
Hegic later, in a statement, absolved Trail of Bits of blame for the issue, saying it is not a security issue. It said Trail of Bits “did their job well”, but the issue happened as a result of a function name that was incorrectly written. The function, according to Hegic, unlocks liquidity in expired contracts.
“If it doesn’t work, funds are just forever locked. It can’t be used by a malicious actor.”
“Liquidity that was locked on pools contracts will be forever locked without an ability to unlock it and withdraw the funds from the pool.”
Meanwhile, Hegic is going to make a 100% refund from its own purse to those who lost funds in the incident. Dishearteningly, the real funds are lost to the poorly coded algorithm. DeFi is being exploited these days. Not long ago, NewsLogical reported a case of DeFi exploitation which resulted in the loss of $25 million.
◽️ UPDATE: 152.2 ETH (~$28,537) are forever locked on the pools contracts in the unexercised put/call options. 16 of 19 contracts are puts (DAI locked). 3 of 19 are calls (ETH locked). All LPs will receive a 100% refund. Email at email@example.com WIP: fixing the bug/automated tests.
— Hegic (@HegicOptions) April 26, 2020