<aside> 💡

Date of Incident: March 25, 2025

</aside>

Overview

On March 25, 2025, an attacker exploited a vulnerability in the LendOS protocol on the Hemi network, manipulating the Sushi V2 ETH/USDC.e liquidity pool to artificially inflate the price of LP tokens. The attack leveraged a flash loan and took advantage of the pool’s low liquidity, resulting in a bad debt of $11,800 for the protocol. Funds were subsequently transferred to the Ethereum Mainnet via Stargate.


Attacker Details


Attack Execution

The attack was executed via the following transaction:

The attacker used a flash loan from the Sushi V3 ETH/USDC.e pool to temporarily increase the ETH reserves in the Sushi V2 ETH/USDC.e pool. This manipulation inflated the calculated price of the LP tokens, which represent a share of the pool’s reserves. After executing the attack, the attacker transferred the extracted funds to the Ethereum Mainnet using the Stargate bridge.



Vulnerability Details

The root cause of the exploit lies in the LP token price calculation mechanism, which relies on the pool’s reserve amounts and prices from the RedStone oracle. The relevant code is as follows:
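
An added example, not LendOS code: a Python model of a constant-product pool that values one LP token from spot reserves and oracle prices (the pattern described above), next to the geometric-mean "fair LP" valuation and a reserve-skew guard. The fair-LP formula is a commonly used mitigation and is not stated by this report as the fix; the pool sizes, prices and all function names are constructed assumptions.

```python
from math import isqrt

WAD = 10**18  # 18-decimal fixed point; all amounts below are constructed

def naive_lp_price(r0, r1, p0, p1, supply):
    """Reserve-based valuation: (r0*p0 + r1*p1) / supply. Follows spot reserves."""
    return (r0 * p0 + r1 * p1) // supply

def fair_lp_price(r0, r1, p0, p1, supply):
    """Geometric-mean valuation: 2*sqrt(r0*r1)*sqrt(p0*p1) / supply.
    Depends on the invariant k = r0*r1, which a swap changes only by the fee."""
    return 2 * isqrt(r0 * r1) * isqrt(p0 * p1) // supply

def reserves_skewed(r0, r1, p0, p1, tol_bps=200):
    """Guard: True when the pool's two sides differ in oracle value by > tol_bps."""
    side0, side1 = r0 * p0, r1 * p1
    return abs(side0 - side1) * 10_000 > side0 * tol_bps

def swap_in(r_in, r_out, amount_in, fee_bps=30):
    """Constant-product swap with a 0.3% fee; returns (r_in, r_out) afterwards."""
    amt = amount_in * (10_000 - fee_bps)
    out = amt * r_out // (r_in * 10_000 + amt)
    return r_in + amount_in, r_out - out

def compare(eth_in=45 * WAD):
    """Value one LP token before and after a large one-sided trade."""
    p_eth, p_usd = 2_000 * WAD, 1 * WAD           # assumed oracle prices (USD)
    r_eth, r_usd = 5 * WAD, 10_000 * WAD          # assumed thin pool, balanced
    supply = isqrt(r_eth * r_usd)                 # LP supply at initial mint
    before = (r_eth, r_usd)
    after = swap_in(r_eth, r_usd, eth_in)
    return {
        name: {
            "naive": naive_lp_price(*r, p_eth, p_usd, supply),
            "fair": fair_lp_price(*r, p_eth, p_usd, supply),
            "skewed": reserves_skewed(*r, p_eth, p_usd),
        }
        for name, r in (("before", before), ("after", after))
    }

if __name__ == "__main__":
    for state, vals in compare().items():
        print(state, {k: v / WAD if k != "skewed" else v for k, v in vals.items()})
```

With these constructed numbers the reserve-based value rises about fivefold after the trade, while the geometric-mean value moves by well under 0.5% and the guard flags the pool as skewed.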