Summary

Holograph experienced a security breach on June 13, 2024, resulting in the protocol’s native token, HLG, falling by 79.4% in value (~$110M loss in FDV).
The exploit was due to unauthorized admin access of a proxy wallet by a disgruntled former contractor who minted approximately $14 million worth of new HLG and sold it on the open market, crashing the price.
Working alongside security firm Halborn, Holograph successfully identified the root cause of the exploit and implemented a comprehensive resolution including operational risk controls to prevent the incident from ever happening again.
Bridging has been re-enabled and the HLG max supply will return to 10 billion through a final series of burns.

Incident Cause

In January, Holograph upgraded to Holograph Protocol V2. The HolographOperator V2 contract had a reference to the Holograph Protocol LayerZero V1 proxy contract 0x777C1. The admin of the proxy contract was the 0xC0ffee wallet, which was managed by a disgruntled former contractor who had previously worked on Holograph Protocol V1. In April and May, he used his admin access to upgrade the contract and add malicious jobs to Holograph Protocol V2. In May, the HolographOperator contract was upgraded to remove the 0x777C1 contract from Holograph Protocol V2. The malicious jobs were kept hidden until June 13, when they were executed by the 0xC0ffee and acc01ade.eth wallets.

Incident Timeline

On June 13 at 8:32 AM UTC, a malicious job was executed on Mantle by the 0xC0ffee wallet. The payload masqueraded as a valid job and minted 10 billion HLG in a bridge transaction. The wallet then constructed several bridge jobs to other networks in an effort to hide the HLG. At 9:20 AM UTC, the 0xC0ffee wallet created a bridge transaction from Mantle to Ethereum for 1 billion HLG. On Ethereum, the malicious actor manually called the executeJob function on the HolographOperator contract. The job failed to execute because of invalid gas parameters. Eight minutes later, the malicious actor called the recoverJob function, which minted 1 billion HLG on Ethereum. From there, HLG was transferred to various centralized exchanges and aggressively sold.

April 2024 - Several malicious jobs were created to mint hETH, hMATIC, hAVAX, and hMNT.
May 2024 - Several malicious jobs were created to mint HLG.
May 2024 - The 0x777C1 contract was removed from the HolographOperator V2 contract.
June 2024 - acc01ade.eth executed one of the HLG bridge jobs on Ethereum and transferred the HLG to exchanges.
June 2024 - Bridging was disabled and the recoverJob function was removed.
June 2024 - All malicious jobs were deleted.

Malicious Jobs

Time	TX	Network	Token	Description	Job Hash
Apr-12-2024 7:02:29 PM +UTC	TX	Zora	hETH	Job injected via `0x777CA` contract to mint 1 million hETH bridged from Zora	0xcb2c52dd61460a671220848c522b5b4cd193a6b4ada7749fee955408d1c459cc
Apr-12-2024 07:41:27 PM +UTC	TX	Base	hETH	Job injected via `0x777CA` contract to mint 1 million hETH bridged from Zora	0x74ddcb1a3f7582a2a3849a8a00af50cfbc524d4095b86f732db414c7b0af8412
Apr-12-2024 08:37:17 PM +UTC	TX	Base	hETH	Job injected via `0x777CA` contract to mint 1 million hETH bridged from Zora	0x4871a944afdff44be3842d06e04bcebd4ff5211b2b4118229dc1839dfe0db5fc
Apr-12-2024 08:40:03 PM +UTC	TX	Base	hETH	Job injected via `0x777CA` contract to mint 1 million hETH bridged from Zora	0xcb2c52dd61460a671220848c522b5b4cd193a6b4ada7749fee955408d1c459cc
Apr-12-2024 08:53:31 PM +UTC	TX	OP Mainnet	hETH	Job injected via `0x777CA` contract to mint 1M hETH bridged from Zora	0xcb2c52dd61460a671220848c522b5b4cd193a6b4ada7749fee955408d1c459cc
Apr-12-2024 08:55:43 PM +UTC	TX	ArbitrumOne	hETH	Job injected via `0x777CA` contract to mint 1 million hETH bridged from Zora	0xcb2c52dd61460a671220848c522b5b4cd193a6b4ada7749fee955408d1c459cc
Apr-12-2024 09:58:27 PM +UTC	TX	Binance Smart Chain	hBNB	Job injected via `0x777CA` contract to mint 1 million hBNB bridged from Zora	0xe92d5f5bb8a202d1fab74e80a22ca4c95c48d9773164be905844381b86550695
Apr-12-2024 10:07:54 PM +UTC	TX	Polygon	hMATIC	Job injected via `0x777C1` contract. Mint 1 million hMATIC bridged from Zora.	0x87ff0c9a01ba7a66098474ac08ef298ef6b37c53d45904f5d7ae81b289c6cc05
Apr-21-2024 2:26:44 PM +UTC	TX	Mantle	hMNT	Job injected via `0x777CA` contract to mint 1 million hMNT bridged from Zora	0x3b937d6d819b14f93513c34652d0b0b199afea832944cd9e839e87c32da01e1e
Apr-21-2024 2:00:37 PM +UTC	TX	Avalanche	hAVAX	Job injected via `0x777CA` contract to mint 1 million hAVAX bridged from Zora	0x796fddb3a164f45d5d8eb75b067ab916960bffffa6d589a2deb9fb479b7db308
Apr-21-2024 2:43:12 PM +UTC	TX	Mantle	HLG	Job injected via `0x777CA` contract to mint 1 billion HLG bridged from Zora	0x3ca40259c41005b4a57c0eff231887de5cf693f99a911fe923b36223fafc1056
May-1-2024 4:30:20 PM +UTC	TX	Mantle	HLG	Job injected via `0x777CA` contract to mint 10B HLG bridged from Zora	0x19254c5fc63b6cf66f387a06baf6db11352f1a4047d9363bcdf4493e70d2980d
May-1-2024 4:45:44 PM +UTC
TX	Mantle	HLG	Job injected via `0x777CA` contract to mint 10 billion HLG bridged from Zora	0x83f0997e79384577801d184dbf633c1cdc9dc32ff99313bb7aad42ba0884ab41
May-10-2024 02:27:08 PM +UTC	TX	BNB Chain	hBNB	Job injected via `0x777CA` contract to mint 1 million hBNB bridged from Zora	0xe92d5f5bb8a202d1fab74e80a22ca4c95c48d9773164be905844381b86550695
May-10-2024 02:29:12 PM +UTC	TX	Polygon	hMATIC	Job injected via `0x777C1` contract to mint 1 million hMATIC bridged from Zora	0x87ff0c9a01ba7a66098474ac08ef298ef6b37c53d45904f5d7ae81b289c6cc05
Jun-13-2024 08:32:28 AM +UTC	TX	Mantle	HLG	`0xC0ffee` executed job to mint 10 billion HLG	0x83f0997e79384577801d184dbf633c1cdc9dc32ff99313bb7aad42ba0884ab41
Jun-13-2024 08:37:52 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to BNB Chain	0x60e50897750fb3c613152dc6375d7f1e36eb3bd75e25e90f1bda734e2d4cfde9
Jun-13-2024 08:48:08 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to Avalanche	0x913bb8c8d8fdf776987065a115d4328aa251810c2c164490358610fde00c28b0
Jun-13-2024 08:49:18 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to Polygon	0x82f78b71638ae99bb77f1239918f2ae1b04cbc614f39111dd7ed9541f9371875
Jun-13-2024 08:50:32 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to ArbitrumOne	0x2cb1a2d0ef14e0a146dab9fe70b7bbfbcabc61e1e3582dcedab41a5120065a00
Jun-13-2024 08:52:02 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to OP Mainnet	0x84b88bf952e325a811b74ebb84bfcf6f2d2a54cd5b4ef5e4111f23a92c05b5ec
Jun-13-2024 08:56:36 AM +UTC
TX	Mantle	HLG	Bridged 4 billion HLG to Ethereum	0x33c5784e60062f95865605fd92baa448b1fbaf08e5bc5ab2ce8b0d6910e90623
Jun-13-2024 09:20:22 AM +UTC	TX	Mantle	HLG	Bridged 1 billion HLG to Ethereum	0x3f9c5cc110c558a92c8fcd807deccaa8d15b4a83baf326f760de093728916571
Jun-13-2024 09:36:59 AM +UTC	TX	Ethereum	HLG	ExecuteJob failed	0x3f9c5cc110c558a92c8fcd807deccaa8d15b4a83baf326f760de093728916571
Jun-13-2024 09:45:23 AM +UTC	TX	Ethereum	HLG	RecoverJob succeeded and minted 1 billion HLG to `0xff8c8747ab44f5bdaeb0520525bbada166e8a8b0`	0x3f9c5cc110c558a92c8fcd807deccaa8d15b4a83baf326f760de093728916571

Exchange Deposits

The malicious actor deposited 1 billion HLG into 5 centralized exchanges (Bybit, Gate, KuCoin, Bitget, and Backpack) and aggressively sold HLG until the malicious actor’s accounts were frozen. The malicious actor was able to successfully withdraw approximately $1.3 million in USDT and convert it into ETH. He then distributed the ETH across various wallets and mixers, which are currently being monitored. Approximately 200 million HLG was successfully frozen on centralized exchanges and is currently in the process of recovery through law enforcement procedures.