Hedgey's `ClaimCampaigns.createLockedCampaign()` accepted a `Campaign` struct, a `ClaimLockup`, and an array of `donor` allocations, then *did not pull the campaign funds in the same transaction*: it trusted that the caller's balance backed the eventual claims. The attacker used a flashloan to obtain the ERC-20 needed to satisfy any internal balance check at creation, called `createLockedCampaign`, immediately called `claim()` to drain the just-funded campaign back to themselves (or used the campaign's own approval pattern to pull funds), then repaid the flashloan. Nothing in the transaction required, atomically, that the funds locked equal the allocations, so the attacker manufactured a fully-funded campaign on borrowed liquidity and walked away with the protocol's tokens by claiming as a beneficiary. The bug was duplicated across multiple chains (Ethereum, Arbitrum, Optimism, Polygon, Base) because the same `ClaimCampaigns` contract was deployed on each.
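One way to enforce the missing funds-locked-equals-allocations check at creation, as an added sketch that is not Hedgey's code and not taken from DeFiHackLabs. The contract `EscrowedCampaigns`, its function names, and the assumption that the token returns `bool` from its transfer calls are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a hypothetical escrow contract, not Hedgey's ClaimCampaigns.
// Assumes an ERC-20 that returns bool from transfer/transferFrom.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract EscrowedCampaigns {
    struct Campaign { IERC20 token; uint256 remaining; }
    mapping(uint256 => Campaign) public campaigns;
    mapping(uint256 => mapping(address => uint256)) public allocation;
    uint256 public nextId;

    function createCampaign(IERC20 token, address[] calldata to, uint256[] calldata amounts)
        external returns (uint256 id)
    {
        require(to.length == amounts.length && to.length > 0, "bad arrays");
        id = nextId++;
        uint256 total;
        for (uint256 i = 0; i < to.length; i++) {
            allocation[id][to[i]] += amounts[i];
            total += amounts[i];
        }
        // Pull the funds in this same transaction and check what actually arrived,
        // so a campaign can never exist with allocations larger than its escrow.
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), total), "pull failed");
        require(token.balanceOf(address(this)) - before == total, "underfunded");
        campaigns[id] = Campaign(token, total);
    }

    function claim(uint256 id) external {
        Campaign storage c = campaigns[id];
        uint256 owed = allocation[id][msg.sender];
        require(owed > 0, "nothing to claim");
        // Effects before the external call; the per-campaign counter means a claim
        // can only spend this campaign's escrow, never tokens held for other campaigns.
        allocation[id][msg.sender] = 0;
        c.remaining -= owed; // checked arithmetic reverts if the campaign is short
        require(c.token.transfer(msg.sender, owed), "transfer failed");
    }
}
```

With this shape, a campaign created on borrowed liquidity only ever pays out the tokens its creator deposited, so a create-then-claim round trip returns the creator's own funds and nothing else.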
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run `forge test` against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only, not for live targets.
Classification: Ecosystem. Technique: Claim Contract Flashloan Exploit. Target type: DeFi Protocol. Affected chains: Arbitrum, Ethereum. Implementation language: Solidity.
- chain: multichain
- protocol: Hedgey
- bug_class: flashloan
- date_occurred: 2024-04-19
- loss_usd: $44,700,000
- classification: Ecosystem
- technique: Claim Contract Flashloan Exploit
- target_type: DeFi Protocol
- language: Solidity
- source_id: dl:adhoc:hedgey:1713484800