Saddle Finance is no stranger to hacks. They’ve already been hit before, under somewhat suspicious circumstances. This time around, though, it looks like a plain old fat-finger by the developers. Saddle Finance was hacked today, 4/30/22, for a loss of 3,933 ETH, worth over $11 million.
The swap between sUSD and saddleUSD-V2 did not use the latest, correct calculation library, instead using an older, faulty version. This old calculation allowed the attacker to wind up with an artificially large amount of saddleUSD-V2 by swapping back and forth, then use his Monopoly money to withdraw real assets from the protocol.
And just like that, Saddle suffers another hit. Previously, they lost a paltry (in comparison) $275k USD. How many more hits can the protocol take and still keep going? Will the users keep coming back for more?
There is a bright side to the story, however. White hat hackers at a security firm were able to use this exploit to retrieve funds from another vulnerable pool that had not been exploited yet.
That’s a small silver lining for the victims of the Saddle Finance hack. Saddle has not issued any official statements or post-mortems yet, as this situation is still developing.