Internal Probe Reveals Ex-Contractor Behind $14.4 Million Holograph Hack
Holograph revealed that its internal investigation found a disgruntled former contractor responsible for hacking the platform.
Incident Cause
In January, Holograph upgraded to Holograph Protocol V2. The HolographOperator V2 contract had a reference to the Holograph Protocol LayerZero V1 proxy contract `0x777C1`. The admin of the proxy contract was the `0xC0ffee` wallet, which was managed by a disgruntled former contractor who had previously worked on Holograph Protocol V1. In April and May, he used his admin access to upgrade the contract and add malicious jobs to Holograph Protocol V2. In May, the HolographOperator contract was upgraded to remove the `0x777C1` contract from Holograph Protocol V2. The malicious jobs were kept hidden until June 13, when they were executed by the `0xC0ffee` and `acc01ade.eth` wallets.
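The root cause described above is a live contract that still referenced a proxy whose admin key sat outside the team's control. As an added example (not Holograph's code or tooling), the following Python check walks a constructed contract inventory and reports every reference path that reaches a contract whose admin is not on the current allowlist. Apart from HolographOperator and the article's `0x777C1` and `0xC0ffee` labels, every name in it is hypothetical.

```python
from collections import deque

# Constructed inventory, not on-chain data. "0x777C1" and "0xC0ffee" are the
# abbreviated labels used in the article; "RegistryV2" and "current-multisig"
# are hypothetical names added for illustration.
INVENTORY = {
    "HolographOperatorV2": {"admin": "current-multisig",
                            "refs": ["0x777C1", "RegistryV2"]},
    "RegistryV2": {"admin": "current-multisig",
                   "refs": ["HolographOperatorV2"]},
    "0x777C1": {"admin": "0xC0ffee", "refs": []},
}
AUTHORIZED_ADMINS = {"current-multisig"}


def find_foreign_admin_paths(inventory, authorized, roots):
    """Breadth-first walk of contract references from each root.

    Returns one finding per reachable contract whose admin is not in
    `authorized`. A contract missing from the inventory is reported with
    admin None, because an unknown dependency cannot be assumed safe.
    """
    findings = []
    for root in roots:
        seen = {root}              # guards against reference cycles
        queue = deque([[root]])    # each queue item is the path so far
        while queue:
            path = queue.popleft()
            name = path[-1]
            entry = inventory.get(name)
            admin = entry.get("admin") if entry else None
            if admin not in authorized:
                findings.append({"root": root, "contract": name,
                                 "admin": admin, "path": path})
            for ref in (entry or {}).get("refs", []):
                if ref not in seen:
                    seen.add(ref)
                    queue.append(path + [ref])
    return findings


if __name__ == "__main__":
    for f in find_foreign_admin_paths(INVENTORY, AUTHORIZED_ADMINS,
                                      ["HolographOperatorV2"]):
        print(" -> ".join(f["path"]), "| admin:", f["admin"])
```

Run against a real deployment, the inventory would be populated from each contract's stored references and proxy admin, and the check would run before and after every upgrade.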
Incident Timeline
On June 13 at 8:32 AM UTC, a malicious job was executed on Mantle by the `0xC0ffee` wallet. The payload masqueraded as a valid job and minted 10 billion HLG in a bridge transaction. The wallet then constructed several bridge jobs to other networks in an effort to hide the HLG. At 9:20 AM UTC, the `0xC0ffee` wallet created a bridge transaction from Mantle to Ethereum for 1 billion HLG. On Ethereum, the malicious actor manually called the `executeJob` function on the HolographOperator contract. The job failed to execute because of invalid gas parameters. Eight minutes later, the malicious actor called the `recoverJob` function, which minted 1 billion HLG on Ethereum. From there, HLG was transferred to various centralized exchanges and aggressively sold.