1/n Another asset theft has happened right around Spinach!! Anyone who has used Hashflow, please be careful!! Your assets could be stolen at any moment!! Yet another tragedy caused by careless token approvals! Spinach and Beosin researcher @EatonAshton2 worked out this theft case together.

Never grant unlimited approvals casually! Especially not to contracts whose code is not open source! If you have used Hashflow, check your approvals right now!

2/n After the last incident, in which a friend's assets were stolen and which exposed the risks of Uniswap, this theft has led Gambling to discover a risk that may be far more widespread. If you used Hashflow and granted it an approval before May last year, your assets are at risk of being stolen!

Today a friend asked me about an asset theft.

3/n After my friend transferred some U (USDT) from the exchange to the victim's wallet, the U was immediately moved out by an MEV bot through a non-open-source function called Yoink. The victim's private key had not been leaked. I was quite confused at the time.

4/n Later, in a discussion with Beosin researcher @EatonAshton2, the case was solved. On April 23, 2022, the victim's wallet had granted an unlimited USDT approval to the contract whose address ends in Af0c.

5/n The contract ending in Af0c was deployed by Hashflow, the cross-chain, anti-MEV, zero-slippage DEX that was popular for a while. At the time, every interaction with Hashflow went through this contract. The problem is this contract itself: its code is not even open source?! So back then a large number of people may have granted this contract an unlimited approval!

6/n Hashflow abandoned this contract in May last year (probably because of a vulnerability), but on June 14, 2023, Hashflow was hacked. The article below concluded that the cause was probably the large approvals users had granted while using the contract before May last year.

https://www.defidaonews.com/article/6822386

7/n After the contract was abandoned, these approvals were never revoked, and there may be problems with the access-restriction logic of the abandoned contract, which may allow attackers to call its functions and transfer users' assets out.

Comparing the two, we can see that the contract attacked in the June 14 hack was the Hashflow contract ending in Af0c.
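To make the mechanism concrete, here is an added example (not Hashflow's code, not the Af0c contract, and not written by the thread's author): a minimal model of ERC-20 allowance bookkeeping plus a hypothetical intermediary contract with a `pull()` function. The names `Token`, `Router`, `"victim"` and `"attacker"` are constructed for illustration. It replays the thread's timeline: an unlimited approval granted in 2022 outlives the contract it was granted to, and the moment the wallet is funded, anyone who can call an unauthenticated function on that contract can move the funds. The same run shows the two things that stop it: a sender check inside the contract, or revoking the approval with `approve(spender, 0)` before the deposit arrives.

```python
# Added example (not Hashflow's code or the thread author's): a minimal model of
# ERC-20 allowance bookkeeping plus a hypothetical intermediary contract, to show
# why an old unlimited approval lets anyone drain a wallet the moment it is funded.
# Token, Router, pull(), "victim" and "attacker" are all constructed for
# illustration; they are not the real Af0c contract's interface.

MAX_UINT256 = 2**256 - 1  # the "unlimited" amount most wallets approve


class Token:
    """ERC-20 balances and allowances, reduced to what the story needs."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() sets the allowance unconditionally; it never expires and
        # does not care whether the spender contract is still in use.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, src, dst, amount):
        allowed = self.allowance.get((src, caller), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        # Some tokens (USDT among them) do not decrement a MAX_UINT256
        # allowance, so one unlimited approval covers every future deposit.
        if allowed != MAX_UINT256:
            self.allowance[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Router:
    """Hypothetical intermediary contract the user approved. Whether it checks
    that the caller owns the funds it pulls is the whole difference."""

    def __init__(self, token, address, checks_sender):
        self.token = token
        self.address = address
        self.checks_sender = checks_sender

    def pull(self, caller, src, dst, amount):
        # Hardened form: only the owner of `src` may move `src`'s funds.
        if self.checks_sender and caller != src:
            raise PermissionError("caller does not own src")
        # The token sees msg.sender == the router, and the router still holds
        # the victim's allowance, so the transfer goes through.
        self.token.transfer_from(self.address, src, dst, amount)


def run_scenario(checks_sender, revoked_before_deposit=False):
    """Replays the thread's timeline; returns (victim_balance, attacker_balance)."""
    token = Token({"victim": 0, "attacker": 0})
    router = Router(token, "router", checks_sender)
    token.approve("victim", router.address, MAX_UINT256)  # 2022: unlimited approval
    # ... the router is abandoned, but the allowance is still on-chain ...
    if revoked_before_deposit:
        token.approve("victim", router.address, 0)  # approve(spender, 0) revokes
    token.balances["victim"] += 1_000  # the exchange deposit arrives
    try:
        router.pull("attacker", "victim", "attacker", 1_000)  # the bot's "yoink"
    except PermissionError:
        pass
    return token.balances["victim"], token.balances["attacker"]


if __name__ == "__main__":
    print("no sender check  :", run_scenario(checks_sender=False))  # (0, 1000)
    print("with sender check:", run_scenario(checks_sender=True))   # (1000, 0)
    print("revoked first    :", run_scenario(False, revoked_before_deposit=True))  # (1000, 0)
```

The point of the model is that `Token.transfer_from` only ever asks two questions: does `src` have the balance, and does `msg.sender` (the router) hold an allowance from `src`. Nothing in the token knows or cares that the router was abandoned, and a `MAX_UINT256` allowance is never used up, so every later deposit is exposed until the owner explicitly sets it back to zero.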

8/n In other words, because Hashflow's abandoned contract ending in Af0c has been attacked, if you used Hashflow and granted it an approval before May last year, you are now exposed to the risk of asset theft! You can use Etherscan's token approval checker to look up your approvals and revoke every risky one!

https://etherscan.io/tokenapprovalchecker
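For anyone who wants to do the same check and revocation without trusting a web UI, here is an added example (not Etherscan's or Hashflow's code) that builds the raw calldata for `allowance(owner, spender)` on USDT, wraps it in a JSON-RPC `eth_call`, classifies the decoded answer, and builds the `approve(spender, 0)` calldata that revokes it. The function selectors and the mainnet USDT address are real; the `owner` and `spender` addresses in the usage are constructed placeholders, not the Af0c contract, whose full address the thread does not give. Sending the transaction is left out deliberately; the calldata is what you paste into a signer.

```python
# Added example (not Etherscan's or Hashflow's code): build the raw calldata a
# wallet or script needs to (1) read allowance(owner, spender) on USDT and
# (2) revoke it with approve(spender, 0), and classify what the answer means.
# Selectors and the USDT address are real mainnet values; the owner/spender
# addresses used below are constructed placeholders, not the Af0c contract.

USDT = "0xdAC17F958D2ee523a2206206994597C13D831ec7"  # mainnet Tether
ALLOWANCE_SELECTOR = "dd62ed3e"  # keccak256("allowance(address,address)")[:4]
APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1


def _addr_word(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    h = addr[2:] if addr.startswith("0x") else addr
    if len(h) != 40 or any(c not in "0123456789abcdefABCDEF" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.lower().rjust(64, "0")


def _uint_word(n):
    """Encode a uint256 as a 32-byte ABI word."""
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("uint256 out of range")
    return f"{n:064x}"


def allowance_calldata(owner, spender):
    """Calldata for allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def eth_call_request(token, calldata, req_id=1):
    """JSON-RPC body for a read-only eth_call against `token`."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": calldata}, "latest"]}


def decode_uint256(result_hex):
    """eth_call returns a single 32-byte word for a uint256 result."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) != 64:
        raise ValueError("expected a single 32-byte word")
    return int(h, 16)


def classify_allowance(value):
    """'unlimited' is the exact 2**256-1 most wallets grant by default."""
    if value == 0:
        return "none"
    if value == MAX_UINT256:
        return "unlimited"
    return "limited"


def revoke_calldata(spender):
    """Calldata for approve(spender, 0). For USDT this is also the mandatory
    first step before any new non-zero approval: its approve() reverts when a
    non-zero allowance is changed directly to another non-zero value."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + _uint_word(0)


if __name__ == "__main__":
    owner = "0x1111111111111111111111111111111111111111"    # constructed
    spender = "0x2222222222222222222222222222222222222222"  # constructed
    print(eth_call_request(USDT, allowance_calldata(owner, spender)))
    # A node answering 0xffff...ff (64 f's) means an unlimited allowance:
    print(classify_allowance(decode_uint256("0x" + "f" * 64)))  # unlimited
    print(revoke_calldata(spender))
```

Two caveats when using this against real allowances: "limited" only means the value is not the exact maximum, so still compare it against the amounts you actually trade, since some dapps request very large but not maximal amounts; and because USDT's `approve` does not return a bool, tooling that expects a standard ERC-20 return value may report the revoke as failed even though the transaction succeeded, so confirm by re-reading the allowance afterwards.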

9/n Countless people are robbed every day. Don't casually grant contracts more allowance than you need! In a bear market you may not make money, but you must not lose it!

Judging from this incident, since the abandoned code is not open source (and people still dared to use it), we guess the hacker is either a top expert capable of decompiling it, or an insider who knows the code. Either way, don't trust contracts that are not open source!