Insider Accused Of Perpetrating Holograph Exploit, Tanking HLG By 50%

Holograph, an omni-chain tokenization platform, is the latest web3 protocol to suffer a disastrous exploit.

On June 13, a hacker took advantage of a vulnerability in the protocol’s code to mint an additional 1 billion of its native HLG tokens — inflating the token’s supply by 66%.

The price of HLG dropped to $0.0064 from $0.014 after the hack, with the token’s market cap also crashing to $10 million from $22 million, according to CoinGecko.

Holograph announced it had patched the vulnerability in an X post on June 14, adding that it is engaging law enforcement regarding the matter.

“The team has patched the initial exploit and is working with exchange partners to lock the malicious accounts,” Holograph tweeted. “The team has launched an investigation and is in the process of contacting law enforcement.”

Matt Casto, a crypto researcher at venture capital firm CMT Digital, believes the hacker might be a "rogue developer".

“Looks like a rogue dev who funded the address 26 days ago,” the researcher said. “That address was the one who received the minted supply.”

On-chain analysis revealed that the ENS wallet acc01ade.eth was involved in the hack.

The breach took place when the hacker exploited a smart contract weakness, minting the 1 billion HLG tokens through nine transactions. The hacker started converting the minted HLG tokens into Tether (USDT) about four hours after the initial exploit. At current values, the stolen tokens are worth around $6.4 million.

Holograph is a blockchain tokenization platform that allows a single contract address to be used across EVM-supported blockchains. The project secured $3 million in its latest funding round in April. This strategic round was led by Mechanism Capital and Selini Capital, bringing Holograph’s total funding to $11 million.

Inside jobs

The Holograph exploit is the latest sign that web3 protocols face threats both from external actors and from within. PumpFun was attacked on May 15 by an exploiter who made off with 12,300 SOL, valued at $1.9 million at the time.

PumpFun later revealed that a former employee was responsible for the exploit. In a post-mortem, PumpFun found that the former employee "illegitimately took access of the withdraw authority" and used flash loans via a Solana-based lending protocol to borrow SOL. Flash loans are uncollateralized loans that must be repaid within the same blockchain block, allowing the exploiter to quickly acquire a large amount of SOL without requiring upfront capital.

Meanwhile, UwU Lend, an Ethereum-based lending and liquidity protocol, experienced two exploits in the past week. On June 13, UwU Lend was hacked, resulting in a loss of $3.72 million. This came only a few days after the protocol suffered an exploit on June 10, where $19.3 million was stolen.