{"id":15759,"date":"2023-03-11T00:00:00","date_gmt":"2023-03-11T00:00:00","guid":{"rendered":"https:\/\/hederav2stg.wpenginepowered.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/"},"modified":"2025-12-08T18:43:27","modified_gmt":"2025-12-08T18:43:27","slug":"analysis-remediation-of-the-precompile-attack-on-the-hedera-network","status":"publish","type":"post","link":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/","title":{"rendered":"Analysis &#038; Remediation of the Precompile Attack on the Hedera Network"},"content":{"rendered":"<div class=\"body-text BodyCopy mb-40 style-1\">\n<p dir=\"ltr\"><strong>Update March 15, 2023:<\/strong><\/p>\n<p dir=\"ltr\">There have been some questions from the Hedera community regarding how proxy access to the network was disabled. In April 2020, Hedera\u2019s Technical Steering &amp; Product Committee approved, via updates to Hedera\u2019s Node Policy, the placement of IP proxies in front of all Hedera network nodes as a precautionary measure to protect the network against attacks. As shared in a May 2020 Hedera <a href=\"https:\/\/hedera.com\/blog\/network-upgrade-communications-a-new-previewnet-ip-proxies-and-tls-support\" target=\"_blank\">blog post<\/a>, Hedera network operations staff would initially control those proxies, with full ownership and control of the proxies to be transitioned to Council member node operators over time. Currently, 14 Council members have deployed their own proxies to their nodes. Hedera network operations staff (composed of Hedera and Swirlds Labs employees) still have delegated authority and operational responsibility to retain SSH access to all the proxies on the network.<\/p>\n<p dir=\"ltr\">When the attacker began stealing tokens from the DEXs on March 9th, the Hedera network operations team (Hedera\u2019s CIO\/CISO Alex Popowycz, Swirlds Labs\u2019s Dr. 
Leemon Baird (who also co-chairs the Council\u2019s Technical Steering &amp; Product Committee), and Swirlds Labs\u2019 DevOps staff), together made the decision to disable the proxies, which prevented the exploit from being used to illicitly gain privileges to tokens managed by smart contracts (which could allow them to be stolen) and prevented the possibility of it being deployed to attack other potentially vulnerable implementations across the network. This decisive action limited the loss to ~$600K (USD equivalent).<\/p>\n<p dir=\"ltr\">In addition, there have been questions raised regarding whether or not the unauthorized privileges that the hacker had gained for the attack had been revoked. The Hedera community, including developers and DEXs affected by the attack, worked together with the Hedera team to construct and review a whitehat smart contract that used the same exploit as the attacker. The purpose was to remove the privileges that the attacker had illicitly obtained to the DEX\u2019s accounts. The DEXs then oversaw the execution of the smart contract to ensure that the attacker no longer had any unauthorized privileges that could have been used to continue the attack. The ability for a smart contract to be deployed to edit these privileges, even by the Hedera whitehat team, was permanently removed once the mainnet code was updated by the Hedera Council.<\/p>\n<p dir=\"ltr\">***<\/p>\n<p dir=\"ltr\">On Thursday, March 9, an attacker exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service (HTS) tokens held by certain DEXs\u2019 accounts to the attacker\u2019s own account. 
The following is a summary of the attack: how it happened, steps taken to pause the attack and then permanently prevent it from happening again.<\/p>\n<p dir=\"ltr\"><strong>TL;DR<\/strong><\/p>\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\">On March 9, an attacker exploited the Smart Contract Service code of the Hedera mainnet to transfer HTS tokens from targeted accounts to the attacker\u2019s own account, targeting accounts at multiple DEXs, including Pangolin, SaucerSwap, and HeliSwap.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">No retail user Hedera accounts were ever at risk.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">No Hedera wallets were ever at risk.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">DEXs and bridges worked together to stop tokens flowing over the bridge within an hour of initial notification of the attack.<\/p>\n<\/li>\n<li dir=\"ltr\">To the best of our knowledge, the following tokens (valued at just under $600K USD at the time of attack) were stolen across multiple accounts\/DEXs before the attacker was stopped.\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\">DAI Stablecoin: 1,001 DAI [hts]<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Tether USD: 66,997 USDT [hts]<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">USD Coin: 287,998 USDC [hts]<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Wrapped HBAR: 3,630,000 WHBAR<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">After initial analysis of the attack and notifying relevant DEXs, Hedera DevOps shut off proxy access to the Hedera mainnet at 20:18 UTC, eleven hours after being notified of the attack by the DEXs. 
This prevented users from accessing the mainnet (and the attacker from draining additional tokens), but the mainnet remained up.<\/p>\n<\/li>\n<li dir=\"ltr\">The core maintainers of the Hedera open-source software developed and tested a fix within 13 hours of discovering the vulnerability.\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\">The fix prevents a smart contract from using a <em>delegate call<\/em> to call an HTS precompiled contract.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Time to resolution: Subsequently, the node operators (the Hedera Governing Council members) signed transactions to update the network\u2019s codebase and the mainnet upgrade was completed at 02:04 UTC on March 11th, 41 hours from initial discovery of the attack.<\/p>\n<\/li>\n<\/ul>\n<h4 class=\"color-ultraviolet\" dir=\"ltr\">\n<p><strong>Analysis of the Attack<\/strong><\/p>\n<\/h4>\n<p>The attacker targeted accounts used as liquidity pools at multiple DEXs that use Uniswap v2-derived contract code ported over from Ethereum to use the Hedera Token Service, including Pangolin, SaucerSwap, and HeliSwap.<\/p>\n<p dir=\"ltr\">The attack was conducted in multiple stages:<\/p>\n<ol>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Using one contract [<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678215665.548053769?tid=0.0.2015705-1678215654-200464051\" target=\"_blank\">0.0.2015837<\/a>], the attacker exploited a bug in the precompiled contract code on Hedera to illicitly grant themselves authorization to withdraw tokens from specific DEX liquidity pools.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Using a second contract [<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678216589.476775856?tid=0.0.2015717-1678216578-485426475\" target=\"_blank\">0.0.2015850<\/a>], the attacker interacted with a target DEX to extract tokens into the attacker\u2019s account [<a href=\"https:\/\/hashscan.io\/mainnet\/account\/0.0.2015717?p2=1\" 
target=\"_blank\">0.0.2015717<\/a>].<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">On Tuesday, March 7, the attacker created a new account, [<a href=\"https:\/\/hashscan.io\/mainnet\/account\/0.0.2015705?p2=1\" target=\"_blank\">0.0.2015705<\/a>], which was to form the base of operations for gaining illicit authorization on liquidity pools. They funded their account from Binance [<a href=\"https:\/\/hashscan.io\/mainnet\/account\/0.0.1030878?p2=1\" target=\"_blank\">0.0.1030878<\/a>] with about 2000 HBAR (<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678211238.579500035?tid=0.0.1030878-1678211226-270039373\" target=\"_blank\">First<\/a> and <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678211590.882844003?tid=0.0.1030878-1678211577-904335782\" target=\"_blank\">Second<\/a> transactions).<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">The attacker then created two contracts: <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678212291.160988124?tid=0.0.2015705-1678212282-168396543\" target=\"_blank\">0.0.2015743<\/a> and <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678215665.548053769?tid=0.0.2015705-1678215654-200464051\" target=\"_blank\">0.0.2015837<\/a>. Essential to the attack is the fact that most smart contracts, such as any Uniswap V2-derived smart contract (which several DEXs on Hedera use), have a swap function that takes an arbitrary contract to invoke as part of the swap.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">The attacker calls the swap, passing its attack contract 0.0.2015837 as the contract to be called as a delegate call with enhanced privilege. 
The DEX calls this contract, which then performs a <strong>delegate call<\/strong> on the Hedera HTS precompile to grant approval\/allowance for the tokens owned by the DEX\u2019s liquidity pool.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Critically, a bug in the Hedera mainnet code allowed the attacker to request approval <strong>with the credentials of the liquidity pool<\/strong> instead of with their own contracts\u2019 credentials. Consequently, the attacker was able to gain approval\/allowance on the DEX\u2019s smart contract.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">The attacker then created and funded their second account [<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678211946.831147990?tid=0.0.1030878-1678211935-103568959\" target=\"_blank\">0.0.2015717<\/a>] from Binance with a small amount of HBAR. This account would be the base from which they would launch a second smart contract to actually remove the tokens from the liquidity pools. They created and deployed a contract [<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678216589.476775856?tid=0.0.2015717-1678216578-485426475\" target=\"_blank\">0.0.2015850<\/a>] that they used for the attack.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">The attacker used the <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678295186.903482428?tid=0.0.2015717-1678295172-757995189\" target=\"_blank\">smart contract against HeliSwap<\/a>. They started by extracting a very small amount and then attacked for <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678295186.903482430?tid=0.0.2015717-1678295172-757995189\" target=\"_blank\">1000 USDC \/ DAI<\/a>. 
The attacker then used <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678295664.069914036?tid=0.0.2015717-1678295649-215868455\" target=\"_blank\">HashPort to transfer <\/a>the stolen tokens off of the Hedera network.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Next, the attacker targeted Pangolin\u2019s <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678351713.289304004?tid=0.0.2015717-1678351699-768949791\" target=\"_blank\">USDC<\/a>\/<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678351713.289304005?tid=0.0.2015717-1678351699-768949791\" target=\"_blank\">USDT<\/a> pool. They stole funds over the course of several contract calls (starting small and scaling up) while transferring tokens out of Hedera using HashPort.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">They then went after the Pangolin USDC\/WHBAR pool. Initially they were met with failure (<a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678354038.265016004?tid=0.0.2015717-1678354026-839531487\" target=\"_blank\">SPENDER_DOES_NOT_HAVE_ALLOWANCE<\/a>) when extracting the USDC, but were able to extract <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678354038.265016005?tid=0.0.2015717-1678354026-839531487\" target=\"_blank\">WHBAR<\/a>. Two minutes later, they were able to extract both.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">When the attackers moved tokens obtained through these attacks <a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678351949.709515968?tid=0.0.2015717-1678351926-753743020\" target=\"_blank\">over the HashPort bridge<\/a>, the bridge operators detected the activity and took swift action to disable it. HashPort was shut down, and the attacker resorted to sending funds to exchanges or other accounts.<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><strong>Resolution<\/strong><\/p>\n<p dir=\"ltr\">The Ethereum state is stored strictly in individual smart contracts, whereas Hedera tokens are stored in a system-wide state map. 
When making a <strong><em>delegate call<\/em><\/strong>, the EVM will execute the called contract\u2019s code on the calling contract\u2019s state, and not on the contract storage that holds the canonical balances. However, when calling a precompiled contract, execution leaves the EVM and enters the core layer-one logic, where the balance state is shared.<\/p>\n<p dir=\"ltr\">Hedera, Swirlds Labs, LimeChain, HeliSwap, and Pangolin collaborated to troubleshoot the situation and design a safe and accommodating approach to resolve the issue for the community. As a result of the collaboration between these decentralized stakeholders, a code change was authored for Hedera, which prevents a smart contract from using a delegate call to call a precompiled contract.<\/p>\n<p dir=\"ltr\">Under some circumstances it is possible for an EVM delegatecall() instruction invoking a precompiled contract to result in one contract impersonating another. In 0.34.5, contracts may no longer use delegatecall() to invoke a precompiled contract. Contracts should instead use the <a href=\"https:\/\/docs.soliditylang.org\/en\/v0.8.19\/control-structures.html#function-calls\" target=\"_blank\">call() method<\/a>. The software upgrade blocks the HTS precompile calls only when they are called from the smart contract as a delegatecall() and not as a call().<\/p>\n<p dir=\"ltr\">In addition, to ensure that some of the already deployed contracts don\u2019t break after the upgrade, we have also taken precautionary steps to create exception rules for these. 
We searched all smart contracts on the Hedera network for any that would be negatively impacted by this new restriction (such as the HTS ERC-20 redirect contract) and, for two very specific router contracts, preserved the old behavior.<\/p>\n<p dir=\"ltr\"><strong>A Community Effort<\/strong><\/p>\n<p dir=\"ltr\">The Hedera community and broader ecosystem came together quickly to minimize damage to users, and collaborated on the best way to fix the issues in as timely a manner as possible. We cannot thank the community enough for your patience, support, and understanding as we worked together to mitigate and resolve the vulnerability.<\/p>\n<p dir=\"ltr\"><strong>Appendix: How the Attack Unfolded<\/strong><\/p>\n<p dir=\"ltr\">Using the account information and links to hashscan.io below, anyone can investigate the attack for themselves.<\/p>\n<table>\n<tbody>\n<tr>\n<td>\n<p dir=\"ltr\"><strong>Description<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><strong>Explorer Link<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Attacker Account<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/account\/0.0.2015717?p2=1\" target=\"_blank\">0.0.2015717<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>HashPort Bridge Account<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/account\/0.0.540219?p2=1\" target=\"_blank\">0.0.540219<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>HeliSwap Contract 1<br \/><\/strong>(USDC[hts] \/ DAI[hts])<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/contract\/0.0.1321537\" target=\"_blank\">0.0.1321537<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Pangolin Contract 1<\/strong><br \/>(USDC [hts] \/ USDT [hts])<\/p>\n<\/td>\n<td data-focus-visible-added=\"\">\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/contract\/0.0.1742018\" 
target=\"_blank\">0.0.1742018<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Pangolin Contract 2<\/strong><br \/>(USDC [hts] \/ WHBAR)<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/contract\/0.0.1739269\" target=\"_blank\">0.0.1739269<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><strong>Transactions<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td data-focus-visible-added=\"\">\n<p dir=\"ltr\"><strong>Description<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><strong>Explorer Link<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 0.000001 USDC[hts] and 0.00000001 DAI[hts] from HeliSwap Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295022-842244363\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295022-842244363<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 1 USDC[hts] and 1 DAI[hts] from HeliSwap Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295148-068622167\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295148-068622167<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 1,000 USDC[hts] and 1,000 DAI[hts] from HeliSwap Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295172-757995189\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678295172-757995189<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 1,000 USDC[hts] to HashPort Bridge<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678295664.069914036?tid=0.0.2015717-1678295649-215868455\" 
target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678295664.069914036?tid=0.0.2015717-1678295649-215868455<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 1,000 DAI[hts] to HashPort Bridge<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678295912.615877003?tid=0.0.2015717-1678295902-741951792\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678295912.615877003?tid=0.0.2015717-1678295902-741951792<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 8,999 USDC[hts] and 8,999 USDT[hts] from Pangolin Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678296437-766051588\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678296437-766051588<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td class=\"focus-visible\" data-focus-visible-added=\"\">\n<p dir=\"ltr\">Attacker transfers 8,999 USDT[hts] to HashPort Bridge<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678296652.235995003?tid=0.0.2015717-1678296640-930416009\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678296652.235995003?tid=0.0.2015717-1678296640-930416009<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 9,000 USDC[hts] to HashPort Bridge<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678350360.193044504?tid=0.0.2015717-1678350340-965277504\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678350360.193044504?tid=0.0.2015717-1678350340-965277504<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 18,999 USDC[hts] and 18,999 USDT[hts] from Pangolin Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678351699-768949791\" 
target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678351699-768949791<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 38,999 USDC[hts] and 38,999 USDT[hts] from Pangolin Contract 1<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678351720-769566523\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678351720-769566523<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 57,998 USDC[hts] to HashPort Bridge<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678351949.709515968?tid=0.0.2015717-1678351926-753743020\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678351949.709515968?tid=0.0.2015717-1678351926-753743020<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 0.00000001 WHBAR from Pangolin Contract 2<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678353898-994119518\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678353898-994119518<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 165,000 WHBAR from Pangolin Contract 2<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678354038.265016005?tid=0.0.2015717-1678354026-839531487\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678354038.265016005?tid=0.0.2015717-1678354026-839531487<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 20,000 USDC[hts] and 165,000 WHBAR from Pangolin Contract 2<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678354145-559706938\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678354145-559706938<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker 
receives 100,000 USDC[hts] and 1,650,000 WHBAR from Pangolin Contract 2<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678354301-249281606\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678354301-249281606<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker swaps 1,650,000 WHBAR for native HBAR (BURN)<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678355241-437626974\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678355241-437626974<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 1,600,000 HBAR to exchange (without memo)<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678355493.196910382?tid=0.0.2015717-1678355481-495505905\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678355493.196910382?tid=0.0.2015717-1678355481-495505905<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 50,000 HBAR to exchange<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678355872.464304795?tid=0.0.2015717-1678355859-165367604\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678355872.464304795?tid=0.0.2015717-1678355859-165367604<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker receives 100,000 USDC[hts] and 1,650,000 WHBAR from Pangolin Contract 2<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678356542-610671579\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678356542-610671579<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker swaps 1,650,000 WHBAR for native HBAR (BURN)<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678356562-608926695\" 
target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transactionsById\/0.0.2015717-1678356562-608926695<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 500,000 HBAR to exchange<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678356652.295369824?tid=0.0.2015717-1678356638-323550842\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678356652.295369824?tid=0.0.2015717-1678356638-323550842<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 500,000 HBAR to exchange<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678356917.833889003?tid=0.0.2015717-1678356905-115689684\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678356917.833889003?tid=0.0.2015717-1678356905-115689684<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">Attacker transfers 650,000 HBAR to exchange<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/hashscan.io\/mainnet\/transaction\/1678357900.255395829?tid=0.0.2015717-1678357887-685718795\" target=\"_blank\">https:\/\/hashscan.io\/mainnet\/transaction\/1678357900.255395829?tid=0.0.2015717-1678357887-685718795<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\">\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>On Thursday, March 9, an attacker exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service (HTS) tokens held by certain DEXs\u2019 accounts to the attacker\u2019s own account. 
The following is a summary of the attack: how it happened, steps taken to pause the attack and then permanently prevent it from happening again.<\/p>\n","protected":false},"author":10,"featured_media":16867,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[1],"tags":[],"ppma_author":[43],"class_list":["post-15759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],
"yoast_head_json":{"title":"Analysis & Remediation of the Precompile Attack on the Hedera Network | Hedera","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/","og_locale":"en_US","og_type":"article","og_title":"Analysis & Remediation of the Precompile Attack on the Hedera Network | Hedera","og_description":"On Thursday, March 9, an attacker exploited the Smart Contract Service code of the Hedera mainnet to transfer Hedera Token Service (HTS) tokens held by certain DEXs\u2019 accounts to the attacker\u2019s own account. The following is a summary of the attack: how it happened, steps taken to pause the attack and then permanently prevent it from happening again.","og_url":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/","og_site_name":"Hedera","article_published_time":"2023-03-11T00:00:00+00:00","article_modified_time":"2025-12-08T18:43:27+00:00","og_image":[{"width":2400,"height":1256,"url":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2.png","type":"image\/png"}],"author":"Hedera Team","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#article","isPartOf":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/"},"author":{"name":"Hedera Team","@id":"https:\/\/hedera.com\/#\/schema\/person\/2dc6146f9f20a44d3de58c834d52e9f4"},"headline":"Analysis &#038; Remediation of the Precompile Attack on the Hedera 
Network","datePublished":"2023-03-11T00:00:00+00:00","dateModified":"2025-12-08T18:43:27+00:00","mainEntityOfPage":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/"},"wordCount":1886,"publisher":{"@id":"https:\/\/hedera.com\/#organization"},"image":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#primaryimage"},"thumbnailUrl":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2.png","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/","url":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/","name":"Analysis & Remediation of the Precompile Attack on the Hedera Network | Hedera","isPartOf":{"@id":"https:\/\/hedera.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#primaryimage"},"image":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#primaryimage"},"thumbnailUrl":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2.png","datePublished":"2023-03-11T00:00:00+00:00","dateModified":"2025-12-08T18:43:27+00:00","breadcrumb":{"@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#primaryimage","url":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/1
2\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2.png","contentUrl":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2.png","width":2400,"height":1256},{"@type":"BreadcrumbList","@id":"https:\/\/hedera.com\/blog\/analysis-remediation-of-the-precompile-attack-on-the-hedera-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hedera.com\/"},{"@type":"ListItem","position":2,"name":"Analysis &#038; Remediation of the Precompile Attack on the Hedera Network"}]},{"@type":"WebSite","@id":"https:\/\/hedera.com\/#website","url":"https:\/\/hedera.com\/","name":"Hedera","description":"Hello future","publisher":{"@id":"https:\/\/hedera.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hedera.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/hedera.com\/#organization","name":"Hedera","url":"https:\/\/hedera.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hedera.com\/#\/schema\/logo\/image\/","url":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/09\/hedera_logo.png","contentUrl":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/09\/hedera_logo.png","width":500,"height":375,"caption":"Hedera"},"image":{"@id":"https:\/\/hedera.com\/#\/schema\/logo\/image\/"}}]}},"featured_image_src":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2-600x400.png","featured_image_src_square":"https:\/\/hedera.com\/wp-content\/uploads\/2025\/12\/HH_Analysis-and-Remediation-of-Precompile-Attack-on-the-Hedera-network-2-600x600.png","author_info":{"display_name":"Hedera 
Team","author_link":"https:\/\/hedera.com\/blog\/author\/hedera-team\/"},"authors":[{"term_id":43,"user_id":10,"is_guest":0,"slug":"hedera-team","display_name":"Hedera Team","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/7ed01931dc9498365746508c4ca49ed0507ef65e04e0b82ffe88c50ef9242b1d?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":""}],"_links":{"self":[{"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/posts\/15759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/comments?post=15759"}],"version-history":[{"count":0,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/posts\/15759\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/media\/16867"}],"wp:attachment":[{"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/media?parent=15759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/categories?post=15759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/tags?post=15759"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/hedera.com\/wp-json\/wp\/v2\/ppma_author?post=15759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}