Hegic Hack
Incident Overview
The platform discovered a mistake in one of its smart contracts: ‘options.length' rather than ‘optionIDs.length.' This resulted in no liquidity for expiring contracts since user assets were locked whenever they did not utilize their options. Hegic spent $48K to fix the problem and reimburse impacted users.
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Hegic, these are the critical security checks that could have prevented this incident (April 2020).
- Verify all logic paths related to Other are guarded by proper access controls and input validation
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialFunds Recovery
Recovered
$48K
Net Loss
0
Security Audit History
- Trail of Bits Report
Sources & References
Learn to Prevent the Next Hegic
The Hegic hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.