Data from Etherscan reveals that the attack occurred on April 23 for nearly one hour, from 05:39 to 06:29 UTC. During the attack, multiple calls triggered outflows from the victim’s address to several wallets belonging to the hackers. Some of these addresses have already been identified as phishing wallets by Etherscan. The victim lost over 1.6 billion ANDY tokens, valued at $162,400, and 17,913 USDC.
One of the attacker’s addresses has retained the loot, while the second address, which received all the ANDY tokens, swiftly exchanged them for WETH on Uniswap before moving the WETH to a new address. The attack likely exploited the victim’s interactions with smart contracts. Malicious actors often create contracts that appear to perform a standard defi operation but embed calls that, for example, approve the transfer of the user’s tokens to the attacker. The perpetrators promptly funneled the assets to the Ox protocol for liquidation.