Summary
LendHub was a decentralized cross-chain lending protocol operating primarily on the Huobi Eco Chain (HECO) and Binance Smart Chain (BSC). On January 12, 2023, the protocol suffered an approximately $6 million exploit caused by an operational failure to remove a deprecated IBSV cToken from its market, allowing an attacker to drain funds by arbitraging the two coexisting token versions. The protocol's TVL collapsed to near zero following the exploit, stolen funds were laundered through Tornado Cash, and the protocol is no longer considered operational.
Connected Entities
1 entities · 10 linked investigationsTimeline(8 events)
2021-05-06
LendHub launched on Huobi Global and promoted as HECO chain's fastest-growing lending protocol.
2023-01-11
The exploiter received 100 ETH from Tornado Cash on Ethereum and began staging the attack.
2023-01-12
LendHub exploited for approximately $6 million via deprecated IBSV cToken arbitrage vulnerability. TVL collapsed from $6 million to $90,305.
2023-01-13
LendHub acknowledged the exploit via Twitter. SlowMist, CertiK, and Halborn published analyses.
2023-01-12
Over 1,100 ETH (~$1.79 million) transferred to Tornado Cash within hours of the exploit.
2023-02-27
PeckShield and Beosin alert that a further 2,415 ETH (~$3.85 million) was moved to Tornado Cash from the attacker wallet, bringing the total laundered amount to approximately $5.7 million.
2024-11-10
HECO chain announced official retirement; users urged to convert and redeem assets by January 10, 2025.
2025-01-10
HECO chain redemption deadline passed. LendHub TVL reached $0 on DefiLlama; protocol considered effectively defunct.
Decision Log
- hash: 5Qb6MVE8yiKpEmsZmc8YZYXZRy85c8StKToMdJHayoD4
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:45 AM
last updated: 5/28/2026, 4:22:06 PM
avoid.net — verified advice for a post-truth world