
Atlantis Loans Hack, June 10, 2023: Detailed Hack Analysis

by ImmuneBytes

Overview

On June 10, 2023, the Atlantis Loans platform fell victim to a smart contract hack, exploiting a governance vulnerability. The hack resulted in a substantial financial loss of approximately $1M USD.

Hack Details:

Attacker address:
https://bscscan.com/address/0xEADe071FF23bceF312deC938eCE29f7da62CF45b

Attack Transaction:
https://bscscan.com/tx/0x3b0df86f548946d9dda9fb4177ae27bf33f06315c73ea50945ab9e53a041d7e1

Malicious contract:
https://bscscan.com/address/0x613cc544053812ab026d60361212cdb67b46f42f

Chronological Events and Mechanism of the Attack

Status Before June 7

Atlantis Loans was abandoned by its developers in early April, leaving nobody actively watching the protocol for threats.

The platform’s UI had been paid for two years in advance and stayed online, but only the governance mechanism could change the deployed contracts.

An attack attempted on April 12 failed due to insufficient votes.

The attacker published and then voted through proposal 52, targeting the GovernorBravo contract. This proposal was designed to give them administrative control over the token’s proxy contract.

GovernorBravo, by design, only verified the eta parameter (the unlock time) when the proposal was queued; this gap is what the attacker exploited.

June 10 (Main Attack Launched)

Hack Txn: https://bscscan.com/tx/0x3b0df86f548946d9dda9fb4177ae27bf33f06315c73ea50945ab9e53a041d7e1

After the 172,800-second (2-day) timelock had elapsed:

  • The attacker waited out the lockup period and executed the proposal.
  • They then replaced the existing contract logic with their malicious contract, which embedded a backdoor: 0x613cc544053812ab026d60361212cdb67b46f42f.

Funds Stolen

Using the backdoor, the attacker siphoned tokens from addresses with active smart contract approvals tied to Atlantis contracts, directing these to their own wallet. This was enabled largely by the “approvals” users had granted.

Vulnerabilities and Root Cause Analysis

  • Governance Oversight:
    The primary flaw lies in Atlantis Loans’ governance structure. The GovernorBravo contract checked only the eta parameter at queue time, and exploiting that single check was pivotal to the attack.
  • Smart Contract Approvals:
    By granting permissions, users inadvertently jeopardized their own assets. Such approvals meant tokens could be accessed and redirected in an unauthorized manner.
  • Abandoned Project Oversight:
    The lack of active oversight and monitoring due to the project’s abandonment provided an opportunity for the attacker. The passage of proposal 52 without contention is reflective of this void.
  • Historical Precedents:
    Platforms like Beanstalk and Swerve had faced similar threats. These incidents should’ve served as a cautionary tale about vulnerabilities inherent in smart contract governance, especially with decreased monitoring.

Contracts at Risk

The following contracts were potential targets in this hack, and users were advised to revoke any token approvals granted to them:

0x7c0697155617b7a797cb7517d483dbbdb17089cf = ALT
0x24ce0e8a115b850dd9f8f28125534f102059a307 = ZIL
0x4e9bF21Ce718Dde4be2E0F5b167181b8AdAd12F6 = ETH
0xd47084cc0e974e5b88958fca5fafb7f7726c4058 = VAI
0x1e3C741e1d94b88871dCE2A9b55CC2b2b10AD04f = MDX
0x24ce0E8a115b850DD9f8f28125534f102059A307 = aZIL
0x350bD6EFE303F5D6E10bD9e9d6347bc4a3E708c0 = GMT
0xd47084cC0e974e5B88958FCA5FaFB7f7726C4058 = aVAI
0x2C5056167cb2797a7D82996800F896D4F0684343 = DOT
0x7c0697155617b7A797CB7517d483DbBdB17089CF = aATL
0x5c81c0f55A15Dbc97749A83c843044702768A2A2 = XVS
0x6A3EbE48a297a61048ddbeB0eF62da4E35eF11f2 = C98
0x2F4ba3A96B9B5b660C78310FddE4987c09a2eEba = WOO
0x8DF3719eB4C9F17ecF30bA298CC2Da7c88162894 = TRX
0x14f235Bb338804D194679BEF1eD7F619F4fE684F = ATOM
0x20c7E6eb3FaB3990A0DB8b2EEd57FF7d799603f9 = AVAX
0x02A7dE4598DA1F18CB6AB85D342b4688FEC66E6B = AXS
0x96FfC0C6e91FD65460Bd1dd180500fA5bDa11940 = XTZ
0xC182Ea25C72cE276F80748497775499059F6c74e = XRP
0x26458660BC2f9112e43De7f0DAE003298c6a6DC4 = SOL
0xd7C38eb724a4610A9fB78F3f9F6C400577e30AC2 = CAKE
0x558B96Ee93Ea9C7ec9839BEAfab641d75F94E9a3 = USDC
0x219db7E6F8A609645E8559F8553A48C6e6b17f57 = ADA
0xfEAd9619e88464e5aD1Ea9Df458dcc147F03ea0C = USDT
0xCc7Fc8666F6e62cB44aa781de841eE6Be3BbE54c = LINK
0x788A791FF9641A5e1fF3596487b120c348bE1Db3 = DAI
0x59123a930E52b52EdB27F91135253331F36cd87c = BTC
0x0503FEaa5854E55E5607e40371e2a1b0d1B9df7F = BUSD
0xe7e304f136c054ee71199efa6e26e8b0dae242f3 = ALT
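The funds were taken through allowances users had granted to the contracts listed above, so the practical defensive task is to find which of your allowances still point at them. The script below is an added example (not ImmuneBytes' or Atlantis Loans' code): it replays raw ERC-20 Approval event logs, as an RPC node returns them, keeps the latest allowance per (owner, token, spender), and reports any non-zero allowance whose spender is on the watchlist. The four log records, the owner and token addresses, and the "unrelated spender" are constructed for illustration; only the two spender addresses come from the list above. Address comparison is case-insensitive because the list mixes checksummed and lower-case spellings of the same address.

```python
"""Report outstanding ERC-20 approvals granted to a watchlist of spender contracts."""

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = (1 << 256) - 1

# Two spenders taken from the "Contracts at Risk" list above (one checksummed, one lower-case).
AT_RISK_SPENDERS = {
    "0x7c0697155617b7a797cb7517d483dbbdb17089cf",  # ALT / aATL
    "0x4e9bF21Ce718Dde4be2E0F5b167181b8AdAd12F6",  # ETH
}

# Constructed sample addresses (not real accounts or tokens).
OWNER_A = "0x" + "11" * 20
OWNER_B = "0x" + "44" * 20
TOKEN_X = "0x" + "22" * 20
TOKEN_Y = "0x" + "33" * 20
OTHER_SPENDER = "0x" + "55" * 20


def norm(addr: str) -> str:
    """Lower-case an address so checksummed and lower-case spellings compare equal."""
    return addr.lower()


def addr_topic(addr: str) -> str:
    """Encode an address as a 32-byte indexed topic (left-padded with zeros)."""
    return "0x" + "0" * 24 + addr[2:].lower()


def uint_data(value: int) -> str:
    """Encode a uint256 as the 32-byte data word of an Approval log."""
    return "0x" + format(value, "064x")


def topic_to_address(topic: str) -> str:
    """The address is the low 20 bytes of the 32-byte topic word."""
    return "0x" + topic[-40:].lower()


# Constructed Approval logs in the shape of eth_getLogs output.
SAMPLE_LOGS = [
    # OWNER_A gave an unlimited allowance on TOKEN_X to an at-risk spender: must be revoked.
    {"address": TOKEN_X, "blockNumber": 100, "logIndex": 0, "data": uint_data(MAX_UINT256),
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER_A),
                addr_topic("0x7c0697155617b7a797cb7517d483dbbdb17089cf")]},
    # OWNER_A approved 5 TOKEN_Y to the ETH market ...
    {"address": TOKEN_Y, "blockNumber": 100, "logIndex": 3, "data": uint_data(5 * 10**18),
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER_A),
                addr_topic("0x4e9bF21Ce718Dde4be2E0F5b167181b8AdAd12F6")]},
    # ... and later revoked it (allowance set to 0), so it is not reported.
    {"address": TOKEN_Y, "blockNumber": 105, "logIndex": 1, "data": uint_data(0),
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER_A),
                addr_topic("0x4e9bF21Ce718Dde4be2E0F5b167181b8AdAd12F6")]},
    # OWNER_B approved a spender that is not on the watchlist: not reported.
    {"address": TOKEN_X, "blockNumber": 106, "logIndex": 0, "data": uint_data(1000),
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER_B), addr_topic(OTHER_SPENDER)]},
]


def outstanding_allowances(logs):
    """Replay Approval logs in chain order; the last approval per (owner, token, spender) wins."""
    allowances = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        owner = topic_to_address(log["topics"][1])
        spender = topic_to_address(log["topics"][2])
        token = norm(log["address"])
        allowances[(owner, token, spender)] = int(log["data"], 16)
    return allowances


def exposures(logs, watchlist):
    """Return every non-zero allowance whose spender is on the watchlist."""
    watch = {norm(a) for a in watchlist}
    found = []
    for (owner, token, spender), value in outstanding_allowances(logs).items():
        if value > 0 and spender in watch:
            found.append({"owner": owner, "token": token, "spender": spender,
                          "allowance": "unlimited" if value == MAX_UINT256 else value})
    return found


if __name__ == "__main__":
    for item in exposures(SAMPLE_LOGS, AT_RISK_SPENDERS):
        print(f"revoke: owner {item['owner']} token {item['token']} "
              f"spender {item['spender']} allowance {item['allowance']}")
```

To run this against real history, fetch Approval logs for your own address with `eth_getLogs` (topic 0 as above, topic 1 as your address) and pass them in; each reported entry is an `approve(spender, 0)` call that still needs to be sent.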

Historical Context

  • Beanstalk suffered a flash loan-enabled governance attack in the previous year, leading to a loss of $181M.
  • Swerve, a Curve-clone, faced an unsuccessful attack via governance in March. This attack would have transferred $1.3M from a liquidity pool had it succeeded.

Mitigation and Best Practices

  1. Access Control: Be vigilant when assigning administrative privileges within contracts. Implement robust access control mechanisms.
  2. Multi-signature Schemes: These require multiple entities to approve significant actions, reducing the potential for a single point of compromise.
  3. Regular Audits: Ensure smart contracts are frequently audited by professionals to check for logical vulnerabilities.
  4. Revoke Old Approvals: Users should be proactive in revoking permissions to old or unused contracts to prevent unauthorized access.
  5. Monitoring Governance: Even if projects are discontinued, governance processes should be monitored to prevent malicious activities.
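Items 1, 2 and 5 above, together with the eta-only check described in the timeline, translate into a small monitoring rule set. The following is an added example, not ImmuneBytes' or Atlantis Loans' code: it triages GovernorBravo-style proposals that have already been decoded from ProposalCreated (targets, signatures) and ProposalQueued (eta) events, and raises an alert when a proposal calls a privileged function or was queued with an eta shorter than the 2-day delay stated above. The watchlist of privileged function signatures is an assumed list of Compound-style admin and upgrade entry points, and the three proposals, their ids and target addresses are constructed.

```python
"""Triage decoded governance proposals for privileged calls and short timelocks."""
from dataclasses import dataclass, field
from typing import List, Optional

TIMELOCK_DELAY = 172_800  # the 2-day lockup stated in the write-up, in seconds

# Assumed watchlist: function signatures that hand over admin rights or swap implementations.
SENSITIVE_SIGNATURES = {
    "_setPendingAdmin(address)",
    "_acceptAdmin()",
    "_setImplementation(address,bool,bytes)",
    "setPendingAdmin(address)",
    "upgradeTo(address)",
}


@dataclass
class Proposal:
    """Fields a monitor would keep from ProposalCreated and ProposalQueued events."""
    id: int
    proposer: str
    targets: List[str]
    signatures: List[str]
    queued_at: Optional[int] = None  # block timestamp of the ProposalQueued event
    eta: Optional[int] = None        # earliest execution time recorded at queue time


def review_proposal(p: Proposal) -> List[str]:
    """Return one finding per rule the proposal trips; an empty list means nothing to flag."""
    findings = []
    for target, sig in zip(p.targets, p.signatures):
        if sig in SENSITIVE_SIGNATURES:
            findings.append(f"proposal {p.id}: privileged call {sig} on {target}")
    if p.queued_at is not None and p.eta is not None:
        # Re-check the delay ourselves instead of trusting that the queue step enforced it.
        if p.eta < p.queued_at + TIMELOCK_DELAY:
            findings.append(f"proposal {p.id}: eta {p.eta} is less than "
                            f"{TIMELOCK_DELAY}s after queueing at {p.queued_at}")
    return findings


def triage(proposals: List[Proposal]) -> dict:
    """Map proposal id -> findings, keeping only proposals that need a human look."""
    result = {}
    for p in proposals:
        findings = review_proposal(p)
        if findings:
            result[p.id] = findings
    return result


# Constructed sample proposals (ids, proposer and targets are placeholders).
T0 = 1_686_000_000
SAMPLE_PROPOSALS = [
    # Admin hand-over with a correct 2-day delay: still worth an alert because of what it does.
    Proposal(101, "0x" + "aa" * 20, ["0x" + "01" * 20], ["_setPendingAdmin(address)"],
             queued_at=T0, eta=T0 + TIMELOCK_DELAY),
    # Routine parameter change with a correct delay: nothing to flag.
    Proposal(102, "0x" + "bb" * 20, ["0x" + "02" * 20], ["_setReserveFactor(uint256)"],
             queued_at=T0, eta=T0 + TIMELOCK_DELAY),
    # Implementation swap queued with a one-hour eta: two findings.
    Proposal(103, "0x" + "cc" * 20, ["0x" + "03" * 20],
             ["_setImplementation(address,bool,bytes)"],
             queued_at=T0, eta=T0 + 3600),
]


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_PROPOSALS).items():
        for line in findings:
            print("ALERT", line)
```

Wiring this to a node means subscribing to the governor's ProposalCreated and ProposalQueued events and calling `triage` on every new or updated proposal; the point of the eta rule is that the monitor recomputes the delay from the queue timestamp rather than relying on the single check the governor performs.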

Conclusion

The Atlantis Loans hack sheds light on the intricate vulnerabilities present within smart contracts, especially those associated with governance.

While the technology behind smart contracts offers a plethora of benefits, it is paramount to continually evaluate, update, and monitor these contracts to ensure the security of users and the platform.
