Table of Contents
- 1 Introduction
- 2 Summary of the Exploit
- 3 Technical Breakdown
- 4 Immediate Response and Investigation
- 5 Contextualizing the Attack
- 6 Attack and Follow-Up Movements
- 7 Addresses Associated with the Exploit
- 8 Conclusion
Introduction
On Aug 18, the DeFi protocol @ExactlyProtocol, operating on Optimism, encountered a breach resulting in a loss of around $7.3M. A loophole in the DebtManager contract allowed the attackers to substitute the market address and evade the integral permit checks, leading to the theft of users’ $USDC.
Summary of the Exploit
Attackers made use of an insufficient-check vulnerability in Exactly Protocol’s DebtManager contract. By injecting a fraudulent market address, they successfully skirted the protocol’s permit checks. This opened a door to activate a malicious deposit function, leading to the theft of users’ $USDC. Subsequently, they liquidated users’ assets for illicit gains.
Technical Breakdown
The primary issue was in the DebtManager contract of the Exactly Protocol. It lacked rigorous validation for the market address input. In short, the attacker:
- Exploited the missing validation in the `DebtManager` contract
- Inserted a counterfeit market contract address, evading the `permit` checks
- Leveraged this unauthorized access to initiate a harmful deposit function, culminating in the theft of users’ $USDC
- Cashed out user assets to make illicit profits
Demonstrating profound expertise, the attacker not only bypassed the permit check in the DebtManager contract but also tampered with the _msgSender to impersonate a victim. Using an untrusted external call, they accessed the crossDeleverage function again, stripping collaterals from the
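To make the root cause concrete, the following is an added illustration written for this write-up, not Exactly Protocol’s code: a caller-supplied market address is called without any check that it is a legitimate market, and the account whose position is unwound is also caller-chosen; the hardened variant validates the market against a registry before any external call and only ever acts on msg.sender. The IMarket and IMarketRegistry interfaces and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal market interface; not Exactly Protocol's real ABI.
interface IMarket {
    function withdraw(uint256 assets, address receiver, address owner) external returns (uint256);
}

// Hypothetical registry of legitimately deployed markets (assumed for the example).
interface IMarketRegistry {
    function isMarket(address market) external view returns (bool);
}

// VULNERABLE pattern: `market` comes straight from calldata and is called with no
// check that it is a real market. A caller-deployed contract at that address can
// answer whatever makes the surrounding permit/ownership logic pass, and the
// `owner` whose collateral is withdrawn is also chosen by the caller.
contract VulnerableDebtManager {
    function deleverage(IMarket market, uint256 assets, address owner) external {
        market.withdraw(assets, msg.sender, owner); // untrusted target, untrusted owner
    }
}

// HARDENED pattern: the market must be registered before any external call, and the
// account whose position is touched is msg.sender rather than a free parameter.
contract HardenedDebtManager {
    IMarketRegistry public immutable registry;

    error InvalidMarket(address market);

    constructor(IMarketRegistry registry_) {
        registry = registry_;
    }

    modifier onlyRegisteredMarket(IMarket market) {
        if (!registry.isMarket(address(market))) revert InvalidMarket(address(market));
        _;
    }

    function deleverage(IMarket market, uint256 assets)
        external
        onlyRegisteredMarket(market)
    {
        // Only the caller's own position can be unwound. A permit-based variant would
        // verify the signature against the registered market, never against an
        // address supplied by the caller.
        market.withdraw(assets, msg.sender, msg.sender);
    }
}
```

The check to look for in review is that every externally supplied contract address is validated against state the protocol controls before it is called, and that the identity used for authorization is never derived from the result of that call.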
Immediate Response and Investigation
Upon noticing the breach, Exactly Protocol acted swiftly. They acknowledged the incident and started an investigation. Operations were momentarily halted, but provisions were made to facilitate user asset withdrawals.
The protocol is now fully operational, and notably, no liquidations took place. Efforts are ongoing to recover the stolen funds, including establishing communication with the culprits.
Contextualizing the Attack
This breach occurred during a wider cryptocurrency market downturn. Established coins, namely XRP, Litecoin (LTC), and Bitcoin Cash (BCH), experienced significant drops. Bitcoin briefly dipped to $25,200 before rallying.
DeFi Sector Vulnerabilities
The Exactly Protocol incident isn’t an isolated case in the DeFi world. Security lapses, especially surrounding technologies like cross-chain bridges, have emerged. Hundred Finance on the Optimism network also faced a hack earlier, resulting in a loss of $7 million in crypto assets.
Attack and Follow-Up Movements
For those interested in a deeper dive, the blockchain transactions tied to the exploit are:
Furthermore, the attacker initially secured funds from TornadoCash and bridged them to address 0xe4f3 on Optimism via the Optimism Bridge. The exploit contract was then launched by 0xe4f3, with addresses 0x3747 and 0x4171 executing the attack. Profits were converted to roughly 4324 Ether.
As of now, 1500 Ether has been moved back to Ethereum via the Across Bridge. Meanwhile, 2833 Ether is en route back to Ethereum through the Optimism Bridge, though the transaction is still within the Challenge Period. Surveillance of the attacker’s address continues.
Addresses Associated with the Exploit
Conclusion
The DeFi arena, bursting with potential, also carries inherent risks. Rigorous contract audits, multi-layered security measures, and user education are paramount. As the DeFi world evolves, security must advance alongside it to safeguard a resilient ecosystem. Stakeholders are urged to remain cautious and informed.
An ineffective smart contract audit by unskilled auditors often results in costly exploits. At ImmuneBytes, we believe in treating every vulnerability (minor or critical) with the utmost attention, and our team of exceptionally adept and experienced auditors ensures that no shortcoming escapes their piercing eyes.