Decentralized finance protocol Blueberry has managed to pause its protocol after a mad dash to limit potential damage from an “ongoing exploit” on Friday.
In a Feb. 23 post on X, the Blueberry Protocol Foundation reported that it was suffering an “ongoing exploit.” and advised users to withdraw their funds from Blueberry lending markets as it worked on “pausing the protocol as quickly as possible.”
Adding to the chaos, users reported having issues withdrawing with Blueberry noting that the front end was alsodown.
“The front end is also down, so if you are able to interact directly with the contracts to withdraw, please do.”
The website and app went offline briefly with the following application error “A client-side exception has occurred.”
Around 30 minutes later, Blueberry confirmed it had been able to pause the protocol, while the website appears to be back up and running.
“Funds currently deposited are no longer exploitable and we will update as we have more information.”
UPDATE: The protocol has been paused. Funds currently deposited are no longer exploitable and we will update as we have more information https://t.co/otsa1WZMEj
— Blueberry Protocol Foundation (@blueberryFDN) February 23, 2024
Another update was later added by Blueberry stating that all of the drained funds have been front-run by c0ffeebabe.eth and are now safe in the Blueberry multisig, less the validator payment.
The team is in contact with security and comms professionals and will attempt to contact the validator to return the remaining 91 ETH.
A total of 457 ETH was initially drained, but 366 ETH was rescued by the so-called white hat and returned to the multi-signature wallet. The protocol team reiterated:
Deposited funds are currently safe. Only three markets were affected and the large majority was already returned. Total validator payment (loss) is 91 ETH. We are getting in touch and aim for a full repayment to users as the goal. Protocol is paused.
To quickly reiterate:
— Blueberry Protocol Foundation (@blueberryFDN) February 23, 2024
Deposited funds are currently safe. Only three markets were affected and the large majority was already returned.
Total validator payment (loss) is 91 ETH. We are getting in touch and aim for a full repayment to users as the goal. Protocol is paused. https://t.co/uaQKwS9Iik
Related: Ethical hacker retrieves $5.4M for Curve Finance amid exploit
Blueberry protocol is a decentralized lending market enabling lending and leveraged borrowing up to 20x of the collateral value.
According to DefiLlama it had a total value locked of $4.5 million and was forked from the Compound DeFi protocol. The TVL had fallen to $3.15 million after the exploit attempt.
C0ffeebabe shot to infamy when she took around 2,879 Ether, worth around $5.4 million, from an exploiter and returned it to the decentralized finance (DeFi) protocol Curve Finance amid its hack in July 2023.
Ironically, Blueberry posted a “security overview” on Feb. 22 claiming that it “starts with a security-first approach to development and risk mitigation to prevent any internal risk brought on by protocol activity.”
It also claims to have been audited by Hacken and Sherlock and claims to have carried out two independent token security audits, however, the tweet promoting the "security review" had disappeared from Blueberry's X feed.
Should crypto projects ever negotiate with hackers? Probably