Update Feb. 29, 10:17 UTC: This article has been updated to add comments from CertiK's Joe Green.
Stablecoin protocol Seneca has offered a 20% bounty to the exploiter who gained access to at least $6.4 million in digital assets after exploiting an approval mechanism bug in the protocol’s smart contract.
On Feb. 28, multiple blockchain security firms flagged the exploit on the stablecoin protocol. Companies like CertiK warned users about the exploit, urging them to revoke approvals from an address on the Ethereum and Arbitrum networks. Initial estimates of the losses were at $3 million, but it was later found that over 1,900 Ether (ETH), worth about $6.4 million, were taken from the exploit.
Security analysts at CertiK explained that the exploit happened due to a critical “call” vulnerability in the protocol’s smart contract. Joe Green, the head of CertiK's quick response team, told Cointelegraph that this vulnerability allowed the attacker to perform external calls to any address. Green explained:
In this incident, an attacker was able to perform arbitrary external calls to transfer assets from addresses that had granted approvals to the vulnerable contracts directly to themselves.
Green added that a key takeaway from this incident is to pay attention to any external calls, particularly when upgrading contracts. This means that while a contract may be secure during its deployment, it may break on certain instances. “A entrusts B; B entrusts C; C entrusts D, but a new upgrade may break when A is not supposed to trust D,” Green shared.
Related: Shido token plummets 94% as exploiter drains Ethereum staking contract
Seneca said it is working with specialists to investigate what happened. It also offered a $1.2 million bounty for the return of the stolen funds. In an on-chain message on Feb. 29, Seneca asked the hacker to return 80% of the stolen funds to an Ethereum address, allowing the hacker to keep 20%.
Within the message, Seneca said it is collaborating with security providers and law enforcement to trace the funds. It urged the hacker to return the funds to avoid legal consequences. “Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” it wrote.
Hours after Seneca’s message, the hacker returned about 1,537 ETH, worth around $5.3 million, to the wallet address Seneca specified. The exploiter kept 300 ETH, worth around $1 million, and accepted the 20% bounty offered by Seneca. The exploiter then transferred the ETH to two different addresses.
Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks