Concentric liquidity manager defrauded of $1.8M in private key hack.



According to the protocol's official X account, the liquidity manager application Concentric was exploited on Arbitrum. The attacker used a “social engineering attack” to compromise the private key of the protocol's deployer account, which was then used to “modify vaults, mint new LP tokens, and then drain their holdings,” the team said.

Concentric is urging users to revoke approvals for all vault addresses listed in the protocol documentation.
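An added example, not code from Concentric or from the original article: a Python sketch that replays ERC-20 `Approval` event logs to list which allowances a wallet still has outstanding to a set of flagged spender addresses. The vault addresses, owner, tokens and log entries are constructed placeholders; the log field names follow the JSON-RPC `eth_getLogs` format.

```python
# Added example. Every address and log entry here is a constructed placeholder.
# topic0 of the ERC-20 event Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def _addr(byte):            # placeholder 20-byte address
    return "0x" + byte * 20
def _topic(addr):           # indexed address, left-padded to 32 bytes
    return "0x" + "00" * 12 + addr[2:]
def _log(token, owner, spender, amount, block, index=0):
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, OTHER = _addr("11"), _addr("22")
VAULT_1, VAULT_2, UNRELATED = _addr("aa"), _addr("bb"), _addr("dd")
TOKEN_A, TOKEN_B = _addr("c1"), _addr("c2")
# Stand-ins for the vault addresses listed in the protocol documentation.
FLAGGED_SPENDERS = {VAULT_1, VAULT_2}

SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER, VAULT_2, 0, block=18),              # later revocation
    _log(TOKEN_A, OWNER, VAULT_1, 2**256 - 1, block=16),     # unlimited, never revoked
    _log(TOKEN_B, OWNER, VAULT_2, 1000, block=17),
    _log(TOKEN_A, OWNER, UNRELATED, 500, block=17, index=1), # spender not flagged
    _log(TOKEN_A, OTHER, VAULT_1, 7, block=19),              # different owner
]

def outstanding_approvals(logs, owner, flagged=FLAGGED_SPENDERS):
    """Return {(token, spender): amount} for the owner's non-zero approvals to
    flagged spenders, taking the last Approval event per pair in chain order."""
    owner, flagged = owner.lower(), {s.lower() for s in flagged}
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16),
                                          int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 Approval has 4 and is skipped.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        log_owner = "0x" + topics[1][-40:].lower()
        spender = "0x" + topics[2][-40:].lower()
        if log_owner == owner and spender in flagged:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    # Events give an upper bound: transferFrom can lower an allowance without
    # emitting Approval, so confirm each hit with the token's allowance() call.
    return {pair: amount for pair, amount in latest.items() if amount > 0}

if __name__ == "__main__":
    for (token, spender), amount in outstanding_approvals(SAMPLE_LOGS, OWNER).items():
        print(f"revoke: token={token} spender={spender} allowance={amount}")
```

Each pair the function returns is an allowance to clear by approving the same spender for zero on that token.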

According to a report from blockchain security platform CertiK, more than $1.8 million has been lost in the attack so far. The attacker's wallet is linked to the wallet that carried out the OKX decentralized exchange exploit on December 13, CertiK said, suggesting that both attacks may have been carried out by the same person or group.

The exploit wallet calls an administrator mint function on the Concentric contract, issuing 0.001 CONE-1 tokens. It then calls “burn” to redeem the CONE-1 tokens for funds from the Algebra pool. This process is repeated several times, allowing the attacker to obtain many ERC-20 tokens, which are then converted to Ether (ETH).

Concentric said the team has started an investigation and will issue a post-mortem report as soon as possible. In the report, the team will present a plan to address the vulnerability. “Our team is fully committed to resolving this issue and restoring the integrity of the Concentric protocol,” Concentric said.

Liquidity management protocols are used to set minimum and maximum prices and balance liquidity pools in a decentralized exchange (DEX). They began to grow in popularity after Uniswap released its “enhanced liquidity” feature in 2021, which allowed liquidity providers to set lower and higher prices at which their assets could be sold. This has made liquidity provision more complex, forcing some users to employ governance protocols to manage their assets.

Another liquidity manager, Gamma Protocol, was attacked on January 4, leaving nearly $500,000 in smart contract exposure. The two attacks used different methods and do not appear to be related.
