Seneca Protocol Suffers $6.4 Million Loss following DeFi Hack Exploiting Key Vulnerabilities
Summary:
Seneca Protocol, a decentralized finance lending platform, has been exploited, resulting in an estimated loss of $6.4 million. The flaw allowing the breach lies in the protocol's "performOperations" function, enabling an attacker to drain funds from a pool they didn't own. An additional vulnerability prevents developers from pausing Seneca contracts. The development team has pledged to investigate the problem and will release an update soon.
Seneca Protocol, a decentralized finance (DeFi) lending platform and issuer of stablecoins, has fallen victim to a cyber-attack, as stated on the protocol's official account on Feb. 28. Blockchain analysis company CertiK has tallied the damage at $6.4 million and counting. The Seneca team has advised users to revoke approvals for compromised contracts and affirmed that they are "presently collaborating with security experts to explore the error."
Seneca Protocol is a DeFi lending application that lets users deposit various cryptocurrencies as collateral and then create and borrow the protocol's native stablecoin, SenecaUSD. Blockchain records reveal that an account ending in 42DC transferred roughly 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) out of a Seneca collateral pool via the "performOperations" function before exchanging those tokens for about $4 million in Ether (ETH).
CertiK alleges this activity was malicious and was enabled by an error in the protocol's "performOperations" function. The flaw allows any account to call the function while designating OPERATION_CALL as the action, so the attacker was able to withdraw funds from a collateral pool that it did not own.
Blockchain sleuth Spreek also cautioned users about the breach on X, labeling it a "grave vulnerability." Spreek advised users to revoke approvals for the exploited addresses. In addition, security researcher ddimitrov22 pointed out another vulnerability that prevents developers from halting the Seneca contracts: the pause and unpause functions carry the "internal" keyword, which leaves them unusable.
In response to the security breach, the development team of Seneca Protocol said it is conducting an in-depth investigation and will share an update shortly. This comes amid a series of hacks plaguing Web3 users in 2024, with Axie Infinity co-founder Jeff "Jihoz" Zirlin losing $9.7 million from a hack into his personal wallets and DeFi protocol Blueberry being swindled for 457 ETH on Feb. 23.
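The two reported flaws, the ungated OPERATION_CALL action and the unreachable pause functions, are shown below in hardened form. This is an added example, not Seneca's code: the contract name, the allowlist, the owner model and the numeric value of OPERATION_CALL are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative pool, NOT Seneca's code. Every name except performOperations
/// and OPERATION_CALL is hypothetical.
contract GuardedPool {
    uint8 internal constant OPERATION_CALL = 30; // constructed value

    address public immutable owner;
    bool public paused;
    mapping(address => bool) public allowedCallee; // vetted helper contracts only

    error NotOwner();
    error Paused();
    error CalleeNotAllowed(address callee);
    error CallFailed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert Paused(); _; }

    constructor() { owner = msg.sender; }

    // Weak form: `function pause() internal` with no external wrapper, so no
    // transaction can ever reach it. Corrected: external and owner-gated.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    function setAllowedCallee(address callee, bool ok) external onlyOwner {
        allowedCallee[callee] = ok;
    }

    // Weak form: forward any caller-supplied (callee, data) pair from a
    // contract that users have approved to move their tokens.
    // Corrected: the callee must be allowlisted; token contracts and the
    // pool itself must never be placed on that list.
    function performOperations(uint8[] calldata actions, bytes[] calldata datas)
        external
        whenNotPaused
    {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] != OPERATION_CALL) continue; // other actions omitted
            (address callee, bytes memory callData) =
                abi.decode(datas[i], (address, bytes));
            if (!allowedCallee[callee]) revert CalleeNotAllowed(callee);
            (bool ok, ) = callee.call(callData);
            if (!ok) revert CallFailed();
        }
    }
}
```

A deployment test should confirm that `pause()` is reachable from the owner account and that `performOperations` reverts for a callee that is not on the allowlist.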
Published At
2/29/2024 4:08:24 PM