Decentralised finance (DeFi) lending platform and stablecoin issuer Seneca Protocol has fallen victim to exploitation, as stated in a Feb. 28 announcement on the protocol’s official X account.
According to a report disclosed to Cointelegraph, blockchain analytics firm CertiK has estimated the losses at $6.4 million thus far.
The Seneca team has urged users to revoke approvals for the affected contracts and has asserted that its personnel are “presently collaborating with security specialists to investigate the bug”.
Seneca Protocol is a DeFi lending application enabling users to deposit various cryptocurrencies as collateral, which can then be utilised to mint and borrow the protocol’s native stablecoin, SenecaUSD.
Blockchain data reveals that an account ending in 42DC managed to transfer approximately 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool by invoking the “performOperations” function.
Subsequently, this account exchanged these tokens for approximately $4 million worth of Ether (ETH) through three transactions.
Following these swaps, the account proceeded to transfer an additional 717.04 ETH derivative tokens from various collateral pools and exchanged them for ETH.
According to CertiK’s report, these transfers were maliciously executed due to a flaw in the protocol’s “performOperations” function.
The bug permits any account to invoke the function while specifying OPERATION_CALL as the action to be executed.
Consequently, the attacker gains the ability to “perform external calls to any address as the callee and callData are fully controlled by the attacker”.
READ MORE: Overdare Partners with Circle to Integrate Web3 Wallets and USDC Payouts for Gaming Creators
Hence, CertiK contends, the attacker managed to drain funds from the collateral pool not under its ownership.
Blockchain investigator Spreek also alerted users about the exploit on X, describing it as a “critical vulnerability”.
Spreek recommended that users should revoke approvals for the addresses used in the exploit.
According to security researcher ddimitrov22, Seneca suffers from an additional vulnerability preventing developers from pausing the Seneca contracts, as the pause and unpause functions within them are labelled as “internal”, rendering them inaccessible.
In their acknowledgment of the attack, the development team stated that they are currently conducting an investigation and will provide an update “shortly”.
Hacks and exploits continue to pose threats to Web3 users in 2024.
On Feb. 23, Axie Infinity co-founder Jeff “Jihoz” Zirlin lost $9.7 million due to a hack of his personal wallets. Concurrently, on the same day, DeFi protocol Blueberry was exploited for 457 ETH.
