The Blueberry decentralized finance (DeFi) protocol has taken decisive action by pausing its lending and leverage operations following the detection of a mysterious exploit. The protocol swiftly urged users to withdraw their funds from Blueberry lending markets upon uncovering the exploit, striving to mitigate potential damage.
In a post dated February 23 on X (now deleted), the Blueberry Protocol Foundation disclosed the ongoing exploit and advised users to withdraw their funds promptly while efforts were made to halt the protocol. Amidst the chaos, users had difficulty withdrawing funds, a problem made worse by the front end being unavailable.
The website and app experienced a brief outage, displaying an application error message: “A client-side exception has occurred.”
Approximately 30 minutes later, Blueberry confirmed the successful pause of the protocol, with the website subsequently restored.
UPDATE: The protocol has been paused. Funds currently deposited are no longer exploitable and we will update as we have more information https://t.co/otsa1WZMEj
— Blueberry Protocol Foundation 🫐🫐 (@blueberryFDN) February 23, 2024
Further updates from Blueberry revealed that the drained funds had been preemptively secured by c0ffeebabe.eth and transferred to the Blueberry multisig wallet.
Further details of the exploit:
All of the drained funds were front run by @ coffeebabe_eth (not real twitter, not on socials) and are now safe in the Blueberry multisig, less the validator payment.
The team is in contact with security and comms professionals and will attempt…
— Blueberry Protocol Foundation 🫐🫐 (@blueberryFDN) February 23, 2024
Although 457 Ether was initially drained, the white hat managed to salvage 366 ETH and return it to the multisignature wallet.
To quickly reiterate:
Deposited funds are currently safe. Only three markets were affected and the large majority was already returned. Total validator payment (loss) is 91 ETH. We are getting in touch and aim for a full repayment to users as the goal. Protocol is paused. https://t.co/uaQKwS9Iik
— Blueberry Protocol Foundation 🫐🫐 (@blueberryFDN) February 23, 2024
The protocol team assured users of the safety of deposited funds, with only three markets affected and the majority of funds already recovered.
Blueberry protocol, facilitating decentralized lending and leveraged borrowing up to 20x collateral value, boasted a total value locked (TVL) of $4.5 million, according to DefiLlama. However, this figure decreased to $3.15 million following the exploit.
c0ffeebabe.eth gained prominence for returning approximately 2,879 ETH, valued at around $5.4 million, to the DeFi protocol Curve Finance amidst a hack in July 2023.
Ironically, Blueberry had published a “security overview” on February 22 (now deleted), emphasizing its commitment to a security-first approach and risk mitigation.
The protocol claimed to have undergone audits by Hacken and Sherlock, along with two independent token security audits. However, the tweet promoting the security review has since been removed from Blueberry’s X feed.