Decentralized finance (DeFi) lending platform Seneca Protocol fell victim to an exploit, as revealed in a statement on the protocol’s official X account on February 28. According to findings from blockchain analytics firm CertiK, the losses from the exploit are estimated at $6.4 million. The Seneca team has advised users to revoke approvals for the affected contracts and is actively collaborating with security specialists to investigate the issue.
We are actively working with security specialists to investigate the approval bug found today.
In the meantime, REVOKE approvals for the following addresses:#Ethereum
PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1
apxETH 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34…— Seneca (@SenecaUSD) February 28, 2024
Seneca Protocol functions as a DeFi lending application enabling users to deposit various cryptocurrencies as collateral. These deposits can then be utilized to mint and borrow the protocol’s native stablecoin, SenecaUSD.
Blockchain data indicates that an account ending in 42DC managed to transfer approximately 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool by invoking the “performOperations” function. Subsequently, the account exchanged these tokens for approximately $4 million worth of Ether (ETH) through three transactions. Following these swaps, the account proceeded to transfer an additional 717.04 ETH derivative tokens from various collateral pools, swapping them for ETH.
CertiK’s report identifies these transfers as malicious, attributing them to a flaw in Seneca Protocol’s “performOperations” function. The bug enables any account to call the function, specifying OPERATION_CALL as the action, thereby allowing the attacker to execute external calls to any address with fully controlled call data. Consequently, the attacker managed to drain funds from the collateral pool without legitimate ownership.
Blockchain investigator Spreek also flagged the exploit on X, highlighting it as a critical vulnerability. Spreek recommended users to revoke approvals for the addresses involved in the exploit.
ADDRESSES TO REVOKE: 0xbc83f2711d0749d7454e4a9d53d8594df0377c05 (MAINNET)
0x2d99e1116e73110b88c468189aa6af8bb4675ec9 (ARBITRUM)
— Spreek (Denver 28th-5th) (@spreekaway) February 28, 2024
Security researcher ddimitrov22 noted an additional vulnerability in Seneca, which prevents developers from pausing the protocol’s contracts due to the presence of the “internal” keyword in the pause and unpause functions, rendering them uncallable.
The Seneca protocol is hacked and it cannot be paused even though it inherits the Pausable library.
This is because the `_pause` and `_unpause` functions are internal and there is no way to call them. pic.twitter.com/en0qIsayMX
— ddimitrov22 (@ddimitrovv22) February 28, 2024
In response to the attack, the development team confirmed ongoing investigations and pledged to provide updates shortly.
The incident underscores the persistent threat of hacks and exploits in the Web3 landscape in 2024. Notably, on February 23, Axie Infinity co-founder Jeff “Jihoz” Zirlin suffered a $9.7 million loss from a hack targeting his personal wallets, while on the same day, DeFi protocol Blueberry was exploited for 457 ETH.