$6.4 Million in Losses Are Reported Due to Seneca Protocol Exploitation

Seneca Protocol, a decentralized finance (DeFi) lending platform and stablecoin issuer, announced the incident on its official X account on February 28.

Cointelegraph has learned that blockchain analytics company CertiK has put the losses at $6.4 million so far.

The Seneca team is “presently engaging with security professionals to examine the flaw” and has asked users to remove their approvals for the impacted contracts.

The Seneca Protocol is a decentralized finance platform that lets users mint and borrow SenecaUSD, the protocol’s native stablecoin, using a variety of cryptocurrencies as collateral.

According to blockchain data, an account ending in 42DC was able to withdraw about 1,385.23 Pendle Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool via the “performOperations” function.

In three separate transactions, this account then traded these tokens for almost $4 million worth of Ether (ETH).

After these trades, the account moved 717.04 ETH derivative tokens from different pools of collateral and traded them for ETH.

CertiK attributes these transactions to a vulnerability in the protocol’s “performOperations” function, which it claims allowed them to be executed maliciously.

Because of the flaw, any user account may call the function with the OPERATION_CALL action parameter. This means the attacker may “make external calls to any address since the callee and callData are entirely controlled by the attacker.”

As a result, according to CertiK, the attacker was able to withdraw funds from the collateral pool that it did not own.
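The flaw described above is a generic call action that forwards a caller-chosen callee and callData without checks. The following added example (not Seneca's code or CertiK's tooling) shows the screening such an action needs before forwarding a call: an allowlist of callees, plus a check on ERC-20 selectors that would spend another account's approval. The function names, the allowlist and the sample addresses are assumptions constructed for illustration.

```python
# Added example (not Seneca's code): screen one caller-supplied external call.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)


def abi_address(word: bytes) -> str:
    """Return the 20-byte address stored in a 32-byte ABI word."""
    return "0x" + word[12:32].hex()


def abi_word(value) -> bytes:
    """Encode an address string or an integer as one 32-byte ABI word."""
    if isinstance(value, str):
        return bytes(12) + bytes.fromhex(value[2:])
    return value.to_bytes(32, "big")


def screen_call(caller, callee, call_data, allowed_callees):
    """Return the reasons a (callee, callData) pair must be rejected; [] means allowed."""
    findings = []
    if callee.lower() not in allowed_callees:
        findings.append("callee not on allowlist")
    selector, args = call_data[:4], call_data[4:]
    if selector == TRANSFER_FROM:
        if len(args) < 96:
            findings.append("malformed transferFrom")
        elif abi_address(args[:32]) != caller.lower():
            findings.append("transferFrom spends another account's allowance")
    elif selector in (APPROVE, TRANSFER):
        findings.append("moves or approves tokens held by the calling contract")
    return findings


# Constructed sample values, not taken from the incident.
DEPOSITOR = "0x" + "11" * 20
CALLER = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20
ROUTER = "0x" + "44" * 20
FLAGGED = TRANSFER_FROM + abi_word(DEPOSITOR) + abi_word(CALLER) + abi_word(10**18)

if __name__ == "__main__":
    print(screen_call(CALLER, TOKEN, FLAGGED, {ROUTER}))
    print(screen_call(CALLER, ROUTER, bytes.fromhex("12345678"), {ROUTER}))
```

The same two checks explain the advice to revoke approvals: once a depositor's allowance to the affected contract is zero, a forwarded transferFrom naming that depositor has nothing to spend.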

Spreek, a blockchain investigator who also informed users about the hack on X, described a “serious vulnerability.”

Spreek recommended removing permissions for the compromised addresses. Security researcher ddimitrov22 claims that Seneca has an additional vulnerability that prevents developers from pausing the contracts: their pause and unpause methods are marked as “internal” and are therefore inaccessible.

The development team has acknowledged the attack and promised an update “shortly” when they finish their investigation.

Even in the year 2024, Web3 users are still vulnerable to hacks and attacks. Hackers stole $9.7 million from Axie Infinity co-founder Jeff “Jihoz” Zirlin’s personal wallets on February 23. Meanwhile, 457 ETH was stolen from the DeFi protocol Blueberry on the very same day.
