Update Feb. 29, 10:17 UTC: CertiK’s Joe Green has provided additional comments for this article.
Seneca, a stablecoin protocol, has decided to reward the exploiter who drained over $6.4 million in digital assets by exploiting a bug in the protocol’s smart contract. To incentivize the return of the stolen funds, Seneca is offering the exploiter a 20% bounty.
On Feb. 28, several blockchain security firms, including CertiK, identified the exploit in the stablecoin protocol. CertiK promptly alerted users about the vulnerability and advised them to revoke approvals from a specific address on both the Ethereum and Arbitrum networks. Initial estimates suggested losses of $3 million, but it was later discovered that the exploiter had taken over 1,900 Ether (ETH), equivalent to approximately $6.4 million.
CertiK’s security analysts explained that the exploit was possible because of a critical flaw in the smart contract that they described as a “call” vulnerability: the contract could be made to issue an external call to any address, which is why users were advised to revoke the approvals they had granted to it. Joe Green, the head of CertiK’s quick response team, emphasized the importance of scrutinizing external calls, especially when upgrading contracts. A contract that was secure at deployment can become vulnerable once an upgrade changes what it is allowed to call. Green gave an example: “A entrusts B; B entrusts C; C entrusts D, but a new upgrade may break when A is not supposed to trust D.”
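To make the class of bug concrete, here is an added illustration of an arbitrary external call and one way to constrain it. It is not Seneca’s code and is not derived from it; the contract names (`VulnerableExecutor`, `Drainer`, `HardenedExecutor`) and the `execute` function are hypothetical, and the example assumes the usual ERC-20 `transferFrom` allowance semantics. The point it shows is that the external call is issued by the contract itself, so any token allowance a user granted to that contract is spendable by whoever can steer the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the illustration (assumption: standard
// allowance semantics, i.e. transferFrom spends allowance[from][msg.sender]).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE (hypothetical, not Seneca's contract): a generic "execute" helper
// that forwards caller-supplied calldata to a caller-supplied target. Inside
// the target, msg.sender is this contract, not the original caller.
contract VulnerableExecutor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// ATTACKER (hypothetical): points the executor at an ERC-20 token and asks it
// to move funds from a victim who approved the executor. The token sees
// msg.sender == address(executor) and consumes allowance[victim][executor].
contract Drainer {
    function drain(VulnerableExecutor executor, IERC20 token, address victim, uint256 amount) external {
        executor.execute(
            address(token),
            abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount))
        );
    }
}

// HARDENED (hypothetical): the same helper with an owner check plus allowlists
// for both the target address and the 4-byte function selector. Adding a new
// target or selector in an upgrade is exactly the "A should not trust D" step
// that must be reviewed.
contract HardenedExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    mapping(bytes4 => bool) public allowedSelector;

    error NotOwner();
    error TargetNotAllowed(address target);
    error SelectorNotAllowed(bytes4 selector);

    constructor(address[] memory targets, bytes4[] memory selectors) {
        owner = msg.sender;
        for (uint256 i = 0; i < targets.length; i++) allowedTarget[targets[i]] = true;
        for (uint256 i = 0; i < selectors.length; i++) allowedSelector[selectors[i]] = true;
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        if (msg.sender != owner) revert NotOwner();
        if (!allowedTarget[target]) revert TargetNotAllowed(target);
        // Reject payloads too short to carry a selector, then check the selector.
        if (data.length < 4) revert SelectorNotAllowed(bytes4(0));
        bytes4 sel = bytes4(data[:4]);
        if (!allowedSelector[sel]) revert SelectorNotAllowed(sel);
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

Two practical notes. First, the selector allowlist must never include functions such as `transferFrom` that spend a third party’s allowance; if a protocol genuinely needs to pull user funds, the pulling function should fix `from` to the caller rather than accept it from calldata. Second, the user-side mitigation CertiK advised maps directly onto this model: a user who has approved the vulnerable address calls `token.approve(executor, 0)` on each affected token so that the executor no longer holds an allowance to spend.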
Seneca has stated that it is currently collaborating with specialists to investigate the incident. The protocol has also offered a $1.2 million reward for the return of the stolen funds. In an on-chain message, Seneca requested that the hacker return 80% of the stolen funds to a specified Ethereum address, allowing the hacker to keep the remaining 20%.
Seneca told the hacker that it is working with security providers and law enforcement to trace the funds, and urged that they be returned as soon as possible to avoid further legal action.
Shortly after Seneca’s message, the hacker returned approximately 1,537 ETH, valued at around $5.3 million, to the specified wallet address. The exploiter decided to keep 300 ETH, worth approximately $1 million, and accepted the 20% bounty offered by Seneca. The hacker subsequently transferred the ETH to two different addresses.