Seneca Protocol, a decentralized finance (DeFi) lending platform and stablecoin issuer, has fallen victim to an exploit, as confirmed in a statement on the protocol’s official X account on February 28th. A report by blockchain analytics firm CertiK estimated the losses from the exploit to be around $6.4 million. The Seneca team has advised users to revoke approvals for the affected contracts and is currently collaborating with security specialists to investigate the bug.
Seneca Protocol operates as a DeFi lending app that allows users to deposit various cryptocurrencies as collateral. These collateral assets can then be used to create and borrow the protocol’s native stablecoin, SenecaUSD.
Blockchain data reveals that an account ending in 42DC managed to transfer approximately 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) out of a Seneca collateral pool by calling the “performOperations” function. The account then exchanged these tokens for roughly $4 million worth of Ether (ETH) across three transactions. Following these swaps, the account transferred a further 717.04 ETH derivative tokens from other collateral pools and exchanged them for ETH as well.
CertiK’s report stated that these transfers were malicious. They were made possible by a flaw in the protocol’s “performOperations” function, which allows any account to call the function while specifying OPERATION_CALL as the action to be performed. Because the caller also supplies the callee address and the callData, the attacker gained full control over what the contract executed on their behalf, enabling them to drain funds from collateral pools they did not own.
Spreek, a blockchain investigator, also issued a warning on X, highlighting the exploit as a “critical vulnerability.” They advised users to revoke approvals for the addresses involved in the exploit.
Additionally, security researcher ddimitrov22 discovered another vulnerability in Seneca that prevents the developers from pausing the Seneca contracts. The pause and unpause functions in the contracts are declared with the “internal” keyword, so they cannot be invoked by any external transaction and the contracts cannot be halted in an emergency.
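The following constructed Solidity sketch is added here to illustrate the two weaknesses described above and one way to close them; it is not Seneca’s code. The generic-call path is confined to an owner-maintained allowlist and refused while paused, and the pause functions are made externally callable by the owner. The contract names, the owner and allowlist mechanism, and the numeric value chosen for OPERATION_CALL are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration of the two defects described above; not Seneca's code.
// Contract names, owner/allowlist logic and the OPERATION_CALL value are assumptions.
contract VulnerableVault {
    uint8 internal constant OPERATION_CALL = 30;
    bool public paused;

    // Defect 1: any caller can make the vault execute arbitrary calldata against
    // an arbitrary callee, so every token approval the vault holds is exposed.
    function performOperations(uint8[] calldata actions, address[] calldata callees, bytes[] calldata datas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (bool ok, ) = callees[i].call(datas[i]);
                require(ok, "call failed");
            }
        }
    }
    // Defect 2: declared internal, so no transaction can ever reach them.
    function pause() internal { paused = true; }
    function unpause() internal { paused = false; }
}

contract HardenedVault {
    uint8 internal constant OPERATION_CALL = 30;
    address public immutable owner;
    bool public paused;
    // Owner-curated callees (e.g. a DEX router); must never include collateral tokens.
    mapping(address => bool) public allowedTargets;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    constructor() { owner = msg.sender; }
    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTargets[target] = allowed;
    }
    // Generic calls are limited to allowlisted callees and refused while paused.
    function performOperations(uint8[] calldata actions, address[] calldata callees, bytes[] calldata datas) external whenNotPaused {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] != OPERATION_CALL) continue;
            require(allowedTargets[callees[i]], "callee not allowed");
            (bool ok, ) = callees[i].call(datas[i]);
            require(ok, "call failed");
        }
    }

    // Reachable by the owner, so the protocol can actually be halted.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }
}
```

A review checklist for this pattern is short: every externally reachable function that forwards a caller-supplied address and calldata needs a callee restriction, and every emergency-stop function needs an external or public visibility plus an access modifier.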
The Seneca development team acknowledged the attack in a post and assured users that they are conducting an investigation and will provide an update soon.
Unfortunately, hacks and exploits continue to pose a threat to Web3 users in 2024. Just recently, on February 23rd, Axie Infinity co-founder Jeff “Jihoz” Zirlin lost $9.7 million from a hack targeting his personal wallets. On the same day, the DeFi protocol Blueberry was also exploited, resulting in a loss of 457 ETH.