A hacker managed to steal over $6 million from the decentralized finance (DeFi) protocol Delta Prime by minting an arbitrarily large number of deposit receipt tokens.
Attack Details
According to data from block explorer Arbiscan, the attacker minted over 115 duovigintillion Delta Prime USD (DPUSDC) tokens in the initial attack, which is more than 1.1*10^69 in scientific notation. DPUSDC is a deposit receipt for USDC stablecoin held at Delta Prime, intended to be redeemable at a 1:1 ratio for USDC. Despite minting such a large number of DPUSDC tokens, the attacker only burned 2.4 million of them, receiving $2.4 million USDC in exchange.
Hacker's Methods
The attacker then repeated these steps for other deposit receipt tokens, minting over 1 duovigintillion Delta Prime Wrapped Bitcoin (DPBTCb), 115 octodecillion Delta Prime Wrapped Ether (DPWETH), 115 octodecillion Delta Prime Arbitrum (DPARB), and many other deposit receipt tokens, ultimately redeeming a tiny fraction to receive over $1 million in Bitcoin, Ether, Arbitrum, and other tokens. Blockchain security specialist Chaofan Shou estimated that $6 million in assets have been stolen so far.
Response and Consequences
The attacker was able to mint these deposit receipt tokens by first gaining control of an admin account ending in b1afb, likely by stealing the developer’s private key. Using this account, they called an 'upgrade' function on each of the protocol’s liquidity pool contracts, allowing each proxy to point to a malicious contract created by the attacker. In response, Delta Prime acknowledged the attack through an X post, stating that the Avalanche version, DeltaPrime Blue, is not vulnerable and that the protocol’s insurance will cover potential losses where possible.
The Delta Prime attack illustrates the risks involved with DeFi protocols using upgradeable contracts. The Web3 ecosystem aims to prevent such vulnerabilities, but the debate continues among developers about when and how to allow upgrades in contracts.
Comments