L2s have been going through something of a rekt-naissance lately.
Exactly Protocol becomes the latest victim of this summer’s on-chain crime spree, after being hit for $7.2M.
The lending platform, based on Optimism, was targeted by an exploit which drained users' collateral.
We're actively investigating a security issue within our protocol. To ensure user safety, the protocol is temporarily paused (you can still withdraw assets). Our team is on top of this and will share more details asap.
While the losses are heavy, the collateral (heh) damage looks to have been even heavier.
Will Exactly ever financially recover from this?
This allowed the hacker to pass a fake market address, inserting the victim’s address as _msgSender, and thereby drain users’ collateral.
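The failure mode described above, as an added illustration that is not Exactly's code: a periphery contract that calls whatever market address the caller supplies and derives the acting user from a storage slot rather than from msg.sender, next to a hardened form that only accepts markets registered with the protocol. The names IMarket, IAuditor, DebtManager* and isMarketListed are hypothetical.

```solidity
// Added example, not Exactly Protocol's code. All contract and function names are hypothetical.
pragma solidity ^0.8.0;

interface IMarket {
    function borrow(uint256 amount, address receiver, address borrower) external;
}

interface IAuditor {
    function isMarketListed(address market) external view returns (bool);
}

// Vulnerable pattern: (1) `market` is an arbitrary caller-supplied address, so the
// periphery hands control to untrusted code, and (2) the "effective sender" lives in
// storage, so any re-entrant path that rewrites `_sender` can impersonate another user
// who has granted this contract an allowance.
contract DebtManagerVulnerable {
    address internal _sender;

    function _msgSender() internal view returns (address) {
        return _sender == address(0) ? msg.sender : _sender;
    }

    function leverage(IMarket market, uint256 amount) external {
        _sender = msg.sender;
        // No check that `market` is a real protocol market.
        market.borrow(amount, address(this), _msgSender());
        _sender = address(0);
    }
}

// Hardened pattern: external calls go only to markets the protocol's registry knows,
// and the acting user is always the real caller.
contract DebtManagerHardened {
    IAuditor public immutable auditor;

    constructor(IAuditor auditor_) {
        auditor = auditor_;
    }

    function leverage(IMarket market, uint256 amount) external {
        require(auditor.isMarketListed(address(market)), "market not listed");
        market.borrow(amount, address(this), msg.sender);
    }
}
```

The defensive takeaway is the allowlist check plus the removal of the mutable sender slot; a periphery contract that forwards user allowances must never let the caller choose which contract it talks to.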
Exploiter address 1: 0x3747dbbcb5c07786a4c59883e473a2e38f571af9
Exploiter address 2: 0xe4f34a72d7c18b6f666d6ca53fbc3790bc9da042
Exploiter address 3: 0x417179df13ba3ed138b0a58eaa0c3813430a20e0
Attack contract: 0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
Example attack tx: 0x3d6367de…
Of the 4324 ETH (~$7.2M) of total proceeds from the hack, 1500 ETH ($2.5M) have been bridged back to Ethereum, where they remain.
BlockSec provided the following chart illustrating the flow of funds:
As we’ve said many times before, audits are not a silver bullet.
They should be seen as just one, albeit very important, part of an overall holistic security approach.
Who will be next on the leaderboard?