Bold strategy, Gamma, let’s see if it pays off…
Gamma Strategies, an Arbitrum-based concentrated liquidity management protocol, was exploited for at least $4.5M, earlier today.
A follow-up announcement informed users that the team had paused deposits to mitigate further attacks:
All public vaults/hypervisors have had deposits shut down. You may withdraw your funds if need be. Our vaults will continue to be managed normally for now, but deposits are currently shut down until we identify and mitigate the problem.
When Orbit lost over $80M at New Year, we asked:
Can we do better this year?
So far, it’s not looking good…
Flash loans were used to manipulate the value of deposits, allowing the attacker to mint an inflated number of LP tokens.
Despite four desposit protection measures, the attack was viable due to the broad ranges in allowed price changes within certain vaults. Deposits remain paused on Gamma vaults, as it is during deposits that the attack vector arises.
As Gamma explained:
The main issue is with the settings we placed on (2) the price change threshold.
It was placed too high allowing for up 50-200% price change on certain LST and stablecoin vaults. This allowed the attacker to manipulate the price up to the price change threshold and mint a disproportionately high number of LP tokens.
Peckshield provided an attack flow:
Attack contract 1: 0x4b57adc00ac38f74506d29fc4080e3dc65b78a69
Example attack tx: 0x025cf285…
The majority of funds were bridged back to the hacker’s Ethereum address. USDT was then swapped out for ETH for a total of 1535 ETH ($3.4M). Approximately $1.1M of DAI and gDAI remains on Arbitrum, however total losses to Gamma may have been higher.
The attacker was funded via Tornado Cash two and a half hours before the attack began.
Collateral damage threatened a number of other projects…
First, Crypto Algebra suffered reputation-wise from the initial mis-labeling, then other protocols paused their contracts out of an abundance of caution. DEXs Camelot and Quickswap were also keen to point out that the issue was not with their own code.
Gamma Strategies has a somewhat chequered past.
Before rebranding, the protocol then known as Visor Finance suffered three incidents in 2021 alone.
However, it bears mentioning that Gamma has had no issues since the rebrand, with apparently “no original developers or founders remaining from the project”.
The protocol has undergone three audits, from Consensys Diligence (March 2022), Arbitrary Execution (March 2022), and Certik (July 2021), but given that the vulnerability was due to the configuration of individual pool’s price change tolerances, the bug is likely out of scope.
As we press on into 2024, it seems the constant stream of hacks and exploits shows no sign of slowing down.
And if we do see a new bull run, at this rate it will surely eclipse the madness of last time.
Stay safe out there…
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Jimbo’s Protocol was hit with a flash loan attack in the early hours of Sunday, losing $7.5M. The team have sent the attacker an ultimatum. But for now, Jimbo is stuck in limbo.
Swaprum, an Arbitrum-based DEX, pulled the rug for $3M on Thursday. Certik, the project's auditor, has since updated Swaprum’s security score to “Exit Scam”. Too little, too late?
dForce Network was hit for $3.65M on both Arbitrum and Optimism. This attack on two fronts exploited a common reentrancy vulnerability. How much more will be lost to this bug?