The Seneca Protocol is a decentralized finance (DeFi) platform that provides a collateralized debt position (CDP) system for borrowing senUSD, a stablecoin pegged to $1. By using yield-generating assets as collateral, users can borrow funds while continuing to earn a fixed yield on their collateral. This dual functionality aims to offer both liquidity and yield generation in one system.
On February 28, 2024, a critical vulnerability in the Seneca Protocol’s Chamber contract led to the theft of approximately $6.4 million, mainly in Ether (ETH). The breach not only inflicted significant financial damage but also severely impacted the protocol’s reputation, resulting in decreased liquidity, plummeting token prices, and diminished user confidence. The exploit was exacerbated by the inability to pause the contracts due to a missing pause/unpause function. The attacker stole over 1,900 ETH and 50,000 senUSD from a team wallet through various swaps involving Liquidity Staked Tokens (LSTs), distributing the stolen funds across three addresses.
The attack exploited a vulnerability in the Chamber contract’s performOperations function, which allowed callers to specify various parameters for external calls:
In this case, the attacker set the actions[0] value to 30, which triggered the internal _call function in the Chamber contract. This allowed the attacker to make arbitrary external calls to any contract with crafted input data.
By setting callData to invoke the transferFrom() function on a token, the attacker specified the from address as a user’s address and the to address as their own externally owned account (EOA). Since msg.sender was the Chamber contract, the attacker was able to transfer funds to themselves due to the Chamber contract’s approval amount exceeding the total collateral deposited. This manipulation enabled the attacker to siphon over $6 million from users’ funds.
The attacker capitalized on the fact that users had pre-approved the Chamber contract to manage their tokens. By utilizing the performOperations function, the attacker crafted calldata to trigger a transferFrom() function, specifying users’ addresses as the source and the attacker’s own address as the destination. Due to the inadequate validation in the Chamber contract, this external call was allowed, and tokens were siphoned directly from users’ wallets. Over $6 million worth of assets were stolen before the attacker returned 80% of the funds following a whitehat request from Seneca.
To gain a deeper understanding of the Seneca Protocol exploit, you can replicate the attack by following the proof of concept (PoC) available in this GitHub repository. The PoC includes detailed, step-by-step instructions on how the vulnerability in the Chamber contract was exploited. By simulating the attack, you can observe the exploit process and gain insights into the attack dynamics and its impact.
The attack on the Seneca Protocol led to the theft of over 1,900 ETH, involving various Liquidity Staked Tokens (LSTs) that were swapped for ETH. The stolen ETH is currently held across three addresses:
Each of the second and third exploiter addresses holds approximately 500 ETH, totaling nearly 1,000 ETH, which is about 80% of the stolen funds. The remaining 20% of the funds have been handled differently:
Upon realizing the breach, Seneca took immediate action by instructing users to revoke their token approvals. Despite this, the damage had already been done. Subsequently, Seneca issued an on-chain message on X, offering a 20% bounty for the return of the stolen funds.
The hacker responded by returning 1,537 ETH to the Gnosis Safe address and transferring 300 ETH to two new addresses:
The attacker began by funding their address with 0.0992 ETH. Shortly after, through a series of transactions, the exploiter utilized platforms like AirSwap and various liquidity pools to steal significant amounts of ETH and other tokens. They transferred approximately 1,907.31 ETH and additional smaller sums, moving funds across multiple wallets and using bridges like CBridge and MetaMask Meta Bridge. The total stolen funds reached 500 ETH in a single transaction, all routed to various addresses for obfuscation.
To prevent future exploits, the Seneca Protocol should implement the following security measures:
The Seneca Protocol hack underscores the critical need for stringent security measures and thorough audits in DeFi platforms. Although the protocol was designed to facilitate complex transactions, its vulnerabilities were exploited with significant financial consequences. This incident demonstrates that even well-intentioned systems are susceptible to risks if security isn’t prioritized.
As the DeFi landscape continues to advance, safeguarding smart contracts must remain a top priority. Implementing rigorous security practices, conducting regular and comprehensive audits, and fostering transparent communication with users are essential steps in protecting assets and maintaining trust within the ecosystem.
Organizations like BlockApex, with their specialized expertise in smart contract auditing, are instrumental in identifying and addressing vulnerabilities before they can be exploited. The Seneca Protocol incident serves as a stark reminder of the necessity for continuous vigilance and robust security protocols to build trust and support the sustained growth of DeFi platforms.
Convergence Finance is a DeFi protocol known for its innovative approach to liquidity aggregation and…
Key Takeaways: Money laundering involves three stages: introducing illicit money (placement), obscuring its origins (layering),…
In this article, we understand how the demand and supply of tokens work and how…
LightLink, an Ethereum Layer 2 blockchain, conducted a Liquidity Bootstrapping Pool (LBP) sale. This fundraising…
Midl DApp: A cross-border payment solution In today's fast-paced global financial landscape, the need for…
Push the Button (PTB) is all about turning a simple action into an exciting game.…
This website uses cookies.