A hacker managed to drain over $6 million from the decentralized finance (DeFi) protocol Delta Prime by minting an arbitrarily large number of deposit receipt tokens.
According to data from block explorer Arbiscan, the attacker minted over 115 duovigintillion Delta Prime USD (DPUSDC) tokens in the initial attack, which is more than 1.1*10^69 in scientific notation.
DPUSDC is a deposit receipt for USDC (USDC) stablecoin held at Delta Prime. It is intended to be redeemable at a 1:1 ratio for USDC.
Despite minting such a large number of USDC deposit receipts, the attacker only burned 2.4 million of them, receiving $2.4 million USDC stablecoin in exchange.
Attacker minting a very large number of DPUSDC tokens and redeeming some of them. Source: Arbiscan.
The attacker then repeated these steps for other deposit receipt tokens, minting over 1 duovgintillion Delta Prime Wrapped Bitcoin (DPBTCb), 115 octodecillion Delta Prime Wrapped Ether (DPWETH), 115 octodecillion Delta Prime Arbitrum (DPARB), and many other deposit receipt tokens, ultimately redeeming a tiny fraction of the amount minted to receive over $1 million in Bitcoin (BTC), Ether (ETH), Arbitrum (ARB), and other tokens.Â
According to blockchain security specialist Chaofan Shou, the attacker has stolen an estimated $6 million in funds so far.
Source: Chaofan Shu.
The attacker was able to mint these deposit receipt tokens by first gaining control of an admin account ending in b1afb, which they likely accomplished by stealing the developerâs private key. Using this account, they called an âupgradeâ function on each of the protocolâs liquidity pool contracts.Â
These functions are intended to be used for software upgrades. They allow the developer to change the code in a contract by having its proxy point to a different implementation address.
However, the attacker used these functions to point each proxy to a malicious contract that the attacker had created. Each malicious contract allowed the attacker to mint an arbitrarily large number of deposit receipts, effectively letting them drain each pool of funds.
Delta Prime attacker upgrading contracts. Source: Arbiscan.
Delta Prime acknowledged the attack in an X post, stating that âAt 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M.â
It claimed that the Avalanche version, DeltaPrime Blue, is not vulnerable to the attack. It also stated that the protocolâs insurance âwill cover any potential losses where possible/necessary.â
The Delta Prime attack illustrates the risk of DeFi protocols using upgradeable contracts.
The Web3 ecosystem is designed to prevent private key hacks from exploiting entire protocols.
Theoretically, an attacker should need to steal the private keys of every user to drain the entire protocol. However, when contracts are upgradable, it introduces an element of centralization risk, which can lead to an entire userbase losing its funds.Â
Even so, some protocols believe that giving up the ability to upgrade may be worse than its alternative, as it may prevent a developer from fixing bugs found after deployment. Web3 developers continue to debate when protocols should and should not allow upgrades.
Smart contract exploits continue to pose a risk to Web3 users. On Sep. 11, an attacker drained over $1.4 million from a CUT token liquidity pool using an obscure line of code that pointed to an unverified function on a separate contract.
On Sep. 3, over $27 million was drained from the Penpie protocol after the attacker successfully registered their own malicious contract as a token market.