According to CryptoPotato, Gamma Strategies, a DeFi protocol built on the Ethereum blockchain, experienced an exploit resulting in a loss of approximately $3.4 million. In response, the protocol quickly implemented measures to prevent further losses, temporarily disabling deposits to all public DeFi vaults while keeping withdrawals active for users needing to access their funds. Blockchain investigator PeckShield initially identified the exploit on January 4, and Gamma Strategies later confirmed it. The platform disclosed that it had identified the root cause of the incident.
Gamma's vaults incorporate four primary safeguards against flash loans, including mandating a token0 and token1 ratio in line with the pool's ratio, setting a price change threshold to disallow deposits when the price change exceeds a specified amount, implementing deposit caps per deposit, and prohibiting single-sided deposits. The protocol revealed that the main issue stemmed from the settings on the price change threshold, which were set too high, allowing for up to a 50-200% price change on certain LST and stablecoin vaults. This enabled the attacker to manipulate the price to the threshold and generate an unusually high number of LP tokens.
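The four safeguards described above can be modelled as a single deposit check. The sketch below is an added example, not Gamma's contract code: the names `VaultGuard` and `check_deposit`, the reference price the change is measured against, and all numeric values are assumptions made for illustration. It shows the same deposit being accepted under a 200% price change threshold and rejected under a tight one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VaultGuard:
    max_price_change: float     # allowed |spot - reference| / reference
    max_ratio_deviation: float  # allowed relative gap to the pool's token1/token0 ratio
    cap0: float                 # per-deposit cap, token0
    cap1: float                 # per-deposit cap, token1

def check_deposit(guard, amount0, amount1, pool_ratio, spot_price, reference_price):
    """Return the list of safeguards a deposit violates (empty list = accepted)."""
    violations = []
    if amount0 <= 0 or amount1 <= 0:
        violations.append("single_sided")
    elif abs(amount1 / amount0 - pool_ratio) / pool_ratio > guard.max_ratio_deviation:
        violations.append("ratio")
    if amount0 > guard.cap0 or amount1 > guard.cap1:
        violations.append("deposit_cap")
    if abs(spot_price - reference_price) / reference_price > guard.max_price_change:
        violations.append("price_change")
    return violations

# Constructed settings: 2.0 mirrors the 200% upper end reported in the article;
# 0.02 is an illustrative tight value, not Gamma's published setting.
LOOSE = VaultGuard(2.0, 0.01, 10_000, 10_000)
TIGHT = VaultGuard(0.02, 0.01, 10_000, 10_000)

# Constructed deposit into a stablecoin vault whose spot price sits 50% away
# from the reference price (the reference itself is an assumption of this model).
SKEWED = dict(amount0=1_000, amount1=1_500, pool_ratio=1.5,
              spot_price=1.5, reference_price=1.0)

if __name__ == "__main__":
    # In this model the ratio check compares against the pool's current state,
    # so only the price-change check catches a pool that has drifted from reference.
    print("loose:", check_deposit(LOOSE, **SKEWED))
    print("tight:", check_deposit(TIGHT, **SKEWED))
```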
Gamma Strategies has outlined its plan of action, which includes setting all price change thresholds to a safe threshold level. It also plans to engage a third-party code review to ensure that this attack is effectively mitigated before re-opening deposits. A comprehensive post-mortem analysis will also be released soon. However, Gamma Strategies has not yet confirmed if it intends to compensate its victims in addition to "maximizing recovery for all affected users." The protocol stated, "One last note, is that even though deposits are closed, our rebalances and management of the positions are still active as they are not affected by the exploit."
Within the first four days of 2024, the cryptocurrency market faced two security breaches. Orbit Chain, a project facilitating cross-chain bridging, was hacked earlier this week, losing over $80 million in assets. The attacker gained access to seven out of ten multisig signers, for a total loss of $81.5 million. The majority of the stolen funds consisted of stablecoins, with $30 million in USDT, $10 million in USDC, and $10 million in DAI. Additionally, approximately 231 WBTC ($10 million) and 9,500 ETH ($21.5 million) were also compromised.