Hack Explained - DeltaPrime 2
DeltaPrime, a decentralised finance (DeFi) protocol operating on the Arbitrum and Avalanche blockchains, suffered its second security incident in a matter of months, losing approximately $4.85 million.
DeltaPrime had already lost $6 million in September 2024 due to a compromised key: https://blog.rivanorth.com/hack-explained-deltaprime
Behind the Breach
Arbitrum Exploit: The attacker initiated a flash loan of 59.9 ETH, which was subsequently supplied to DeltaPrime. Following this, 1.18 WBTC was borrowed and diverted through a swap adaptor to the attacker’s contract. By leveraging DeltaPrime’s reward mechanism, the attacker reclaimed their ETH collateral through an arbitrary input vulnerability, resulting in the theft of approximately $753,000 from the Arbitrum chain.
Avalanche Exploit: The attacker used a similar approach on DeltaPrime’s deployment within the Avalanche chain. By exploiting the same unchecked input validation flaw, they managed to drain an additional $4.1 million. Interestingly, instead of immediately laundering the stolen funds, the attacker staked and farmed them within the Avalanche network, generating yields from their illicit gains.
Lessons from the Incident
This breach highlights the critical importance of robust input validation in smart contract development. Unchecked inputs can become exploitable points of entry for malicious actors to manipulate contract functionality. To prevent similar vulnerabilities, DeFi protocols should consider implementing the following controls:
Comprehensive Input Validation: Ensure all inputs are rigorously validated to prevent unauthorised or malicious data from affecting contract operations.
Regular Security Audits: Conduct regular, in-depth security assessments to identify and address potential vulnerabilities before they are exploited.
Implementation of Multi-Signature Wallets: Utilise multi-signature wallets for key administrative functions to provide an additional security layer, reducing the risk associated with single points of failure.
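The unchecked-input pattern described above, shown as an added Solidity illustration (this is not DeltaPrime's code; IRouter, the contract names and the allow-list layout are assumptions, and caller authorisation is left out of scope): a swap adaptor that forwards a caller-supplied target and raw calldata, next to a form that validates every input and checks what actually arrived.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not DeltaPrime's code. IRouter, the contract names and
// the allow-list layout are assumptions made for this example.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}

interface IRouter {
    function swapExactTokensForTokens(
        address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut, address to
    ) external returns (uint256 amountOut);
}

// Weak form: the caller chooses both the target and the raw calldata, so "swap"
// can be any call, including one that moves tokens held by this account elsewhere.
contract UncheckedSwapAdaptor {
    function swap(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "swap failed");
        return ret;
    }
}

// Hardened form: typed parameters instead of raw calldata, router and tokens taken
// from an allow-list, recipient pinned to this contract, received balance verified.
contract CheckedSwapAdaptor {
    mapping(address => bool) public allowedRouters;
    mapping(address => bool) public allowedTokens;

    constructor(address[] memory routers, address[] memory tokens) {
        for (uint256 i = 0; i < routers.length; i++) allowedRouters[routers[i]] = true;
        for (uint256 i = 0; i < tokens.length; i++) allowedTokens[tokens[i]] = true;
    }

    function swap(address router, address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external returns (uint256 received)
    {
        require(allowedRouters[router], "router not allowed");
        require(allowedTokens[tokenIn] && allowedTokens[tokenOut], "token not allowed");
        require(amountIn > 0 && minOut > 0, "amounts must be set");
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        // Recipient is always this contract, so the output cannot be diverted.
        IRouter(router).swapExactTokensForTokens(tokenIn, tokenOut, amountIn, minOut, address(this));
        received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minOut, "insufficient output");
    }
}
```

The post-swap balance check matters as much as the allow-list: it rejects a router that reports success without delivering the tokens to the account.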
Rivanorth is a cybersecurity company specialising in smart contract audits and 360-degree security services for Web3.
Visit https://rivanorth.com/ to find out more.
You build the future. We help you secure it.
Written by
Rivanorth