Seneca Protocol, a decentralized finance (DeFi) lending platform and stablecoin issuer, has fallen victim to an exploit, as stated in an official announcement on Feb. 28. According to a report by CertiK, a blockchain analytics firm, the estimated losses from the exploit currently stand at $6.4 million. In light of this, the Seneca team has advised users to revoke approvals for the affected contracts and has enlisted the help of security specialists to investigate the bug.
Seneca Protocol functions as a DeFi lending application that enables users to deposit various cryptocurrencies as collateral. This collateral can then be used to mint and borrow SenecaUSD, the platform’s native stablecoin.
Blockchain data reveals that an account ending in 42DC managed to transfer approximately 1,385.23 Pendle Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool using the “performOperations” function. Subsequently, the account swapped these tokens for around $4 million worth of Ether (ETH) through three transactions. After these swaps, the account further transferred 717.04 ETH derivative tokens from various collateral pools and exchanged them for ETH.
CertiK’s report suggests that these transfers were carried out maliciously, exploiting a flaw in the protocol’s “performOperations” function. The bug allows any account to call the function while specifying OPERATION_CALL as the action, granting the attacker full control over the callee and callData. Consequently, the attacker was able to drain funds from a collateral pool they did not own.
Spreek, a blockchain investigator, also issued a warning about the exploit on X, describing it as a critical vulnerability. Spreek advised users to revoke approvals of the addresses used in the attack.
Furthermore, security researcher ddimitrov22 highlighted an additional vulnerability in Seneca, which prevents developers from pausing the Seneca contracts due to the “internal” keyword used in the pause and unpause functions.
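To make the two weaknesses described above concrete, here is an added, hypothetical Solidity illustration (not Seneca's code and not taken from CertiK's or ddimitrov22's reports): an action dispatcher that forwards a caller-chosen call, with pause functions that nothing can reach, beside a hardened version. The names OPERATION_CALL, allowedCallee and owner, and the action id value, are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical illustration, not Seneca's code: a caller-chosen external call
// inside an action dispatcher, beside a hardened version. Assumed names:
// OPERATION_CALL, allowedCallee, owner; the action id value is constructed.

contract VulnerablePool {
    uint8 public constant OPERATION_CALL = 30;
    bool public paused;
    // Reachable by any account. With OPERATION_CALL the caller supplies callee and
    // callData, so the pool executes an arbitrary call with itself as msg.sender;
    // every token approval users granted to this pool is then spendable by the caller.
    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                (bool ok, ) = callee.call(callData);
                require(ok, "call failed");
            }
        }
    }
    // internal, and no external entry point calls them: the contract cannot be
    // paused while an incident is under way.
    function _pause() internal { paused = true; }
    function _unpause() internal { paused = false; }
}

contract HardenedPool {
    uint8 public constant OPERATION_CALL = 30;
    address public owner = msg.sender;
    bool public paused;
    mapping(address => bool) public allowedCallee; // vetted integrations only, never a collateral token
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    function setAllowedCallee(address callee, bool ok) external onlyOwner { allowedCallee[callee] = ok; }
    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external whenNotPaused {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                require(allowedCallee[callee], "callee not allowed"); // caller no longer picks the target
                (bool ok, ) = callee.call(callData);
                require(ok, "call failed");
            }
        }
    }
    // External, access-controlled entry points so responders can actually halt the contract.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }
}
```

The reviewable signal is the same in both cases: any contract that holds user token approvals must never let an unprivileged caller choose both the target and the calldata of a call it makes, and an emergency pause that is only `internal` is no pause at all.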
In response to the attack, the Seneca development team is conducting an investigation and plans to provide an update soon.
Unfortunately, hacks and exploits continue to pose a threat to Web3 users in 2024. On Feb. 23, Jeff “Jihoz” Zirlin, the co-founder of Axie Infinity, lost $9.7 million from a hack targeting his personal wallets. On the same day, DeFi protocol Blueberry was exploited, resulting in a loss of 457 ETH.