Lending protocol Delta Prime suffers second exploit in two months, bringing losses above $10 million

Quick Take

  • Blockchain-based borrow and lending platform Delta Prime has suffered its second exploit in two months after an unidentified attacker drained nearly $5 million worth of crypto using a publicly accessible bug.

Blockchain-based borrow and lending platform Delta Prime has suffered its second exploit in two months, according to multiple crypto security and research firms. According to the latest estimates, nearly $5 million worth of crypto assets have been drained from Delta implementations on Layer 1 blockchain Avalanche and Ethereum scaling platform Arbitrum.

The news comes shortly after Delta Prime experienced a roughly $6 million attack in mid-September — when one of the protocol’s administrators lost control of its private keys — bringing the protocol's losses above $10 million. That particular attack only affected Delta’s deployment on Arbitrum.

“DeltaPrime is currently paused due to an attack on the Saving pools,” the company wrote Monday on its website, with a link to its Discord.

"With the protocol being paused on both chains, the risk is contained. We will provide updates asap," the firm wrote in a post on X at 4:04 a.m. EST.

Crypto security firm Fuzzland told The Block that about five hours ago, an unidentified hacker exploited a “code logic error” that allowed them to drain funds from Delta Prime’s “claimRewards” contract used to pay out tokens to platform users.

“The victim contract failed to check one of the addresses involved inside ‘claimRewards.’ The attacker can pass in a custom contract address that controls how much reward will be sent by the victim,” Fuzzland researcher publicqi said in a direct message.

Publicqi noted the two attacks do not appear connected as one relied on a stolen private key while the recent event used a publicly accessible bug that theoretically anyone could have found and exploited.

“For DeFi protocols that’s directly related to funds/have TVLs, they should be extremely careful and serious about the code, especially parts where transfer is possible. And an audit is not a 100% guarantee that a protocol is safe,” publicqi said.
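The missing address check described above, sketched in Solidity as an added example. This is not DeltaPrime's code: every contract, interface and function name other than `claimRewards` is hypothetical. It assumes, as the quote describes, that the payout contract asks a caller-supplied contract how much to pay, and shows an allowlist check applied before that contract's answer is trusted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces for illustration only.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IRewardSource {
    // Settles the user's accrued rewards and returns the amount now owed.
    function settle(address user) external returns (uint256);
}

contract RewardPayer {
    address public immutable owner;
    IERC20 public immutable rewardToken;
    // Reward sources the protocol itself deployed or reviewed.
    mapping(address => bool) public approvedSource;

    event SourceApproved(address indexed source, bool approved);
    event RewardClaimed(address indexed user, address indexed source, uint256 amount);

    constructor(IERC20 token) {
        owner = msg.sender;
        rewardToken = token;
    }

    function setSource(address source, bool approved) external {
        require(msg.sender == owner, "not owner");
        approvedSource[source] = approved;
        emit SourceApproved(source, approved);
    }

    // `source` is chosen by the caller, so it is untrusted input.
    function claimRewards(address source) external {
        // Without this check, any contract the caller deploys decides
        // how much this contract pays out.
        require(approvedSource[source], "unknown reward source");

        uint256 amount = IRewardSource(source).settle(msg.sender);
        // Assumes a token whose transfer returns a bool.
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
        emit RewardClaimed(msg.sender, source, amount);
    }
}
```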

According to DeFi syndicate yieldsandmore, the alleged attacker appears to be a DeFi power user and “experienced serial exploiter” who was involved in an attack as recently as June. The attacker appears to have reinvested a portion of the stolen funds in wrapped bitcoin on Arbitrum, according to onchain data.

The vast majority of the stolen funds were taken from the Avalanche deployment of Delta Prime. The PRIME token has an over $51 million fully diluted valuation. The protocol’s total value locked stands around $32 million, down from a peak above $70 million prior to the exploit in September.



© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Daniel Kuhn is a Senior Journalist and Editor at The Block, where he covers the crypto industry with a particular focus on tech. He previously served as deputy managing editor of opinion/features at CoinDesk. He first appeared in print in Financial Planning, a trade publication magazine. Before journalism, he studied philosophy as an undergrad, English literature in graduate school and business and economic reporting at an NYU professional program. You can connect with him on Twitter and Telegram @danielgkuhn or find him on Urbit as ~dorrys-lonreb.

Editor

To contact the editor of this story:
Jason Shubnell