Decentralized Lending Platform Seneca Has Been Hacked, $6.4M Exploited

The Seneca lending protocol was hacked through its ‘performOperations’ function, and about $6.4M of collateral was drained from it.

Decentralized finance (DeFi) lending platform and stablecoin issuer Seneca Protocol has been exploited, according to a Feb. 28 statement on the protocol’s official X account.

In a report seen by Cointelegraph, blockchain analytics firm CertiK estimated the losses at $6.4 million so far. 

The Seneca team urged users to revoke approvals for the affected contracts. Its staff are “currently working with security specialists to investigate the bug,” they stated.

Seneca Protocol is a DeFi lending app that allows users to deposit a variety of cryptocurrencies as collateral, which then can be used to mint and borrow the protocol’s native stablecoin, SenecaUSD.


Blockchain data shows that an account ending in 42DC was able to transfer approximately 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool, which it did by calling the “performOperations” function. 

The account subsequently swapped these tokens for approximately $4 million worth of Ether (ETH) over the course of three transactions. 

After these swaps, the account transferred an additional 717.04 ETH derivative tokens from various collateral pools and swapped them for ETH.

In its report, CertiK claimed that these transfers were malicious. They were made possible because the protocol contains a flaw in its “performOperations” function, the report stated. 

The bug allows any account to call the function while specifying OPERATION_CALL as the action to be performed. 

This allows the attacker to “perform external calls to any address as the callee and callData are fully controlled by the attacker.” 

As a result, the attacker was able to drain funds from the collateral pool that it didn’t own, CertiK claims.
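The flaw CertiK describes is a dispatcher that forwards a callee and callData chosen entirely by the caller. The Python check below is an added example, not Seneca's or CertiK's code, showing the validation such a dispatcher or an off-chain monitor can apply before a call is forwarded. Its function names, allowlist and sample addresses are hypothetical, and it assumes the funds at risk are ERC-20 allowances that users granted to the contract, which is why revoking approvals is the advised mitigation.

```python
# Added example: hypothetical names; all addresses and calldata are constructed.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)


def word_to_address(word: bytes) -> str:
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[12:32].hex()


def check_call(caller: str, callee: str, call_data: bytes, allowed: set) -> list:
    """Return the reasons to reject a caller-supplied (callee, callData) pair."""
    reasons = []
    if callee.lower() not in allowed:
        reasons.append("callee not on allowlist")
    if len(call_data) < 4:
        return reasons
    selector, args = call_data[:4], call_data[4:]
    if selector == TRANSFER_FROM:
        if len(args) < 96:
            reasons.append("malformed transferFrom arguments")
        else:
            owner = word_to_address(args[:32])
            if owner != caller.lower():
                reasons.append("transferFrom spends an allowance of " + owner)
    elif selector in (APPROVE, TRANSFER):
        reasons.append("call approves or moves the contract's own tokens")
    return reasons


def encode(selector: bytes, *words: bytes) -> bytes:
    """Minimal ABI encoder for static arguments: left-pad each to 32 bytes."""
    return selector + b"".join(w.rjust(32, b"\x00") for w in words)


# Constructed sample data (not taken from the incident).
DEPOSITOR = "0x" + "aa" * 20
CALLER = "0x" + "bb" * 20
TOKEN = "0x" + "cc" * 20
SWAP_ROUTER = "0x" + "dd" * 20
ALLOWED = {SWAP_ROUTER}
AMOUNT = (10**18).to_bytes(32, "big")
PULL = encode(TRANSFER_FROM, bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20), AMOUNT)

if __name__ == "__main__":
    print(check_call(CALLER, TOKEN, PULL, ALLOWED))
    print(check_call(CALLER, SWAP_ROUTER, bytes.fromhex("12345678"), ALLOWED))
```

An empty list means the call passes both checks; any entry is a reason to revert on-chain or raise an alert off-chain.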

Blockchain investigator Spreek also warned users about the exploit on X, stating that it represented a “critical vulnerability.” 

Spreek suggested that users should revoke approvals of the addresses used in the exploit.

According to security researcher ddimitrov22, Seneca is suffering from an additional vulnerability that prevents developers from pausing the Seneca contracts, as the pause and unpause functions in them contain the keyword “internal,” which means “there is no way to call them.”

In its post acknowledging the attack, the development team stated that they are conducting an investigation and will post an update “shortly.”

Hacks and exploits continue to threaten Web3 users in 2024. On Feb. 23, Axie Infinity co-founder Jeff “Jihoz” Zirlin lost $9.7 million from a hack of his personal wallets.

On the same day, DeFi protocol Blueberry was exploited for 457 ETH.
