On February 28, the decentralized finance (DeFi) lending platform and stablecoin issuer Seneca Protocol disclosed an exploit in a statement posted from the protocol's official X account. According to a report from blockchain security firm CertiK, estimated losses from the exploit amounted to $6.4 million. Seneca Protocol urged users to revoke token approvals granted to the affected contracts and said its team was working with security experts to investigate the vulnerability.
Seneca Protocol operates as a DeFi lending application in which users deposit various cryptocurrencies as collateral and then mint and borrow the protocol's native stablecoin, SenecaUSD, against those deposits. Blockchain data shows that an account ending in 42DC transferred approximately 1,385.23 Pendle principal tokens for Kelp DAO restaked ether (PT Kelp rsETH) out of the Seneca collateral pool by calling the "performOperations" function, then swapped those tokens for approximately $4 million worth of ether (ETH) across three transactions. The account subsequently transferred an additional 717.04 ETH derivative tokens from other collateral pools and converted them into ETH as well.
CertiK's report attributed the transfers to a flaw in the protocol's "performOperations" function. The function could be called by any account, and when the OPERATION_CALL action was specified it forwarded an external call to a callee address and callData both supplied entirely by the caller. Because such a call is made by the Seneca contract itself, the attacker could use it to move collateral out of pools they did not own.
Blockchain investigator Spreek also warned users about the severity of the flaw on X, describing it as a "critical vulnerability," and advised users to revoke their approval of the exploit address as a precaution. Separately, security researcher ddimitrov22 identified a second problem in Seneca Protocol: the contracts' pause and unpause functions were declared with the "internal" visibility keyword, so no external caller, the developers included, could invoke them to halt the contracts.
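To make the two issues concrete, the following Solidity sketch is an added illustration written for this page, not Seneca Protocol's actual source code. It reconstructs the shape of the reported bugs from the description above: an unrestricted performOperations entry point whose OPERATION_CALL action forwards a caller-chosen callee and callData, and pause/unpause functions that are internal and therefore unreachable. The contract and function names other than performOperations, pause and unpause, the OPERATION_CALL value, and the whitelist-based hardening are assumptions for illustration. The reason an arbitrary call from the contract is dangerous is that it can invoke transferFrom on a collateral token that users have approved the contract to spend; that is the mechanism implied by the advice to revoke approvals, and it is shown here as an assumed scenario.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the illustration (assumed).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of the vulnerable pattern (not Seneca's code).
contract VulnerableChamber {
    uint8 public constant OPERATION_CALL = 30; // assumed action identifier
    bool private paused;

    // Anyone may call this. When OPERATION_CALL is selected, the contract
    // performs a low-level call to a callee with calldata that the caller
    // chose. msg.sender inside that call is this contract, so an attacker can
    // encode IERC20.transferFrom(victim, attacker, amount) against any
    // collateral token the victim has approved this contract to spend.
    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        require(!paused, "paused");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                (bool ok, ) = callee.call(callData); // callee and callData fully attacker-controlled
                require(ok, "call failed");
            }
            // ... other operations omitted
        }
    }

    // Declared internal and never reached from any external function:
    // the emergency stop exists in the bytecode but nobody can trigger it.
    function pause() internal { paused = true; }
    function unpause() internal { paused = false; }
}

// Hardened variant (assumed design, not a reconstruction of Seneca's fix).
contract HardenedChamber {
    uint8 public constant OPERATION_CALL = 30;
    address public immutable owner;
    bool public paused;

    // Only explicitly approved targets may be called, and collateral tokens
    // held under user approvals are permanently excluded from that list.
    mapping(address => bool) public allowedCallee;
    mapping(address => bool) public isCollateralToken;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address[] memory collateralTokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            isCollateralToken[collateralTokens[i]] = true;
        }
    }

    function setAllowedCallee(address callee, bool allowed) external onlyOwner {
        require(!isCollateralToken[callee], "collateral token cannot be a callee");
        allowedCallee[callee] = allowed;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas)
        external
        whenNotPaused
    {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address callee, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                require(allowedCallee[callee], "callee not whitelisted");
                (bool ok, ) = callee.call(callData);
                require(ok, "call failed");
            }
        }
    }

    // External, access-controlled entry points so the emergency stop is usable.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }
}
```

The key review checks are visible in the contrast: any low-level call whose target and calldata come from user input must be restricted to a whitelist that can never include a token users have approved to the contract, and any circuit breaker must be reachable through an external, access-controlled function, which a simple test that calls pause() from the admin account would have caught before deployment.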
In response to the attack, the Seneca Protocol development team acknowledged the incident and assured users that they were actively investigating the matter. They also committed to releasing an update addressing the vulnerability promptly. This event underscores the ongoing threat posed by hackers and exploits within the Web3 ecosystem, as evidenced by recent incidents like the hacking of Axie Infinity co-founder Jeff “Jihoz” Zirlin's personal wallet and the theft of 457 ETH from the DeFi protocol Blueberry, both occurring on February 23.