Stablecoin protocol Seneca has responded to an exploit of its smart contracts by offering the attacker a 20% bounty on the roughly $6.4 million in digital assets drained from the protocol, in exchange for returning the rest. The offer follows reports from several blockchain security firms on February 28 of a vulnerability in the protocol's contracts. CertiK and other firms alerted users and urged them to revoke any token approvals granted to the affected addresses on both the Ethereum and Arbitrum networks. Losses initially estimated at $3 million were later revised to more than 1,900 ETH, roughly $6.4 million.
CertiK's security analysts traced the exploit to a critical flaw in the protocol's smart contracts, described as a "call" vulnerability. According to Joe Green, head of CertiK's rapid response team, the flaw let attackers make the vulnerable contract perform arbitrary external calls, which they used to transfer assets directly from addresses that had approved the contract into the attacker's account. This is why revoking approvals was the immediate advice: an ERC-20 token checks the allowance granted to whoever calls transferFrom, and when the caller is a contract that users have approved, any call an attacker can route through that contract is honoured against those users' allowances. Green stressed the need for vigilance around external calls, particularly during contract upgrades, since unforeseen conditions can compromise a contract's integrity. Seneca has opened an investigation with security experts to establish the root cause of the exploit.
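The pattern Green describes, as an added illustration that is not Seneca's code and not CertiK's analysis: a hypothetical router contract exposes an unrestricted external-call helper (the `performOperations` name, the `Attacker` contract and the allowlist design are all assumptions made for this example), users have approved it to spend their tokens, and so anyone who can drive that helper can spend those approvals. The hardened version below it restricts who may call, which targets may be called, and which selectors are permitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only; none of this is the Seneca protocol's code.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE: a generic "call whatever you like" helper. Users have called
// token.approve(address(this), ...) so the router can move funds for them,
// which means the router's allowance is spendable by anyone who can make
// the router issue a call.
contract VulnerableRouter {
    function performOperations(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        // No caller check, no target check, no calldata check.
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// How the helper is abused: inside the token contract, msg.sender is the
// router, so the token charges the allowance the victim granted to the router
// and pays the attacker. No exploit of the token itself is needed.
contract Attacker {
    function drain(VulnerableRouter router, address token, address victim, uint256 amount) external {
        router.performOperations(
            token,
            abi.encodeWithSelector(IERC20.transferFrom.selector, victim, msg.sender, amount)
        );
    }
}

// HARDENED: only an authorised operator may route calls, only to allowlisted
// protocol targets, never to the tokens this contract holds approvals for,
// never to itself, and never with a transfer/approve selector.
contract HardenedRouter {
    address public immutable operator;
    mapping(address => bool) public allowedTarget;
    mapping(address => bool) public approvedToken; // tokens users approve to this contract

    constructor(address[] memory targets, address[] memory tokens) {
        operator = msg.sender;
        for (uint256 i = 0; i < targets.length; i++) allowedTarget[targets[i]] = true;
        for (uint256 i = 0; i < tokens.length; i++) approvedToken[tokens[i]] = true;
    }

    function performOperations(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == operator, "not authorised");
        require(allowedTarget[target], "target not allowlisted");
        require(!approvedToken[target], "direct token calls forbidden");
        require(target != address(this), "self-call forbidden");
        require(data.length >= 4, "malformed calldata");
        bytes4 sel = bytes4(data[:4]);
        require(
            sel != IERC20.transferFrom.selector && sel != IERC20.approve.selector,
            "allowance-spending selector forbidden"
        );
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

For users of an affected contract the only immediate defence is the one the security firms gave: set the allowance granted to the contract back to zero with `token.approve(router, 0)` on every chain where it was granted, since the exploit needs nothing from the victim beyond an outstanding allowance.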
Alongside the investigation, Seneca has moved to limit the damage, offering a reward of about $1.2 million for the return of the stolen funds. In an on-chain message dated February 29, the team addressed the hacker directly, asking them to return 80% of the funds to a specified Ethereum address and keep the remaining 20%. The message said Seneca was working with security providers and law enforcement agencies to trace the assets, and warned the hacker of the legal consequences of keeping them.
The hacker complied, returning approximately 1,537 ETH, worth about $5.3 million, to the wallet address Seneca specified, and kept 300 ETH, about $1 million, as the 20% bounty. The attacker then moved the retained ETH to two separate addresses.