On 11 November 2024, DeltaPrime was exploited for ~$4.8M across the Arbitrum and Avalanche networks.
The attack combined two vulnerabilities. The first was an unchecked address input that let the attacker move borrowed tokens to an arbitrary address. The second also involved an arbitrary address input: a caller-supplied contract address that the attacker abused through the claim mechanism to withdraw their collateral.
First ARB attack: https://arbiscan.io/tx/0x9efe855cd3783462207ff8a3d94dc17a74e2b2f00bf1b4c8a7e0135dae83ab5c
First AVAX attack: https://snowtrace.io/tx/0xece4efbe11e59d457cb1359ebdc4efdffdd310f0a82440be03591f2e27d2b59e?chainid=43114
Addresses
Exploiter:
ARB:
AVAX:
Step by Step
The attacker flash-loaned 59.9 ETH, supplied it to DeltaPrime, then borrowed 1.18 WBTC.
The attacker combined two vulnerabilities in this exploit.
The first was an unchecked address input in the swap adapter: the swap's recipient was never restricted to the borrowing account, so the attacker could borrow WBTC and immediately move the borrowed WBTC to another address under their control via a swap through the swap adapter, leaving the debt behind.
The second also involved an arbitrary address input: in TraderJoeV2ArbitrumFacet the 'pair' parameter can be an attacker-controlled contract, which returns a manipulated balance when the facet calls it. The exploiter leveraged the claim mechanism with such a contract to withdraw their collateral.
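The two missing checks described in the steps above, shown as an added illustrative sketch in Solidity. This is not DeltaPrime's code: the contract, interface and function names (AccountSketch, ISwapRouter, ILBPair, IPairRegistry, FakePair, swapVulnerable/swapHardened, claimVulnerable/claimHardened) are assumptions chosen for the example, and the interfaces are simplified stand-ins for a DEX router and a Trader Joe liquidity-book pair. Each vulnerable function is followed by its hardened form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only, not DeltaPrime's code. Every name below is an
// assumption made for the example.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical DEX router: whoever controls `recipient` controls where the
// swap output lands.
interface ISwapRouter {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, address recipient)
        external returns (uint256 amountOut);
}

// Hypothetical liquidity-book pair: the account reads its own bin balance
// from it when claiming.
interface ILBPair {
    function balanceOf(address account, uint256 binId) external view returns (uint256);
}

// Hypothetical registry of pairs the protocol trusts (populated by governance
// from the DEX factory, for instance).
interface IPairRegistry {
    function isPair(address pair) external view returns (bool);
}

contract AccountSketch {
    address public immutable owner;
    ISwapRouter public immutable router;
    IPairRegistry public immutable registry;

    // Collateral the protocol believes this account holds, per pair and bin.
    mapping(address => mapping(uint256 => uint256)) public bookedBalance;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(ISwapRouter _router, IPairRegistry _registry) {
        owner = msg.sender;
        router = _router;
        registry = _registry;
    }

    // VULNERABLE (first issue): the caller picks `recipient`. Borrowed tokens
    // swapped with recipient != address(this) leave the account while the
    // debt stays on it.
    function swapVulnerable(address tokenIn, address tokenOut, uint256 amountIn, address recipient)
        external onlyOwner returns (uint256)
    {
        IERC20(tokenIn).approve(address(router), amountIn);
        return router.swap(tokenIn, tokenOut, amountIn, recipient);
    }

    // HARDENED: no recipient parameter at all, and the output is verified by
    // this account's own balance delta rather than the router's return value.
    function swapHardened(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external onlyOwner returns (uint256 received)
    {
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        IERC20(tokenIn).approve(address(router), amountIn);
        router.swap(tokenIn, tokenOut, amountIn, address(this));
        received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minOut, "insufficient output");
    }

    // VULNERABLE (second issue): `pair` is caller-supplied, so any contract
    // can answer balanceOf and the account books phantom collateral.
    function claimVulnerable(address pair, uint256 binId) external onlyOwner {
        bookedBalance[pair][binId] = ILBPair(pair).balanceOf(address(this), binId);
    }

    // HARDENED: only pairs the protocol has registered may be queried.
    function claimHardened(address pair, uint256 binId) external onlyOwner {
        require(registry.isPair(pair), "unknown pair");
        bookedBalance[pair][binId] = ILBPair(pair).balanceOf(address(this), binId);
    }
}

// What an attacker would pass as `pair` to claimVulnerable: it reports
// whatever balance it likes. claimHardened rejects it because the registry
// has never seen it.
contract FakePair is ILBPair {
    function balanceOf(address, uint256) external pure override returns (uint256) {
        return type(uint256).max;
    }
}
```

The mapping to the incident is direct: swapVulnerable called with a recipient the attacker controls is the first vulnerability, and claimVulnerable called with a FakePair is the second. The hardened forms remove the attacker-chosen address from the trust boundary entirely rather than validating it after the fact, and the balance-delta check in swapHardened also catches a router that reports an amountOut it never delivered.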
Avalanche
Around $4.1m was taken on the Avalanche network and aggregated into 0xd3d535141831F6Bd8B7DF92E2AE0463D60Af2413. The attacker has since staked some of the funds as follows:
Stargate:
LFJ owned Trader Joe:
As of writing, 0xd3d holds 69,401 AVAX (~$2.2m).
Arbitrum
Around $753k was taken on the Arbitrum network. Funds were initially aggregated into contract 0x52EE5c0eA2E7b38D4B24c09D4d18cba6C293200E, which sent the majority to 0x56e7f67211683857EE31a1220827cac5cdaa634C while splitting 16 ETH off to 0x101723dEf8695f5bb8D5d4AA70869c10b5Ff6340. As of writing, 0x56e has bridged 2.96 WBTC (~$242k) to Ethereum.
This year has seen an overall decline in flash loan exploits compared to 2023, both in the number of incidents and the amount lost. So far in 2024, we have recorded $104.2M of losses with $7.9M of that amount being returned to the projects.
In comparison, we recorded $313.4M of losses in 2023; however, approximately $188.2M was returned to projects, largely due to the $177m returned to Euler Finance in March 2023.
To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.