DeltaPrime Incident Analysis
11/10/2024

Incident Summary

On 11 November 2024, DeltaPrime was exploited for approximately $4.8M across the Arbitrum and Avalanche networks.


The attack combined two vulnerabilities. The first was an unchecked recipient input in the swap adapter that let the attacker move borrowed tokens to an arbitrary address. The second was also an arbitrary address input, this time in the reward claim mechanism, which the attacker leveraged to withdraw their collateral.

Key Transactions

First ARB attack: https://arbiscan.io/tx/0x9efe855cd3783462207ff8a3d94dc17a74e2b2f00bf1b4c8a7e0135dae83ab5c

First AVAX attack: https://snowtrace.io/tx/0xece4efbe11e59d457cb1359ebdc4efdffdd310f0a82440be03591f2e27d2b59e?chainid=43114

Attack Flow and Vulnerability

Addresses

Exploiter:

ARB:

AVAX:

Step by Step

  1. The following analysis is based on Arbitrum txn 0x9efe855cd3783462207ff8a3d94dc17a74e2b2f00bf1b4c8a7e0135dae83ab5c.


The attacker flash-loaned 59.9 ETH, supplied it to DeltaPrime as collateral, then borrowed 1.18 WBTC.

  2. Through the swap adapter, the attacker transferred the WBTC to another attack contract they had created at address 0x52ee. After the transfer, the _repayAmount value remained unchanged at 0. At this point the attacker had obtained 1.12 WBTC, while their collateral (59.9 ETH) remained in contract 0x647b.


  3. Using the arbitrary input in DeltaPrime's reward mechanism, the attacker retrieved their collateral. The TraderJoeV2ArbitrumFacet contract calculated the reward from the change in its token balance before and after the external call, and transferred that reward to msg.sender. Note the 'baseRewarder'. The issue lies in line 101, where the contract calls whatever external contract the attacker passes in as the 'pair' argument of claimReward(). Here the attacker's contract was called back, and it immediately invoked the wrapNative() function on contract 0x647b. That function wraps the attacker's ETH collateral into WETH, so the WETH balance of 0x647b changed by 59.9 ETH, which the facet treated as a reward of 59.9 ETH. The attacker was thereby able to withdraw the collateral.


Vulnerability

The attacker combined two vulnerabilities in this exploit.


The first was the unchecked recipient address in the swap adapter path. Using it, the attacker could borrow WBTC and immediately transfer the borrowed WBTC to another address under their control via a swap through the swap adapter, leaving the repayment amount untouched.

The second also involved arbitrary input: in TraderJoeV2ArbitrumFacet, the 'pair' parameter can be an attacker-controlled contract, which can manipulate the facet's balance when it is called. The exploiter leveraged the claim mechanism to withdraw their collateral.
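To make the second issue concrete, the following Solidity sketch (added for this analysis, not DeltaPrime's or Trader Joe's code) shows the balance-delta reward pattern with a caller-chosen pair next to one hardened form; the IRewarder and IPairRegistry interfaces, the registry check and the shared reentrancy lock are illustrative assumptions, not the project's actual fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed minimal reward hook of a pair (illustrative, not Trader Joe's real ABI).
interface IRewarder { function claim() external; }

// Assumed registry (e.g. the DEX factory) that says whether an address is a genuine pair.
interface IPairRegistry { function isPair(address pair) external view returns (bool); }

// Vulnerable pattern: the caller picks `pair`, and the payout is simply how much this
// contract's WETH balance grew while that arbitrary external call ran. Any callback
// that lands WETH here (e.g. wrapping the account's own ETH collateral) is paid out as "reward".
contract VulnerableClaim {
    IERC20 public immutable weth;
    constructor(IERC20 _weth) { weth = _weth; }

    function claimReward(address pair) external {
        uint256 before = weth.balanceOf(address(this));
        IRewarder(pair).claim();                                   // arbitrary target
        uint256 reward = weth.balanceOf(address(this)) - before;   // raw balance delta
        require(weth.transfer(msg.sender, reward), "transfer failed");
    }
}

// Hardened pattern: only registered pairs may be called, and a lock that every external
// function of the account (a wrapNative-style helper included) must share stops the callee
// from re-entering and changing this contract's balances mid-claim.
contract HardenedClaim {
    IERC20 public immutable weth;
    IPairRegistry public immutable registry;
    bool private locked;

    constructor(IERC20 _weth, IPairRegistry _registry) { weth = _weth; registry = _registry; }

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function claimReward(address pair) external nonReentrant {
        require(registry.isPair(pair), "unknown pair");           // no arbitrary targets
        uint256 before = weth.balanceOf(address(this));
        IRewarder(pair).claim();
        uint256 reward = weth.balanceOf(address(this)) - before;
        require(weth.transfer(msg.sender, reward), "transfer failed");
    }
}
```

The registry check removes the attacker's ability to choose the callee, and the shared lock means that even a legitimate pair's callback cannot move the account's collateral while a claim is in progress.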


Fund Flow

Avalanche

Around $4.1m was taken on the Avalanche network and aggregated into 0xd3d535141831F6Bd8B7DF92E2AE0463D60Af2413. The attacker has since staked some of the funds as follows:

Stargate:

  • $600k S*USDC

LFJ (Trader Joe):

  • $518k USDC/USDT
  • 4,865 AVAX
  • 49.68 WETH.e
  • 6.34 BTC.b


As of writing, 0xd3d holds 69,401 AVAX (~$2.2m).

Arbitrum

Around $753k was taken on the Arbitrum network. Funds were initially aggregated into contract 0x52EE5c0eA2E7b38D4B24c09D4d18cba6C293200E, which sent the majority to 0x56e7f67211683857EE31a1220827cac5cdaa634C while splitting 16 ETH off to 0x101723dEf8695f5bb8D5d4AA70869c10b5Ff6340. As of writing, 0x56e has bridged 2.96 WBTC (~$242k) to Ethereum.


The Stats

This year has seen an overall decline in flash loan exploits compared to 2023, both in the number of incidents and the amount lost. So far in 2024, we have recorded $104.2M of losses with $7.9M of that amount being returned to the projects.


In comparison, we recorded $313.4M of losses in 2023; however, approximately $188.2M was returned to projects, largely due to the $177m returned to Euler Finance in March 2023.


To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.