DeltaPrime: $5.98M Key Compromise Exposed
DeltaPrime Blue on Arbitrum: In-Depth Analysis of the $5.98 Million Private Key Breach and Its Implications for DeFi Security
TL;DR
DeltaPrime Blue on Arbitrum lost $5.98 million due to a private key compromise. The attacker exploited a malicious proxy contract, executing 57 withdrawals. Speculation points to the Lazarus Group’s involvement. DeltaPrime claims their Avalanche deployment is secure, but users are left uncertain, highlighting DeFi's vulnerability to key breaches.
DeltaPrime Blue on Arbitrum has experienced a significant setback, losing $5.98 million due to a private key compromise.
This incident casts a spotlight on DeltaPrime's key management practices, raising concerns about their robustness.
There are already whispers in the cryptosphere suggesting that the infamous Lazarus Group, a nation-state hacker collective with a history of targeting financial systems, may be responsible for this highly precise attack.
As DeltaPrime scrambles to reassure its user base, the broader question looms: Are we entering a new era of state-sponsored cyberattacks exploiting vulnerabilities in blockchain protocols?
The DeltaPrime incident unfolded with the precision of a well-orchestrated heist, featuring an attacker in the role of a digital Danny Ocean.
According to first responder Chaofan Shou, the breach began with a compromised admin address on Arbitrum, which was used to repoint DeltaPrime's upgradeable proxy contracts at a malicious implementation.
Compromised Admin Address: 0x40E4172e595Fb5B3076dC6d0A1a24d885b881Afb
DeltaPrime’s Compromised Proxy Admin Address: 0xd550cfeA0BFFDC81B2dEe7B6d915D9D9e31d83A2
Once the proxies were executing the attacker's code, the attacker could credit themselves arbitrary deposit balances in every pool and withdraw against them, draining the protocol without ever breaking the original contract logic.
In a statement that confirmed what the on-chain data already showed, DeltaPrime acknowledged the breach and attributed the loss to a private key compromise.
DeltaPrime Blue exploited, this is the current status:
At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M. This was due to a compromised private key, the source of which is currently under investigation.
DeltaPrime Red (Avalanche) is not vulnerable… x.com/i/web/status/1…
— DeltaPrime (@DeltaPrimeDefi)
8:55 AM • Sep 16, 2024
Hacken's detailed analysis sheds more light on the incident.
Initial Steps: The attacker secured 0.19 ETH for gas fees, sourced through the Across Protocol. Even cybercriminals need resources to execute their plans.
Funding Transaction: 0xeb034ecfa6b1eaa95bc659883eff8a106fd5d7262da54848525f656597f55d3f
Preparation Phase: The attacker established their harmful proxy contract, setting the trap.
Malicious Proxy Contract: 0xD4CA224a176A59ed1a346FA86C3e921e01659E73
Execution Phase: The attacker fired off a rapid series of upgrade transactions, pointing five proxy contracts at the malicious implementation within 8 confirmed blocks, a window far too short for any manual response.
Initial Upgrade Transaction: 0x2e6748e92e4f833d3ea3c2aa7d11e74aa502e2cfcab8398dc2056a83a1b7caae
First Withdrawal: Seconds after the upgrades, 2.44 million USDC was immediately extracted, wasting no time.
First Withdrawal Transaction: 0x28a9b62fbfc375ebb3f5321d80baac9c2a225a6ec2f140cbfae5bff95fc80b1e
The attacker targeted several contracts, exploiting a variety of key assets:
DeltaPrimeWrappedETH: 0x0bebeb5679115f143772cfd97359bbcc393d46b3
USDCPoolTUP: 0x8FE3842e0B7472a57f2A2D56cF6bCe08517A1De0
DeltaPrimeArbitrum: 0x2B8C610F3fC6F883817637d15514293565C3d08A
DeltaPrimeBitcoin: 0x5CdE36c23f0909960BA4D6E8713257C6191f8C35
DaiPoolTUP: 0xd5E8f691756c3d7b86FD8A89A06497D38D362540
In an astonishing display of either avarice or thoroughness, depending on one's viewpoint, the attacker orchestrated a total of 57 withdrawals.
The heist concluded with the perpetrator making off with their ill-gotten loot.
The spoils: A mix of USDC, WBTC, and WETH, which were quickly converted to ETH. After all, even hackers enjoy the thrill of laundering money.
As a final act, the assailant changed the Proxy Admin on all compromised contracts. Whoever holds the proxy admin role is the only party able to upgrade a proxy, so this locked DeltaPrime out of its own contracts and prevented the team from rolling back the malicious implementation.
🕑 Proxy Admin Change
Between 06:32:56 AM and 06:37:53 AM UTC, the Proxy Admin was changed on all the victim contracts.
— Hacken🇺🇦 (@hackenclub)
7:33 AM • Sep 16, 2024
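The two on-chain signals in Hacken's timeline, a burst of proxy upgrades to an unapproved implementation followed by a transfer of the proxy admin role, are both emitted as standard EIP-1967 events (`Upgraded` and `AdminChanged`) that a protocol can monitor in near real time. The script below is an added example written for this article; it is not DeltaPrime's or Hacken's code. It scans logs in the `eth_getLogs` JSON-RPC shape against a policy (watched proxies, the multisig that should administer them, governance-approved implementations) and raises alerts for unapproved implementations, admin transfers, and many proxies upgraded within a short block window. The sample logs are constructed: they reuse only the contract addresses printed on this page, while the block numbers, transaction ids, the "approved" implementation and the attacker admin address are placeholders.

```python
"""Flag unauthorised EIP-1967 proxy upgrades and ProxyAdmin transfers.

Added example for this article, not DeltaPrime's or Hacken's code. It consumes
logs in the eth_getLogs JSON-RPC shape (already fetched); SAMPLE_LOGS below are
constructed for the example and reuse only addresses named in the article.
"""
from dataclasses import dataclass

# topic0 of the two events every EIP-1967 / OpenZeppelin transparent proxy emits:
# keccak256("Upgraded(address)") and keccak256("AdminChanged(address,address)").
TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TOPIC_ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"


@dataclass(frozen=True)
class Policy:
    proxies: frozenset        # proxies under watch (lowercase addresses)
    expected_admin: str       # the only address allowed to administer them
    allowed_impls: frozenset  # implementations approved by governance
    burst_count: int = 3      # this many distinct proxies upgraded ...
    burst_window: int = 10    # ... within this many blocks raises an alert


@dataclass(frozen=True)
class Alert:
    kind: str
    proxy: str
    block: int
    tx: str
    detail: str


def _addr(word: str) -> str:
    """Low 20 bytes of a 32-byte ABI word -> lowercase 0x address."""
    return "0x" + word.removeprefix("0x")[-40:].lower()


def scan(logs: list, policy: Policy) -> list:
    """Return alerts for unapproved implementations, admin transfers and upgrade bursts."""
    alerts, upgrades = [], []
    for log in logs:
        proxy = log["address"].lower()
        if proxy not in policy.proxies:
            continue
        block, tx = int(log["blockNumber"], 16), log["transactionHash"]
        topic0 = log["topics"][0].lower()
        if topic0 == TOPIC_UPGRADED:
            impl = _addr(log["topics"][1])  # `implementation` is an indexed argument
            upgrades.append((block, proxy, tx))
            if impl not in policy.allowed_impls:
                alerts.append(Alert("unapproved_upgrade", proxy, block, tx,
                                    f"new implementation {impl} is not on the allow-list"))
        elif topic0 == TOPIC_ADMIN_CHANGED:
            data = log["data"].removeprefix("0x")  # both arguments are unindexed
            new_admin = _addr(data[64:128])
            if new_admin != policy.expected_admin:
                alerts.append(Alert("admin_transfer", proxy, block, tx,
                                    f"admin moved from {_addr(data[:64])} to {new_admin}"))
    # Burst: many watched proxies upgraded inside one short block window, as in the incident.
    upgrades.sort()
    for i, (start, _, tx) in enumerate(upgrades):
        hit = {p for b, p, _ in upgrades[i:] if b - start <= policy.burst_window}
        if len(hit) >= policy.burst_count:
            alerts.append(Alert("upgrade_burst", ",".join(sorted(hit)), start, tx,
                                f"{len(hit)} proxies upgraded within {policy.burst_window} blocks"))
            break
    return alerts


# --- constructed sample data; only the addresses come from the article ---
PROXY_ADMIN = "0xd550cfeA0BFFDC81B2dEe7B6d915D9D9e31d83A2".lower()  # DeltaPrime's ProxyAdmin
MALICIOUS_IMPL = "0xD4CA224a176A59ed1a346FA86C3e921e01659E73".lower()
VICTIM_PROXIES = [a.lower() for a in (
    "0x0bebeb5679115f143772cfd97359bbcc393d46b3",  # DeltaPrimeWrappedETH
    "0x8FE3842e0B7472a57f2A2D56cF6bCe08517A1De0",  # USDCPoolTUP
    "0x2B8C610F3fC6F883817637d15514293565C3d08A",  # DeltaPrimeArbitrum
    "0x5CdE36c23f0909960BA4D6E8713257C6191f8C35",  # DeltaPrimeBitcoin
    "0xd5E8f691756c3d7b86FD8A89A06497D38D362540",  # DaiPoolTUP
)]
GOOD_IMPL = "0x" + "11" * 20       # hypothetical governance-approved implementation
ATTACKER_ADMIN = "0x" + "ee" * 20  # hypothetical attacker-controlled admin
POLICY = Policy(frozenset(VICTIM_PROXIES), PROXY_ADMIN, frozenset({GOOD_IMPL}))


def _word(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (hex, no 0x prefix)."""
    return "0" * 24 + addr.removeprefix("0x").lower()


def upgraded_log(proxy, impl, block, tx):
    return {"address": proxy, "blockNumber": hex(block), "transactionHash": tx,
            "topics": [TOPIC_UPGRADED, "0x" + _word(impl)], "data": "0x"}


def admin_changed_log(proxy, prev, new, block, tx):
    return {"address": proxy, "blockNumber": hex(block), "transactionHash": tx,
            "topics": [TOPIC_ADMIN_CHANGED], "data": "0x" + _word(prev) + _word(new)}


# Five proxies repointed at the malicious implementation inside eight blocks, then the
# ProxyAdmin handed to the attacker (block numbers and tx ids are made up).
SAMPLE_LOGS = [upgraded_log(p, MALICIOUS_IMPL, 1000 + d, f"0xtx{d}")
               for p, d in zip(VICTIM_PROXIES, (0, 1, 2, 4, 7))]
SAMPLE_LOGS.append(admin_changed_log(VICTIM_PROXIES[1], PROXY_ADMIN, ATTACKER_ADMIN, 1030, "0xtx30"))
# A routine, governance-approved upgrade of one pool: should produce no alert.
LEGIT_LOGS = [upgraded_log(VICTIM_PROXIES[1], GOOD_IMPL, 2000, "0xtxgood")]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS, POLICY):
        print(f"[{a.kind}] block {a.block} {a.tx} {a.proxy}: {a.detail}")
    print("legit upgrade alerts:", scan(LEGIT_LOGS, POLICY))
```

In production the allow-list would be populated from a timelock or governance vote before the upgrade lands, so a legitimate upgrade never trips the first rule; anything else, and in particular an `AdminChanged` whose new admin is not the team's multisig, is grounds to pause withdrawals immediately. Note that the alerts are raised on event data only; once the proxy admin has been transferred, the detection is informational, since the original admin can no longer revert the implementation.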
DeltaPrime reassures that their Avalanche deployment is secure, safeguarded by multisigs and cold storage.
Yet, this offers scant consolation for Arbitrum users left out in the cold.
The team assures that "the insurance pool will cover any potential losses where possible/necessary."
DeltaPrime underwent multiple audits, but an audit reviews contract logic; it does not cover how the keys that can upgrade those contracts are stored, or who is able to use them.
Auditors can't foresee human error.
The attacker’s haul remains untouched—a $5.98 million middle finger to DeltaPrime and the broader DeFi ecosystem.
Here’s where it gets intriguing: Blockchain investigator ZachXBT hinted at a possible connection:
“Not sure if related, but they were one of the teams I warned about DPRK IT workers (was told they were all removed).”
@DeltaPrimeDefi Idk if related but they were one of the teams with the DPRK IT workers I reached out to warn (was told they were all removed)
— ZachXBT (@zachxbt)
6:15 AM • Sep 16, 2024
Could this be more than a typical breach?
Is the notorious Lazarus Group behind this attack?
The situation is evolving faster than a poorly written smart contract.
DeltaPrime's plight underscores a critical lesson: In DeFi, a protocol's security is only as strong as its weakest private key—and the team's ability to safeguard it.
In this era of digital heists, are we witnessing the rise of sophisticated crime or the decline of robust security?
DeltaPrime's $5.98 million misstep reveals the fragile foundation beneath DeFi's lofty goals.
A single exposed key, and—just like that—millions disappear in the blink of an eye.
The murmurings of the Lazarus Group add a geopolitical twist to this already pungent mix of failure and negligence.
As DeltaPrime scrambles to address the damage, users are left in a precarious position, holding onto assurances of insurance and meager consolation.
This breach is yet another harsh reminder.
In DeFi, a protocol's security is only as reliable as its most vulnerable private key.
With the potential involvement of nation-state actors, are we witnessing the dawn of financial warfare 2.0?
Or is this merely the same tale of greed and mismanagement, now adorned with a sleek blockchain veneer?