Seneca Protocol: Unraveling the $6.4 Million Exploit

TL;DR

In the turbulent realm of cryptocurrency, Seneca Protocol faced a devastating blow with a $6.4 million exploit. Despite claims of invincibility, critical flaws allowed attackers to drain user wallets, leaving chaos in their wake. This incident underscores the urgent need for heightened security measures and transparency in the crypto space.

Make Sure This Doesn’t Happen To You 🫵

Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐

For a limited period only, you can get a 7 day FREE trial!

All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇

A staggering sum of over $6.4 million vanished from user wallets on February 28, attributed to what critics are dubbing the ill-starred Seneca protocol.

Initially disclosed by spreekaway on X, the incident centered around a critical approval loophole, impacting users active on Arbitrum and Ethereum networks.

Although approximately 80% of the misappropriated funds found their way back within a mere day, the remaining balance found refuge in two distinct addresses, purportedly offered as a reward.

During the abortive audit competition last November, a vigilant security analyst unearthed the very vulnerability exploited in the recent breach.

Seneca, in a terse statement following the abrupt termination of their Sherlock audit challenge due to potential legal encumbrances, asserted, "Seneca is utilizing battle-tested code, publicly accessible on Seneca's GitHub."

Subsequently, armed with what they believed to be comprehensive armor, courtesy of Halborn Security's audit, Seneca forged ahead into the fray without trepidation.

According to Seneca, the Chamber contract, the wellspring of the glitch, had undergone scrutiny prior to deployment. Notably, while some of Halborn's discoveries pertained to approval mechanisms, this particular issue escaped attention.

Evidently, adversaries on the digital battlefield wasted no time in exploiting chinks in Seneca's defenses, doing so in under two months.

In the aftermath, certain community members alleged ejection from Discord for sounding the alarm on the bug.

It appears Seneca was cognizant of the precarious terrain yet opted for a perilous path.

Should you find yourself ensnared in this debacle, prudence dictates revoking approvals posthaste.

Ethereum:

PT-ezETH: 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1

apxETH: 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34

PT-weETH: 0xBC83F2711D0749D7454e4A9D53d8594DF0377c05

PT-rsETH: 0x65c210c59B43EB68112b7a4f75C8393C36491F06

Arbitrum:

PT-weETH: 0x11446bbb511e4ea8B0622CB7d1437C23C2f3489b

stEUR: 0x7C160FfE3741a28e754E018DCcBD25dB04B313AC

PT-aUSDC: 0x4D7b1A1900b74ea4b843a5747740F483152cbA5C

wstETH: 0x2d99E1116E73110B88C468189aa6AF8Bb4675ec9

PT-rsETH: 0x2216E32006BB80d20f7906b88876964F9AF68aFb

Subscribe to Newsletter Bitcoin

Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.

The exploit capitalized on a flaw within Seneca's code, siphoning assets from users with active approvals to specific contracts.

By crafting precise calldata parameters, the assailant invoked the transferfrom and transfer functions, redirecting tokens greenlit to the project's contracts to the attacker's own address.

This maneuver granted the exploiter access to any as-yet-undeployed LSTs within the user's wallet.

Compounding the issue, the contracts lacked the ability to be paused owing to a flawed implementation of the pause function. Given that both the pause and unpause functions were confined to internal operations, external invocation was rendered impossible.

The exploit didn't spare even Seneca's own team, as 50,000 senUSD was snatched from their address, despite being approved over a month prior but left untouched. One can't help but ponder the reasons behind this.

The theft extended to over 1,900 ETH involving various LSTs, subsequently converted to ETH and currently stashed across three addresses:

- Exploiter Address 1: 0x94641c01a4937f2c8ef930580cf396142a2942dc

- Exploiter Address 2: 0x5217c6923a4efc5bcf53d9a30ec4b0089f080ed0

- Exploiter Address 3: 0xe83b072433f025ef06b73e0caa3095133e7c5bd0

For instance, reference the attack transaction: 0x9f371267.

Seneca responded swiftly, issuing instructions for users to revoke approvals mere hours after the breach was identified. However, the damage had already been inflicted.

Shortly thereafter, a message surfaced on-chain, addressed to a Whitehat via X, imploring the return of the funds with a 20% bounty attached.

In response, the hacker relinquished 1,537 ETH to the Gnosis Safe address and distributed 300 ETH across two fresh addresses:

- Address 1: 0x0C77350C4BDe539FfCee261A149dbc6e6afDA517

- Address 2: 0xa07c64E55F52AAf5c361321CF01b316eCbddB5A9

They've announced intentions to release a post-mortem once all pertinent data is amassed.

Interestingly, the attacker's address had lain dormant for five months after being funded via FixedFloat, only springing to life shortly before executing the onslaught on Seneca.

For those keen on tracing the money trail, further investigation is warranted.

For those keen on tracing the money trail, follow the flow of funds

Subscribe to WAGMI

Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter

The signs of impending trouble were glaring to many in the Web3 security community, yet Seneca remained obstinately heedless. While alarms rang out from various quarters, Seneca projected an aura of invincibility, extolling their battle-tested (read: forked) code.

A now-deleted tweet from a team member exemplified this hubris, boasting of their flawless code while disparaging Sherlock in the same breath.

Adding to the murkiness, Seneca's disavowal of legal liability adds a dubious flourish to this debacle.

The fine line between confidence and obliviousness was trampled as Seneca careened headlong into the latter.

Perhaps their efforts would have been better spent fortifying their code rather than peddling a defective project. In the realm of code security, the mantra "the more eyes, the better" holds true. Additional audits, contests, and security reviews could have potentially averted this catastrophe.

While the worst-case scenario was averted largely due to the attacker's partial restitution, the entire ordeal could have been preempted. Seneca's reluctance to incentivize white hat hackers to stress-test their code left them vulnerable to such exploits.

But in light of Seneca's mishandling of the situation, one can hardly fault those who feel compelled to take matters into their own hands.