• Blockbasis
  • Posts
  • PrismaFi: The $11.6 Million Flash Loan Heist

PrismaFi: The $11.6 Million Flash Loan Heist

Unveiling the PrismaFi Exploit: Navigating the First Attack on a Restaking Protocol and the Implications for DeFi Security in an Era of Emerging Threats and Rapid Innovation


In a shocking twist, PrismaFi, the 'end game' of liquid restaking, was played by a cunning flash loan attack, losing $11.6 million. This first-ever exploit on a restaking protocol now casts a shadow over DeFi's latest trend, leaving everyone to question—are our digital fortunes safe?

Make Sure This Doesn’t Happen To You 🫵

Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐

For a limited period only, you can get a 7 day FREE trial!

All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇

PrismaFi, touted as the ultimate destination for liquid restaking, has found itself ensnared in the web of exploitation, becoming the first victim among restaking platforms.

The platform suffered a staggering blow of 3258 wstETH tokens, equivalent to approximately $11.6 million, in a flash loan attack.

The swift detection of the exploit by Cyvers on March 28th prompted immediate action from PrismaFi, prompting a thorough examination of their TroveManager contract.

PrismaFi promptly responded, notifying the community of a pause in protocol operations by core engineering contributors for investigation.

Subsequently, vault owners were instructed to disable delegate approvals.

Approximately four hours later, PrismaFi announced the successful pausing of the protocol by the emergency multisig, reassuring stakeholders of the safety of remaining funds. Additionally, they affirmed the stability of mkUSD and ULTRA stablecoins, citing overcollateralization as a safeguard.

The discovery of a copy-cat exploit by Decurity, though not yet utilized, underscores the escalating threats amidst a burgeoning market awakening from its prolonged slumber.

Despite its origins as a fork of the Liquity Protocol with code alterations, Liquity contends that the exploit encountered by PrismaFi is not reproducible within its framework.

Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.

ExVul's investigation pinpoints the root cause of the exploit to a vulnerability residing within the MigrateTroveZap contract. Tasked with automating the migration process between varying Trove Manager versions for identical collaterals, this contract served as the entry point for the attack.

The critical flaw lay within the onFlashloan() function of the contract, where a deficiency in input validation protocols permitted the attacker to tamper with input data. Leveraging this loophole, the attacker gained unfettered access to execute the closeTrove and openTrove functions on any address, irrespective of ownership, paving the way for the exploitation.

During the exploit transaction, the attacker directed their focus towards a particular address, initiating the closure of its trove. Consequently, this action led to the refunding of 1745 wstETH to the MigrateTroveZap contract.

Following the closure of the trove, the attacker proceeded to establish a new one, expending 463 wstETH in the process.

Following the execution of the onFlashloan callback, approximately 1282 wstETH lingered within the MigrateTroveZap contract. Seizing this opportunity, the attacker established their trove and invoked MigrateTroveZap to facilitate its migration, utilizing the remaining 1282 wstETH for their trove's benefit. Subsequently, upon concluding the process, the attacker swiftly closed the trove and extracted the profits accrued from the exploit.

The exploiter managed to amass $11.6 million through multiple successful attacks, utilizing the following details:

- Attacker Contract: 0xD996073019c74B2fB94eAD236e32032405bC027c

- Attacker Address: 0x7E39E3B3ff7ADef2613d5Cc49558EAB74B9a4202

- Attack Transaction: 0x00c503b595946bccaea3d58025b5f9b3726177bbdc9674e634244135282116c7

The funds were subsequently transferred to the following addresses:

- 0x5d0064f3B54C8899Ab797445551058Be460C03C6

- 0x57f7033F84894770F876bf64772E7EBA48990D65

- 0x2d413803a6eC3Cb1ed1a93BF90608f63b157507a

Remarkably, one of the recipient addresses left a message indicating a "white hat rescue," suggesting a potential intention to return the funds.

Nick Franklin's observation revealed that an address approved the MigrateTroveZap contract for migration five days before the attack. This prompts questions regarding the possibility of prevention measures.

PrismaFi's subsequent actions include plans for a Post-Mortem and efforts to recover funds, though no specific timeline has been disclosed.

Despite undergoing three audits by MixBytes, Nomoi, and Zellic, the recent migration of the MigrateTroveZap contract raises concerns about its audit status. With a history of audits, the oversight regarding this specific contract suggests a potential gap in PrismaFi's due diligence.

In light of these developments, the question arises: Did PrismaFi adequately fulfill its due diligence obligations?

Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter

In the realm of DeFi, where the stakes are high, even the so-called "end game" can become a game itself.

The recent exploit on PrismaFi represents the inaugural assault on a restaking protocol, potentially heralding a wave of similar incidents in the future.

Yet, a subplot remains unresolved: the looming threat of a copy-cat exploit, lurking in the shadows, waiting to be unleashed. Could this be a harbinger of things to come?

As restaking platforms garner increasing attention, the DeFi community must remain vigilant, placing security at the forefront and diligently warding off emerging threats.

The PrismaFi debacle serves as yet another cautionary tale, underscoring the fact that rapid growth and heightened anticipation can attract both malicious actors and self-proclaimed guardians seeking to capitalize on vulnerabilities.

While innovation often springs from experimentation, conducting live trials with real assets, rather than exhaustive testing in controlled environments, can prove perilous.

As we push the boundaries of innovation, are we, perhaps, gambling too recklessly with the security of users' funds?

The question remains: Will we heed the lessons of our past mistakes, or continue to play a perilous game of digital roulette with our fortunes?