The Seneca lending protocol encountered an exploit via its ‘performOperations’ function, resulting in the drainage of over $6 million in collateral. Decentralized finance (DeFi) lending platform and stablecoin issuer Seneca Protocol fell victim to an exploit, as reported in a statement on the protocol’s official X account on February 28. According to findings by blockchain analytics firm CertiK, the losses from the exploit amount to $6.4 million. Seneca’s team has advised users to revoke approvals for affected contracts and is actively collaborating with security experts to investigate the vulnerability.
Seneca Protocol operates as a DeFi lending application enabling users to deposit various cryptocurrencies as collateral, which can then be utilized to mint and borrow the platform’s native stablecoin, SenecaUSD.
The exploit involved an account, ending in 42DC, transferring approximately 1,385.23 Pendle Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool using the ‘performOperations’ function. The account then swapped these tokens for around $4 million worth of Ether (ETH) across three transactions. Following these swaps, the account moved an additional 717.04 ETH derivative tokens out of various collateral pools and exchanged them for ETH.
CertiK’s analysis determined these transfers to be malicious, facilitated by a flaw in the protocol’s ‘performOperations’ function, allowing any account to call the function and specify OPERATION_CALL as the action, granting control over callData to the attacker. Consequently, the attacker was able to drain funds from collateral pools not under their ownership.
Blockchain investigator Spreek highlighted the severity of the vulnerability, advising users to revoke approvals granted to the addresses involved in the exploit. Furthermore, security researcher ddimitrov22 identified an additional vulnerability in Seneca: the pause and unpause functions were declared with the ‘internal’ keyword, leaving no external entry point through which developers could pause the Seneca contracts.
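The two defects described above, as an added illustrative Solidity sketch that is not Seneca’s code: a generic call dispatcher that any caller can drive, beside a version that allow-lists call targets, and pause/unpause declared ‘internal’ beside an externally reachable, owner-gated pair. Function signatures, the OPERATION_CALL value and the allow-list design are assumptions.

```solidity
pragma solidity ^0.8.20;
// Illustrative sketch, not Seneca's code: function names, the OPERATION_CALL value and the
// allow-list are assumptions; the two defects mirror the article, the hardening is one option.
contract VulnerablePool {
    uint8 public constant OPERATION_CALL = 1; // assumed value
    bool public paused;
    // Defect 1: any caller can route an arbitrary external call through this contract.
    // Users granted it ERC-20 approvals on their collateral, so a call it makes to a token
    // contract carries that authority, whoever supplied the calldata.
    function performOperations(uint8[] calldata actions, address[] calldata targets, bytes[] calldata callDatas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (bool ok, ) = targets[i].call(callDatas[i]);
                require(ok, "call failed");
            }
        }
    }
    // Defect 2: 'internal' functions have no external entry point, so no transaction,
    // not even the owner's, can flip the switch during an incident.
    function pause() internal { paused = true; }
    function unpause() internal { paused = false; }
}

contract HardenedPool {
    uint8 public constant OPERATION_CALL = 1; // assumed value
    address public immutable owner = msg.sender;
    bool public paused;
    mapping(address => bool) public isCollateral;  // tokens the pool holds approvals on
    mapping(address => bool) public allowedTarget; // explicit allow-list of call targets
    constructor(address[] memory collateral) { for (uint256 i = 0; i < collateral.length; i++) isCollateral[collateral[i]] = true; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Fix 1: only owner-approved targets, and never a collateral token or this contract,
    // so user approvals cannot be spent through the generic call path.
    function setTarget(address t, bool ok) external onlyOwner {
        require(!isCollateral[t] && t != address(this), "never allow tokens or self");
        allowedTarget[t] = ok;
    }
    function performOperations(uint8[] calldata actions, address[] calldata targets, bytes[] calldata callDatas) external {
        require(!paused, "paused");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                require(allowedTarget[targets[i]], "target not allowed");
                (bool ok, ) = targets[i].call(callDatas[i]);
                require(ok, "call failed");
            }
        }
    }
    // Fix 2: external and access-controlled, so the pause is actually reachable.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }
}
```

A reviewer can spot both patterns statically: an unrestricted `.call` on a caller-supplied address inside a contract that holds token approvals, and emergency-stop functions with no external or public visibility.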
Seneca’s development team acknowledged the attack and assured ongoing investigations, pledging to provide updates promptly.
Instances of hacks and exploits continue to pose risks to Web3 users in 2024, as evidenced by the loss of $9.7 million from Axie Infinity co-founder Jeff “Jihoz” Zirlin’s personal wallets and the exploitation of DeFi protocol Blueberry for 457 ETH on the same day.