The Seneca lending protocol faced an exploit involving its ‘performOperations’ function, resulting in the drainage of over $6 million in collateral. According to a statement released on February 28 via the protocol’s official X account, blockchain analytics firm CertiK estimated the losses at $6.4 million. The Seneca team has advised users to revoke approvals for the impacted contracts and is collaborating with security specialists to investigate the issue.
Seneca Protocol, a decentralized finance (DeFi) lending platform and stablecoin issuer, enables users to deposit various cryptocurrencies as collateral, which can then be used to generate the protocol’s native stablecoin, SenecaUSD.
The exploit involved an account, ending in 42DC, transferring Pendleton Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool using the ‘performOperations’ function. Subsequently, the account exchanged these tokens for approximately $4 million worth of Ether (ETH) across three transactions. The attacker then transferred an additional 717.04 ETH derivative tokens from various collateral pools and exchanged them for ETH.
CertiK identified the transfers as malicious and attributed them to a flaw in the protocol’s ‘performOperations’ function: any account can call the function with the OPERATION_CALL action, which lets the caller execute an arbitrary external call to any address from the contract’s own context. The attacker used this to drain funds from the collateral pool without authorization.
Blockchain investigator Spreek warned users about the critical vulnerability behind the exploit and recommended revoking approvals granted to the addresses involved. Security researcher ddimitrov22 also highlighted a second issue in Seneca: the pause and unpause functions are declared with the ‘internal’ keyword, so developers cannot call them to pause the contracts.
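The two defects described above, an unrestricted OPERATION_CALL action and pause functions that cannot be reached from any transaction, are common enough to be worth showing side by side. The following is an added illustration written for this article, not Seneca’s code; the contract names, the value of the OPERATION_CALL constant, the calldata encoding and the allow-list design are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: a simplified operations router, not Seneca's code.
// The action constant, contract names and allow-list are assumptions.
uint8 constant OPERATION_CALL = 30;

// Weak pattern: any caller can route an arbitrary external call through a
// contract that users have approved to move their collateral tokens.
contract OpsUnrestricted {
    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                // Arbitrary target and arbitrary calldata, executed with this
                // contract as msg.sender. Any token a user has approved this
                // contract on can therefore be moved on the caller's behalf.
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            }
        }
    }
}

// Hardened pattern: allow-listed targets, no calls into tokens the contract
// holds approvals on, a pause guard, and pause/unpause reachable by the owner.
contract OpsRestricted {
    address public owner;
    bool public paused;
    mapping(address => bool) public allowedTarget;   // contracts the router may call
    mapping(address => bool) public collateralToken; // tokens users approve to this router

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    // Declaring these 'internal' would leave them unreachable from any
    // transaction; they must be external (with access control) so the team
    // can actually halt the contract during an incident.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    function setAllowedTarget(address target, bool ok) external onlyOwner {
        require(!collateralToken[target], "token cannot be a call target");
        allowedTarget[target] = ok;
    }

    function setCollateralToken(address token, bool ok) external onlyOwner {
        collateralToken[token] = ok;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas)
        external
        whenNotPaused
    {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == OPERATION_CALL) {
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                // Both checks must hold: the target is on the allow-list and is
                // never a token this contract has been approved on.
                require(allowedTarget[target], "target not allowed");
                require(!collateralToken[target], "cannot call collateral token");
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            }
        }
    }
}
```

The design point is that a contract holding user approvals must never become a generic call proxy: the set of addresses it may call should be fixed by governance and must exclude every token it can spend on users’ behalf, and the emergency stop has to be callable by someone, or it is not an emergency stop.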
The Seneca development team is actively investigating the attack and plans to provide an update shortly.
Despite efforts to enhance security, hacks and exploits continue to pose threats to Web3 users in 2024. Notably, on February 23, Axie Infinity co-founder Jeff “Jihoz” Zirlin lost $9.7 million from a hack of his personal wallets, while the DeFi protocol Blueberry was exploited for 457 ETH on the same day.