Delta Prime Exploited, $6M Stolen Amid Private Key Breach

On 16th September 2024, decentralised finance (DeFi) protocol Delta Prime experienced a significant security breach, resulting in the loss of $6 million. The attack was carried out on the platform’s Arbitrum deployment, while the Avalanche version remained unaffected. Delta Prime confirmed that the breach occurred due to the compromise of a private key, allowing the attacker to mint massive amounts of deposit receipts and subsequently drain the funds.

DeltaPrime Blue exploited, this is the current status:

At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M. This was due to a compromised private key, the source of which is currently under investigation.

DeltaPrime Red (Avalanche) is not vulnerable…

— DeltaPrime (@DeltaPrimeDefi) September 16, 2024

The exploit was discovered at 6:14 AM CET, and Delta Prime promptly acknowledged the attack on social media. According to a statement from the company, the attacker managed to drain $5.98 million, citing, “The risk is contained, and we are working on asset retrieval. The insurance pool will cover potential losses where possible.”

Details of the Exploit

The attacker used a sophisticated method to manipulate Delta Prime’s contracts. Blockchain data revealed that the hacker gained control over an administrative account ending in “b1afb.” By exploiting this account, they redirected proxy contracts to a malicious implementation, which allowed them to mint an arbitrarily large number of deposit receipt tokens. These tokens, such as Delta Prime USD (DPUSDC), are intended to represent assets in the protocol, redeemable for USDC stablecoins at a 1:1 ratio.

$6M drained now ;0

— Chaofan Shou (@shoucccc) September 16, 2024

In total, the attacker minted over 115 duovigintillion DPUSDC tokens. Despite the enormous figure, the attacker only burned a portion, receiving $2.4 million in USDC. Similar tactics were applied to other deposit receipt tokens, including Wrapped Bitcoin (DPBTCb) and Wrapped Ether (DPWETH), resulting in the theft of various assets, including Bitcoin, Ether, and Arbitrum tokens. Blockchain security specialist Chaofan Shou estimated the total stolen assets to be around $6 million.

Containment and Response

Delta Prime has been quick to reassure its users that the damage is limited to the Arbitrum deployment. They emphasised that Delta Prime Red, the Avalanche variant, is not vulnerable to similar attacks due to the use of multi-signature wallets and cold storage. “DeltaPrime Red (Avalanche) is not vulnerable to this attack,” the company stated. However, users on Arbitrum are unable to withdraw funds due to the platform’s utilisation of borrowing and lending pools, further complicating the situation.

🚨UPDATE🚨@DeltaPrimeDefi hacker has bridged all stolen funds to #ETH chain and deposited to @TornadoCash at https://t.co/zzzoA66JDd

Want to keep your company off our alerts radar? Learn how to secure your assets: Book a Demo 🚀 https://t.co/uUbFkFTp4h#CyversAlert https://t.co/yOmNZJyp5l pic.twitter.com/ZAFFBPJ44m

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 17, 2024

Security firm Cyvers confirmed the breach, stating that multiple suspicious transactions had been detected involving Delta Prime’s liquidity pools. The affected tokens include DPUSDC, DPBTCb, and DPARB. Delta Prime’s native PRIME tokens have also dropped 6.5% in value, reflecting broader market trends.

Broader Implications for DeFi Security

This attack underscores the risks associated with upgradable smart contracts, a controversial topic in the DeFi space. While upgradeability allows developers to address bugs and improve functionality, it also introduces vulnerabilities. “Theoretically, an attacker should need to steal the private keys of every user to drain the entire protocol,” noted an expert on blockchain security. However, when a single private key can compromise an admin account, the entire protocol becomes susceptible, as was the case with Delta Prime.

The breach is a reminder of the balance that DeFi projects must strike between security and functionality. In light of recent exploits in the sector, including the $27 million attack on Penpie earlier this month, security remains a top priority for DeFi developers and investors alike.

Conclusion

Delta Prime’s $6 million exploit highlights the fragility of DeFi platforms in the face of private key leaks and smart contract vulnerabilities. As investigations continue and the team works on asset recovery, the incident serves as a cautionary tale for developers and users alike. The platform’s quick response and assurances regarding its insurance pool are steps towards mitigating user losses, but the event underscores the urgent need for heightened security in the fast-evolving world of decentralised finance.