Yesterday, Concentric, an Arbitrum-based decentralized exchange liquidity aggregator, experienced a social engineering attack targeting the deployer wallet. The incident resulted in a loss of nearly $1.7 million.
Despite having audited vaults, the protocol was vulnerable due to the upgradability of these vaults, as explained by the Concentric team in their post on X. The team stated, "The attacker leveraged this feature to upgrade the vaults, mint new LP tokens, and subsequently drain the vaults of their assets."
Cybersecurity firm Beosin provided further details about the hack.
According to Beosin, the perpetrator took control of the implementation contract of the CONE-1 proxy contract. Specifically, they replaced the original ConeCamelotVault contract with a contract controlled by the attacker. Moreover, the attacker added an admin (0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1) to the adminMint() function, allowing them to mint a significant amount of LP (Liquidity Provider) tokens.
"There's also an approval bug in one of the affected contracts, in which users who had approved to spend their tokens saw their assets being drained from the contract," in its detailed study of the exploit, on-chain security firm Neptune Mutual has revealed another vulnerability.
Neptune Mutual urged users who had granted token approvals to the affected contracts to promptly revoke these approvals to limit potential risks and unauthorized transactions.
Among the preventative measures that can save cryptocurrency users from such incidents, Neptune Mutual mentioned the implementation of a multi-signature wallet for administrative control of upgradeable contracts, which can significantly reduce the risk of a single point of failure. The introduction of a time lock for contract upgrades, which gives more time for thorough validation before activation, is also useful.
"Transitioning from storing private keys in a single, online environment to incorporating hardware security modules (HSMs) offers a more secure storage solution, greatly reducing the risk of key compromises," Neptune Mutual added in its report, stressing the significance of adopting a multi-signature wallet system, which can decrease the risk of unauthorized access by the stringent requirement for multiple confirmations for transactions.
In response to the attack, Concentric has engaged with security researchers to thoroughly analyze the breach, identify the exploited vulnerabilities, and implement measures to prevent any future damage. The Concentric team expressed its commitment to transparency and stated that it "is exploring all possible options to mitigate the losses and safeguard the community's interests."
While the incident underscores the ongoing risk posed by social engineering tactics within the Web3 ecosystem, the details on the social engineering attack itself, which made the exploit possible, have not been revealed yet.