Today, the Web3 cybersecurity team CertiK reported an update regarding the recent exploit affecting Seneca, an omnichain collateralized debt position (CDP) protocol.
The hack occurred less than 24 hours ago, initially resulting in a loss of $3 million. However, cybersecurity specialists soon identified a greater loss of funds, amounting to $6.4 million. Fortunately for the Seneca protocol, the hacker, whom the project’s team politely referred to as a "white hat," decided to return $5.3 million while keeping a 20% bounty offered by Seneca as a reward for their "white hat efforts."
According to CertiK, the vulnerable contracts contained a function called performOperations, which was callable from external sources and lacked proper input validation. Within this function, an "if" statement was used to determine the actions to be taken.
This allowed the actor to craft calldata that satisfied the condition "action" equals "Constants.OPERATION_CALL," which let them execute calls to any contract with arbitrary data. The individual behind the incident used this to transfer assets from addresses that had previously granted approvals to the vulnerable contracts, redirecting them to their own account.
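The check that was missing, as an added Solidity sketch that is not Seneca's code: a default-deny allowlist applied before the external call. It assumes OpenZeppelin Contracts v5 for Ownable; the function signature, the data encoding, the OPERATION_CALL value and every name other than performOperations and OPERATION_CALL are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Constructed sketch, not Seneca's source. Only performOperations and OPERATION_CALL
// are names from the article; the signature, encoding and allowlist are assumptions.
contract GuardedOperations is Ownable {
    uint8 internal constant OPERATION_CALL = 30; // placeholder value

    // Hypothetical allowlist keyed by (target, function selector).
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    error CallNotAllowed(address target, bytes4 selector);
    error CallFailed(address target);

    constructor() Ownable(msg.sender) {}

    function setAllowedCall(address target, bytes4 selector, bool allowed) external onlyOwner {
        allowedCall[target][selector] = allowed;
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] != OPERATION_CALL) continue; // other actions omitted
            (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));

            // Weak form described in the article: target.call(callData) with no
            // validation, so any caller can make this contract spend the token
            // allowances that users granted to it.
            // Hardened form: default-deny, only pre-approved (target, selector) pairs.
            bytes4 selector = bytes4(callData); // zero-padded if shorter than 4 bytes
            if (!allowedCall[target][selector]) revert CallNotAllowed(target, selector);

            (bool ok, ) = target.call(callData);
            if (!ok) revert CallFailed(target);
        }
    }
}
```

A contract that holds user token approvals should keep token contracts out of such an allowlist entirely, since any permitted call to a token executes with the contract's allowances.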
"The Seneca exploiter has now returned 1,537 ETH (nearly $5.3m) to the project," CertiK informed the crypto community on X in its recent post, adding that "The exploiter kept 300 ETH which was split into two new wallets."
Soon after the exploit, a smart contract security researcher with the nickname Ddimitrov22 warned the protocol’s users of another technical issue that made it impossible to pause the protocol amid the ongoing hack.
"It cannot be paused even though it inherits the Pausable library," Ddimitrov22 posted on X, explaining that "the '_pause' and '_unpause' functions are internal, and there is no way to call them."
According to the discussion of the incident on X, the vulnerability in the Seneca protocol had been detected earlier by several security researchers, including X user Cawfree.
"Raised this months ago, tried to warn them but ended up getting blocked instead," Cawfree said. A similar situation happened to Daniel Von Fange, who claims to have been "kicked out of their [Seneca’s] Discord for trying to warn users, and they are actively deleting messages about this there."
It also appears Seneca held a public audit contest, which it decided to abandon in November, mentioning "potential code licensing issues" as a reason.
However, many security researchers who reviewed Seneca’s code found it risky to launch the project without addressing the uncovered vulnerabilities. According to some of the auditors, including pseudonymous X user Giraffe, there were at least three high-severity vulnerabilities and four medium-severity ones.
"As I was reviewing the code for the Sherlock contest, I have to say that I strongly discourage you from deploying the code in its current state," one of the auditors, Shogoki, said, recommending that the protocol refrain from a rollout in November.
The mystery surrounding the abandoned audit contest and the hacker’s willingness to return the money to the protocol sparked a theory in the crypto community that the white hat may be an insider of the project.