DeltaPrime DeFi Hacked on Arbitrum Chain
On 16 September, blockchain security firm Cyvers reported on X (formerly Twitter) a $6 million exploit of DeltaPrime, a decentralised finance (DeFi) protocol on the Arbitrum network.
Initially the attacker drained $4.5 million, but continued to exploit the system and ultimately stole more.
The firm's CTO, Meir Dolev, explained:
“[The] hacker took control of the wallet which is the admin of Delta Prime proxy contracts; later on, [he] upgraded these contracts to point to his malicious contract. This enabled the hacker to drain Delta Prime pools on Arbitrum chain.”
Cyvers identified several suspicious transactions linked to DeltaPrime on the Arbitrum chain.
The breach occurred when the protocol’s administrator lost control of a private key, granting the hacker access to update the proxy smart contract and execute the attack.
Key liquidity pools, including DPUSDC, DPARB, and DPBTCb, suffered significant losses as a result.
Chaofan Shou, founder of security firm Fuzzland, initially stated on X that the losses amounted to $7 million.
Shou ultimately concluded that $6 million was lost.
DeltaPrime put the loss at $5.98 million, but Cyvers' latest post listed it as $5.93 million.
DeltaPrime's Hacker Minted Large Amount of Tokens
Cyvers reported that the address linked to the DeltaPrime hack has started converting stolen USDC tokens into Ethereum (ETH).
The attacker exploited the DeFi protocol by minting an enormous number of deposit receipt tokens, ultimately draining over $6 million.
According to data from Arbiscan, the hacker minted more than 115 duovigintillion DPUSDC tokens—a figure so large that the explorer shows it in scientific notation—but redeemed only 2.4 million of them for USDC, receiving $2.4 million.
The process was repeated with other tokens, including DPBTCb, DPWETH, and DPARB, allowing the attacker to collect over $1 million in Bitcoin, Ether, Arbitrum (ARB), and other assets.
The breach was enabled when the hacker gained control of an admin account, likely by compromising the developer's private key.
This allowed the attacker to call the "upgrade" function on DeltaPrime's liquidity pool contracts, redirecting each contract's proxy to a malicious implementation.
By doing so, they were able to mint unlimited deposit receipt tokens and systematically drain the protocol's liquidity pools.
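As an added defender-side illustration (not code from the article, Cyvers or DeltaPrime), the following Python scans a batch of EVM event logs for exactly the sequence described above: an ERC-1967 `Upgraded` event on a pool contract followed within a few blocks by an ERC-20 mint (a `Transfer` from the zero address) of an implausibly large amount. The log records, addresses, amounts and the 50-block window are constructed assumptions; only the two event signature hashes are the standard ERC-1967 and ERC-20 values.

```python
from dataclasses import dataclass

# keccak256("Upgraded(address)") from ERC-1967 and keccak256("Transfer(address,address,uint256)") from ERC-20
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDR = "0x" + "0" * 40

@dataclass
class Log:
    block: int
    address: str   # contract that emitted the event
    topics: list   # topics[0] = event signature, then indexed args as 32-byte hex words
    data: str      # non-indexed args as hex (the uint256 value for Transfer)

def pad(addr: str) -> str:
    """Left-pad a 20-byte address into a 32-byte topic word."""
    return "0x" + addr[2:].rjust(64, "0")

def topic_to_addr(topic: str) -> str:
    return "0x" + topic[-40:]

def find_upgrade_then_mint(logs, window_blocks=50, mint_threshold=10**30):
    """Return one alert per (Upgraded event, oversized mint on the same contract within the window)."""
    alerts = []
    for up in (l for l in logs if l.topics and l.topics[0] == UPGRADED_TOPIC):
        for l in logs:
            if (l.address == up.address and len(l.topics) == 3 and l.topics[0] == TRANSFER_TOPIC
                    and up.block <= l.block <= up.block + window_blocks
                    and topic_to_addr(l.topics[1]) == ZERO_ADDR):   # from == 0x0 means a mint
                value = int(l.data, 16)
                if value > mint_threshold:
                    alerts.append({"pool": up.address, "new_impl": topic_to_addr(up.topics[1]),
                                   "mint_to": topic_to_addr(l.topics[2]), "value": value, "block": l.block})
    return alerts

# Constructed sample: one pool, a legitimate small deposit mint, then an upgrade and a huge mint.
POOL, USER, ATTACKER, NEW_IMPL = ("0x" + h * 20 for h in ("a1", "d4", "b2", "c3"))
SAMPLE_LOGS = [
    Log(99, POOL, [TRANSFER_TOPIC, pad(ZERO_ADDR), pad(USER)], hex(1_000 * 10**6)),      # normal deposit
    Log(100, POOL, [UPGRADED_TOPIC, pad(NEW_IMPL)], "0x"),                               # proxy upgraded
    Log(101, POOL, [TRANSFER_TOPIC, pad(ZERO_ADDR), pad(ATTACKER)], hex(115 * 10**69)),  # oversized mint
    Log(102, POOL, [TRANSFER_TOPIC, pad(ATTACKER), pad(POOL)], hex(2_400_000 * 10**6)),  # redemption, not a mint
]

if __name__ == "__main__":
    for a in find_upgrade_then_mint(SAMPLE_LOGS):
        print(f"block {a['block']}: pool {a['pool']} upgraded to {a['new_impl']}, "
              f"then minted {a['value']:.3e} to {a['mint_to']}")
```

Only the upgrade followed by the oversized mint is reported; the earlier routine deposit and the later redemption do not trigger an alert.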
DeltaPrime Says Source of Breach Under Investigation
DeltaPrime confirmed the attack in a post on X, acknowledging that its Arbitrum deployment had been compromised, while clarifying that its operations on Avalanche remained unaffected.
The company is actively investigating the root cause of the "compromised private key" that enabled the breach.
DeltaPrime thanked users for their support and noted that retrieving the funds is its priority, with recovery next in line.
DeltaPrime's Hack Allegedly Linked to North Korean Hackers
On-chain investigator ZachXBT raised alarms over potential links between DeltaPrime's breach and North Korean IT workers who had previously infiltrated the platform using fake identities and KYC documents.
These individuals were reportedly involved in a similar incident in August 2024.
ZachXBT revealed that he had warned DeltaPrime earlier this year about employing developers from the sanctioned nation.
While DeltaPrime claims to have since removed the flagged personnel, the connection between the recent hack and North Korean operatives remains unconfirmed.
ZachXBT's report also uncovered a pattern of fraudulent behavior, linking this breach to a broader network of malicious actors siphoning funds from DeFi projects since June 2024.
Reports suggest North Korean hackers often infiltrate crypto firms to gain insider access, using this information to execute targeted exploits.
The attackers allegedly laundered stolen assets by bridging them across multiple chains and depositing significant sums into privacy services like Tornado Cash, making it difficult to trace the stolen funds.