Delta Prime Suffer Another Exploit
Blockchain-based borrow and lending platform Delta Prime has suffered its second exploit in two months, according to multiple crypto security and research firms. Approximately $5 million worth of crypto assets have been drained from Delta implementations on Layer 1 blockchain Avalanche and Ethereum scaling platform Arbitrum.
The news follows a previous attack in mid-September that resulted in losses of around $6 million, caused when an administrator lost control of private keys, pushing total losses above $10 million. This earlier attack specifically impacted Delta's Arbitrum deployment.
> “DeltaPrime is currently paused due to an attack on the Saving pools,” the company announced on its website, sharing updates on Discord.
>
> “With the protocol being paused on both chains, the risk is contained. We will provide updates asap,” the firm posted on X at 4:04 a.m. EST.
Crypto security firm Fuzzland reported that about five hours before the announcement, an unidentified hacker exploited a “code logic error” in the “claimRewards” contract used for token payouts.
The flaw allowed the attacker to pass in a custom contract address, controlling how much reward is sent by the victim contract.
Publicqi, a Fuzzland researcher, emphasized that the two attacks do not appear connected, as one involved a stolen private key while the other exploited a publicly accessible bug.
> “For DeFi protocols that are related to funds or have TVLs, they should be extremely careful and serious about the code, especially parts where transfer is possible. An audit is not a 100% guarantee of safety,” Publicqi advised.
According to DeFi syndicate yieldsandmore, the alleged attacker seems to be an experienced serial exploiter, previously involved in attacks as recently as June. They may have reinvested some stolen funds into wrapped bitcoin on Arbitrum.
Most of the stolen funds came from Delta Prime's Avalanche deployment. The PRIME token has a fully diluted valuation of over $51 million. The protocol's total value locked is around $32 million, a significant drop from over $70 million before the September exploit.
Comments (0)