Delta Prime DeFi has been exploited on Avalanche and Arbitrum for $4.75M

Delta Prime paused its protocol on both Avalanche and Arbitrum, after an exploit estimated at $4.75M. The protocol discovered a vulnerability and closed all transactions to avoid further harm. 

Delta Prime has lost assets on its Avalanche and Arbitrum versions, amounting to $4.75M in losses. This is the second attack against the protocol since a previous exposure on September 19. During the previous attack, Delta Prime lost $5.9M due to compromised wallets. The hacking activity was tied to Lazarus, the group of North Korean hackers, as tracked by ZachXBT.

The last hack was linked to compromised wallets, where the hackers controlled the private keys. This time, none of DeltaPrime’s known token holdings were compromised. However, some of the protocol’s core reward mechanisms turned out to be flawed.

As with other exploits, malicious social media links are being distributed through copycat accounts. These links lead to websites promising fund recovery or permission revocation. 

The Delta Prime protocol contained more than $35M in total value locked. In September, before the hack, the value was as high as $65M. Subsequent loss of value for PRIME and loss of trust in the protocol led to a drop in value locked. However, Delta Prime was on track to recovering its liquidity, up from a low of $22M, when this new exploit happened. 

The two hacks are separated by less than two months, and they bring to mind the case of Cosmos (ATOM). The project was infiltrated by North Korean hackers posing as developers, who were responsible for critical parts of the code. For now, Cosmos has not been exploited, but the case raised concerns about the ability of malicious actors to be aware of smart contract vulnerabilities. 

The Delta Prime hack follows a similar minor exploit where a liquidity pool was drained. Researcher Chaofan Shou noted a vulnerable smart contract allowed the hacker to drain a much larger reward, in this case, costing the unnamed protocol $500K. 

Delta Prime faced a reward exploit 

According to on-chain experts from Peckshield, this time, Delta Prime suffered an exploit of its reward smart contract. The attacker also apparently acquired administrator privileges on SmartLoansFactory, one of the side contracts that control loan creation and initial funding in one transaction. The smart contract also manages the data of loan creators, known as Borrowers Registry.

Delta Prime is a project built for leveraged farming, a risky tool to borrow and deposit funds into yield farming protocols. The protocol’s reward smart contract contained a flaw that allowed the hacker to receive rewards for a faked pair.

Analysis by Peckshield reveals the contract’s input was not verified, allowing the hacker to keep both the initial collateral and the borrowed funds. Certik tracked the actions, which included an attempt to borrow WBTC, where the hacker ended up holding both the collateral and the loan. 

The smart contract exploit happened despite Delta Prime having a complete audit by Peckshield. In total, Delta Prime completed seven independent audits, the last one in the summer of 2024.

The exploiter made away with 110 AVAX, 74 WAVAX, 860K USDC, 6.34 BTC, 49 WETH, and another 260K USDT. After the funds were sent to intermediary wallets, some were reverted back to DeFi protocols, including LFJ and Stargate liquidity farming. 

The stolen assets came from multiple drained pools, concentrating the spoils in one address. Most of the funds are on the Arbitrum chain, constrained to its DeFi landscape. The hacker has not bridged or mixed the funds. 

The hacker’s wallet is multi-chain, though other addresses only contain a small part of the funds. The main wallet continued to interact with other Arbitrum swap and DeFi protocols after the attack was noticed. All the wallets were recently created and first funded from DEX sources. The wallets have no previous activity or history before the hack. 

Some of the funds are stored on Avalanche, and they continued their movements in the hours after the attack. Most of the assets on Avalanche C-Chain were moved to other protocols, as the hacker used them to provide liquidity. 

The Avalanche or Arbitrum wallets did not contain any bridging transactions. Around $750K of the funds are contained in identified Arbitrum wallets, while Avalanche holds $2.18M. The two attacks were held separately for each chain, with a total of five identified wallets.