
Hacker Labels $11 Million Prisma Breach as ‘White Hat’ but Funds Remain Unreturned

The liquid staking platform Prisma Finance has acknowledged the loss of 3257 ETH (approximately $11 million) due to an exploit on March 28. The hacker has engaged in discussions with the team regarding the return of the funds.

According to the investigation, the hacker exploited two smart contracts designed to transfer user positions from one Trove product manager to another.

“The incident was possible due to insufficient input validation in the onFlashloan function, allowing manipulation of data and unintended contract behavior,” the developers explained.
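The flaw the developers describe, unchecked inputs to a flash-loan callback, is easiest to see in code. The Solidity below is an illustration added here, not Prisma's contract (which this article does not reproduce): the lender and position-manager interfaces, the `migrate` entry point and the `pendingUser` bookkeeping are all assumptions, and the weak and hardened callbacks sit side by side only to show what the missing checks are.

```solidity
pragma solidity ^0.8.20;
// Hypothetical interfaces for this illustration; they are not Prisma's.
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data) external returns (bool);
}
interface IPositionManager {
    function closeFor(address user) external returns (uint256 debtRepaid);
    function openFor(address user, uint256 debt) external;
}
contract PositionMigrator {
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IFlashLender public immutable lender;
    address public immutable debtToken;
    IPositionManager public immutable fromManager;
    IPositionManager public immutable toManager;
    address private pendingUser; // non-zero only while a migration this contract started is in flight

    constructor(IFlashLender l, address t, IPositionManager from, IPositionManager to) {
        lender = l; debtToken = t; fromManager = from; toManager = to;
    }

    // Entry point: the user moves their own position, and this contract requests the loan itself
    // (repayment approval to the lender is omitted for brevity).
    function migrate(uint256 debt) external {
        pendingUser = msg.sender;
        require(lender.flashLoan(address(this), debtToken, debt, abi.encode(msg.sender)), "flash loan failed");
        pendingUser = address(0);
    }

    // WEAK: no check on who calls or what `data` carries, so a direct call with a crafted payload
    // closes and reopens any user's position on the caller's terms, without any loan at all.
    function onFlashLoanWeak(address, address, uint256 amount, uint256, bytes calldata data) external returns (bytes32) {
        address user = abi.decode(data, (address));
        fromManager.closeFor(user);
        toManager.openFor(user, amount);
        return CALLBACK_SUCCESS;
    }

    // HARDENED: only the configured lender may call, only for a loan this contract requested,
    // and the decoded payload must match the migration recorded in `migrate`.
    function onFlashLoan(address initiator, address token, uint256 amount, uint256, bytes calldata data) external returns (bytes32) {
        require(msg.sender == address(lender) && token == debtToken, "unexpected lender or token");
        require(initiator == address(this), "loan not initiated by this contract");
        address user = abi.decode(data, (address));
        require(user != address(0) && user == pendingUser, "payload does not match pending migration");
        require(fromManager.closeFor(user) == amount, "loan does not match the position's debt");
        toManager.openFor(user, amount);
        return CALLBACK_SUCCESS;
    }
}
```

The hardened version also makes the revocation advice below concrete: even with these checks, a user's standing approval to a migration contract is the thing that lets a callback act on their position, so stale approvals are worth removing once the contract is no longer needed.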

In addition to the main sum of 3257 ETH, two other users withdrew approximately 121 wstETH and 52 wstETH respectively, according to the explanation.

As a precaution, the team reminded users to revoke any outstanding asset delegation approvals.

“Beyond the return of stolen funds, Prisma’s main priority is to resume protocol operations and its revival. The most crucial step needed to end the pause is ensuring the security of all wallets and user positions,” wrote a key developer under the pseudonym Frank.

As of March 31, 14 accounts with open approvals remained exposed to further losses; five of those wallets were flagged as “at risk” and held assets worth approximately $500,000.

Frank proposed to the Prisma community a temporary reduction in fee distribution shares to 50% instead of 100%, aiming to accumulate funds for platform recovery. He acknowledged that the timeline for resolving the situation remains uncertain.

Hacker Claims ‘White Hat’ Status but Sets Conditions

Meanwhile, the Prisma hacker immediately engaged in dialogue with the team after the incident, offering to return the withdrawn assets.

However, he first requested answers to several questions regarding the developers’ understanding of smart contract concepts, the necessity of audits, and their responsibilities in incidents like this one.

Prisma admitted that part of the latest update’s code had not been reviewed by external experts and asked the hacker to return the funds unconditionally. The hacker responded by accusing the team of insincerity and suggested the vulnerability was intentionally planted.

“Dear friends at Prisma, you have not shown goodwill! I am very disappointed with everything you have done. It was just a mandatory move! Again — you have not disclosed the three factors I asked about. Do not try to run away from your mistakes and shirk responsibilities. If it were not me, others, ‘black hats’ or someone else, could have done it,” he wrote.

One user, noting the hacker’s correspondence with the Prisma team, questioned why the community is not discussing the raised issues.

According to the developer known as Tokenbrice, the hacker reasonably highlighted certain aspects:

“He seems interested in expanding the responsibility of DeFi developers: a hero we do not deserve?” the expert suggested.

As reported by PeckShield experts, the Prisma hacker began sending assets to the crypto mixer Tornado Cash, despite having said the funds might be returned.