The smart contract of the Seneca omnichain protocol on Ethereum was breached by hackers, resulting in the loss of over 1900 ETH (~$6.5 million), according to analysts at Beosin.
?@SenecaUSD exploited for 1,900 $ETH (worth ~$6.5M).
The attacker used constructed calldata parameters to call transferfrom and transfer tokens that were approved to the project’s contracts to the attacker’s address.
The stolen funds are now held across 3 addresses.
Revoke… https://t.co/M1BwoU5jn4 pic.twitter.com/sKg56m9lVl
— Beosin Alert (@BeosinAlert) February 29, 2024
Earlier, a user on X known as Spreek identified a critical approval vulnerability in the protocol, allowing for an open external call function.
Looks like Seneca Protocol has a critical approval exploit (open external call). $3m+ lost so far across eth/arb pic.twitter.com/MkbNShtPUm
— Spreek (Denver 28th-5th) (@spreekaway) February 28, 2024
Researchers at SlowMist also issued a warning about the issue.
?SlowMist Security Alert ?
Looks like @SenecaUSD is being exploited due to an open external call vulnerability, please revoke approvals for the following addresses ASAP!!!
ETH: 0xBC83F2711D0749D7454e4A9D53d8594DF0377c05
ARB: 0x2d99E1116E73110B88C468189aa6AF8Bb4675ec9 pic.twitter.com/GbmxLXTtdH— SlowMist (@SlowMist_Team) February 28, 2024
Beosin believes the attackers used carefully constructed calldata parameters to invoke the Transferfrom function. This allowed them to transfer authorized tokens from the project’s contract to their own addresses, subsequently converting them into ETH.
The funds were moved to three wallets.
The Seneca protocol team is investigating the incident. Users are advised to revoke approvals for several addresses in the Ethereum and Arbitrum networks, as published by the developers.
We are actively working with security specialists to investigate the approval bug found today.
In the meantime, REVOKE approvals for the following addresses:#Ethereum
PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1
apxETH 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34…— Seneca (@SenecaUSD) February 28, 2024
The project also appealed to the hacker for the return of the funds, offering 20% of the stolen amount as a reward and cessation of further pursuit.
Dear Whitehat,
Please return the funds to the following Ethereum wallet address: 0xb7aF0Aa318706D94469d8d851015F9Aa12D9c53a
We are collaborating with third-party security providers and law enforcement to trace the funds and identify recipient wallets. Acting promptly is… pic.twitter.com/syIQQXHJSQ
— Seneca (@SenecaUSD) February 29, 2024
The hacker returned 1537 ETH (~$5.3 million) to the wallet specified by the Seneca team, as reported by PeckShield experts.
#PeckShieldAlert @SenecaUSD hacker-labeled address has returned 1,537 $ETH (worth ~$5.3m) to #Seneca: Deployer address & transferred 300 $ETH (~$1.04m) to 2 new addresses pic.twitter.com/hNOFMr1aTk
— PeckShieldAlert (@PeckShieldAlert) February 29, 2024
As a reward, the hacker retained the agreed 20% of the amount — 300 ETH ($1 million). These assets were transferred to two new wallets.
At the time of writing, the price of the SEN token has fallen by 52% to $0.04254, according to CoinGecko.
Back in February 23, the DeFi protocol Blueberry suspended operations due to an exploit.