{"id":12168,"date":"2024-04-01T13:48:04","date_gmt":"2024-04-01T10:48:04","guid":{"rendered":"https:\/\/forklog.com\/en\/hacker-labels-11-million-prisma-breach-as-white-hat-but-funds-remain-unreturned\/"},"modified":"2024-04-01T13:48:04","modified_gmt":"2024-04-01T10:48:04","slug":"hacker-labels-11-million-prisma-breach-as-white-hat-but-funds-remain-unreturned","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-labels-11-million-prisma-breach-as-white-hat-but-funds-remain-unreturned\/","title":{"rendered":"Hacker Labels $11 Million Prisma Breach as &#8216;White Hat&#8217; but Funds Remain Unreturned"},"content":{"rendered":"<p>The liquid staking platform Prisma Finance has acknowledged the loss of 3257 ETH (approximately $11 million) due to an <a href=\"https:\/\/forklog.com\/en\/news\/prisma-defi-protocol-faces-11-million-exploit\">exploit on March 28<\/a>. The hacker has engaged in discussions with the team regarding the return of the funds.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">In collaboration with <a href=\"https:\/\/twitter.com\/PrismaRisk?ref_src=twsrc%5Etfw\">@PrismaRisk<\/a> and <a href=\"https:\/\/twitter.com\/wavey0x?ref_src=twsrc%5Etfw\">@wavey0x<\/a>, we are publishing a comprehensive post-mortem report on yesterday&#8217;s event. 
<a href=\"https:\/\/t.co\/DljZSs3ssK\">https:\/\/t.co\/DljZSs3ssK<\/a><\/p>\n<p>We are fully mobilized to retrieve users&#8217; funds and we will keep you updated on next steps.<\/p>\n<p>The most important action users can\u2026 <a href=\"https:\/\/t.co\/MUr1yqqBKX\">pic.twitter.com\/MUr1yqqBKX<\/a><\/p>\n<p>\u2014 Prisma Finance (@PrismaFi) <a href=\"https:\/\/twitter.com\/PrismaFi\/status\/1773726224952480049?ref_src=twsrc%5Etfw\">March 29, 2024<\/a><\/p><\/blockquote>\n<p>According to the investigation, the hacker exploited two smart contracts designed to transfer user positions from one Trove product manager to another.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe incident was possible due to insufficient input validation in the onFlashloan function, allowing manipulation of data and unintended contract behavior,\u201d the developers explained.<\/p>\n<\/blockquote>\n<p>In addition to the main sum of 3257 ETH, two other users withdrew approximately 121 wstETH and 52 wstETH respectively, according to the explanation.<\/p>\n<p>For security reasons, the team reminded clients to revoke asset delegation approvals.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cBeyond the return of stolen funds, Prisma&#8217;s main priority is to resume protocol operations and its revival. 
The most crucial step needed to end the pause is ensuring the security of all wallets and user positions,\u201d <a href=\"https:\/\/gov.prismafinance.com\/t\/a-path-forward-after-the-security-incident\/157\">wrote<\/a> a key developer under the pseudonym Frank.<\/p>\n<\/blockquote>\n<p>As of March 31, 14 accounts with open approvals remained at risk of losing funds, with five wallets \u201cat risk\u201d of assets worth approximately $500,000.<\/p>\n<p>Frank proposed to the Prisma community a temporary reduction in fee distribution shares to 50% instead of 100%, aiming to accumulate funds for platform recovery. He acknowledged that the timeline for resolving the situation remains uncertain.<\/p>\n<h2 class=\"wp-block-heading\">Hacker Claims &#8216;White Hat&#8217; Status but Sets Conditions<\/h2>\n<p>Meanwhile, the Prisma hacker immediately <a href=\"https:\/\/etherscan.io\/idm?addresses=0x2d413803a6ec3cb1ed1a93bf90608f63b157507a%2c0xd8531a94100f15af7521a7b6e724ac4959e0a025&#038;type=1\">engaged in dialogue<\/a> with the team after the incident, offering to return the withdrawn assets.<\/p>\n<p>However, he first requested answers to several questions regarding the developers&#8217; understanding of smart contract concepts, the necessity of audits, and their responsibilities in incidents like this one.<\/p>\n<p>Prisma admitted that part of the latest update&#8217;s code had not been reviewed by external experts and asked the hacker to return the funds unconditionally. The hacker responded by accusing the team of insincerity and suggested the vulnerability was intentionally planted.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cDear friends at Prisma, you have not shown goodwill! I am very disappointed with everything you have done. It was just a mandatory move! Again \u2014 you have not disclosed the three factors I asked about. Do not try to run away from your mistakes and shirk responsibilities. 
If it were not me, others, &#8216;black hats&#8217; or someone else, could have done it,\u201d he wrote.<\/p>\n<\/blockquote>\n<p>One user, noting the hacker&#8217;s correspondence with the Prisma team, questioned why the community is not discussing the raised issues.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Interesting development in the Prisma events:<\/p>\n<p>A\/ The code concerned was not audited<br \/>B\/ The hacker has demands, part of which were met<br \/>C\/ The hacker has a mission\/motivation<\/p>\n<p>A\/ Why audit a migration function?<\/p>\n<p>1. The exploit was on a migration function that was not part of the\u2026 <a href=\"https:\/\/t.co\/a58Zik44Nz\">pic.twitter.com\/a58Zik44Nz<\/a><\/p>\n<p>\u2014 tokenbrice.eth (?,?) (@TokenBrice) <a href=\"https:\/\/twitter.com\/TokenBrice\/status\/1774307783271141840?ref_src=twsrc%5Etfw\">March 31, 2024<\/a><\/p><\/blockquote>\n<p>According to the developer known as Tokenbrice, the hacker reasonably highlighted certain aspects:<\/p>\n<ul class=\"wp-block-list\">\n<li>The Prisma team initiated a user position migration to Trove, not planned in the protocol&#8217;s original deployment;<\/li>\n<li>Experienced developers did not submit part of the update code for audit, which is typically used to disclaim responsibility (mostly);<\/li>\n<li>They ignored the hacker&#8217;s de-anonymization demands, as well as his other questions.<\/li>\n<\/ul>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cHe seems interested in expanding the responsibility of DeFi developers: a hero we do not deserve?\u201d the expert suggested.<\/p>\n<\/blockquote>\n<p>As reported by PeckShield experts, the Prisma hacker began sending assets to the crypto mixer Tornado Cash, despite stating the possibility of returning 
them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The liquid staking platform Prisma Finance has acknowledged the loss of 3257 ETH (approximately $11 million) due to an exploit on March 28. The hacker has engaged in discussions with the team regarding the return of the funds. In collaboration with @PrismaRisk and @wavey0x, we are publishing a comprehensive post-mortem report on yesterday&#8217;s event. https:\/\/t.co\/DljZSs3ssK [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":12167,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1093,1150,1195],"class_list":["post-12168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-defi","tag-news-plus","tag-white-hat-hackers"],"aioseo_notices":[],"amp_enabled":true,"views":"23","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/12168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=12168"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/12168\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/12167"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=12168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.co
m\/en\/wp-json\/wp\/v2\/categories?post=12168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=12168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}