Concentric, a liquidity manager app, was exploited on Arbitrum, according to the protocol’s official X account. The attacker gained access to the deployer account’s private key through a “social engineering attack,” which was subsequently used to “upgrade the vaults, mint new LP tokens, and subsequently drain the vaults of their assets,” according to the team.

Concentric is urging users to revoke approvals for all vault addresses listed in the protocol’s documents.

According to blockchain security platform CertiK, the attack has cost more than $1.8 million. CertiK also claims the attacking wallet is “linked to” the wallet that executed the December 13 OKX decentralized exchange exploit, which suggests both attacks could have been carried out by the same person or group.

The exploiter wallet invoked the Concentric contract’s adminMint function, minting 0.001 CONE-1 tokens. It then called “burn” to redeem those CONE-1 tokens for the underlying AlgebraPool funds. This mint-and-burn cycle was repeated several times, allowing the attacker to extract multiple ERC-20 tokens that were later swapped for Ether.
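The drain pattern described above, a privileged mint followed immediately by a burn from the same caller, repeated in quick succession and preceded by a contract upgrade, is the kind of sequence a monitoring job can flag. The following is an added detection example, not code from Concentric or CertiK; the transaction records, addresses, block numbers and function names other than adminMint and burn are constructed for illustration, and the decoded-call format is an assumption.

```python
"""
Flag the mint-then-burn drain pattern: one caller repeatedly invoking a
privileged admin mint and immediately burning the freshly minted LP tokens.
All records below are constructed sample data, not real on-chain activity.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TxRecord:
    block: int
    tx_index: int
    sender: str
    contract: str
    function: str  # decoded function name of the call


# Constructed sample transactions with hypothetical addresses and blocks.
SAMPLE_TXS = [
    TxRecord(100, 0, "0xAAAA", "0xVAULT1", "upgradeTo"),
    TxRecord(101, 0, "0xAAAA", "0xVAULT1", "adminMint"),
    TxRecord(101, 1, "0xAAAA", "0xVAULT1", "burn"),
    TxRecord(102, 0, "0xAAAA", "0xVAULT1", "adminMint"),
    TxRecord(102, 1, "0xAAAA", "0xVAULT1", "burn"),
    TxRecord(103, 0, "0xAAAA", "0xVAULT1", "adminMint"),
    TxRecord(103, 1, "0xAAAA", "0xVAULT1", "burn"),
    TxRecord(104, 0, "0xBBBB", "0xVAULT1", "deposit"),
    # An ordinary withdrawal: a burn with no preceding admin mint by this caller.
    TxRecord(105, 0, "0xBBBB", "0xVAULT1", "burn"),
]

PRIVILEGED_MINT = {"adminMint"}
BURN = {"burn"}
# Assumed names for proxy upgrade entry points; adjust to the contract under watch.
UPGRADE = {"upgradeTo", "upgradeToAndCall"}


def find_mint_burn_cycles(txs, max_block_gap=1):
    """Count adminMint calls that the same sender follows with a burn on the
    same contract within max_block_gap blocks. Returns {(sender, contract): n}."""
    ordered = sorted(txs, key=lambda t: (t.block, t.tx_index))
    pending = {}  # (sender, contract) -> block of the last unmatched admin mint
    cycles = defaultdict(int)
    for tx in ordered:
        key = (tx.sender, tx.contract)
        if tx.function in PRIVILEGED_MINT:
            pending[key] = tx.block
        elif tx.function in BURN and key in pending:
            if tx.block - pending[key] <= max_block_gap:
                cycles[key] += 1
            del pending[key]
    return dict(cycles)


def flag_suspected_drain(txs, min_cycles=2):
    """Return one alert per (sender, contract) that repeats the cycle at least
    min_cycles times, noting whether that sender also upgraded the contract."""
    cycles = find_mint_burn_cycles(txs)
    upgraders = {(t.sender, t.contract) for t in txs if t.function in UPGRADE}
    alerts = []
    for (sender, contract), n in cycles.items():
        if n >= min_cycles:
            alerts.append({
                "sender": sender,
                "contract": contract,
                "cycles": n,
                "upgraded_first": (sender, contract) in upgraders,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_suspected_drain(SAMPLE_TXS):
        print(alert)
```

The repeat count and block gap are tunable: a legitimate admin mint is rare and not normally followed by an immediate burn from the same key, so even a low threshold produces few false positives, while the upgrade check separates a key-compromise scenario like this one from a plain logic bug.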

The Concentric team stated that it has begun an investigation and will publish a post-mortem report as soon as possible, in which it will lay out a plan for addressing the vulnerability. “Our team is fully committed to resolving this issue and restoring the integrity of the Concentric protocol,” the team said in a statement.

In a decentralized exchange, liquidity management protocols are used to set minimum and maximum prices for a position and to rebalance liquidity pools. They gained popularity after Uniswap introduced its “concentrated liquidity” feature in 2021, which lets liquidity providers specify the price range within which their assets can be traded. Choosing and maintaining that range complicates liquidity provision, which is why some users delegate the task to management protocols.

Another liquidity manager, Gamma Protocol, was attacked on January 4 and drained nearly $500,000 due to a smart contract vulnerability. The two attacks used different methods and did not appear to be related.