Stablecoin protocol Seneca has granted a 20% reward to the attacker who gained access to at least $6.4 million in digital assets by exploiting a flaw in the approval mechanism of the protocol’s smart contract.

On February 28, various blockchain security organizations reported an exploit on the stablecoin protocol. CertiK and other companies informed users about the attack, asking them to revoke approvals from addresses on the Ethereum and Arbitrum networks. The first estimate of the losses was $3 million. However, it was later discovered that more than 1,900 Ether (ETH) worth $3,468 were taken in the exploit, totaling approximately $6.4 million.

CertiK security analysts explained that the exploit took advantage of a critical “call” vulnerability in the protocol’s smart contract. This vulnerability enabled the attacker to make external calls to any address.

In addition, the project’s contracts lacked any code that allowed the team to “pause” them. As a result, users must revoke permissions themselves.
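The revocation step described above, sketched as an added example that is not code from Seneca, CertiK or the original article: it replays ERC-20 `Approval` event logs to find allowances still open to a flagged spender and builds the `approve(spender, 0)` calldata that revokes them. All addresses and log entries are constructed placeholders, and the function names are hypothetical.

```python
# Added example. Addresses and logs below are constructed, not from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)

def _addr(topic):
    # An indexed address topic is 32 bytes; the address is the low 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, flagged_spenders):
    """Replay ERC-20 Approval events in chain order and return the
    {(token, spender): amount} entries for flagged spenders still non-zero.
    Logs give an upper bound (transferFrom may spend without an event);
    the token's allowance() view is authoritative."""
    owner = owner.lower()
    flagged = {s.lower() for s in flagged_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 reuses this signature but indexes tokenId, giving 4 topics.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        spender = _addr(t[2])
        if _addr(t[1]) == owner and spender in flagged:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, padded address, zero amount."""
    return "0x" + APPROVE_SELECTOR + spender.lower()[2:].rjust(64, "0") + "0" * 64

def _log(token, owner, spender, amount, block, extra_topic=False):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    topics = [APPROVAL_TOPIC, pad(owner), pad(spender)]
    if extra_topic:
        topics.append(pad("0x01"))
    return {"address": token, "topics": topics, "data": "0x%064x" % amount,
            "blockNumber": block, "logIndex": 0}

OWNER, FLAGGED, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN1, TOKEN2 = "0x" + "cc" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    _log(TOKEN2, OWNER, FLAGGED, 0, 105),            # later revocation
    _log(TOKEN1, OWNER, FLAGGED, 2**256 - 1, 100),   # unlimited approval
    _log(TOKEN2, OWNER, FLAGGED, 500, 101),
    _log(TOKEN1, OWNER, OTHER, 1000, 102),           # spender not flagged
    _log(TOKEN1, OWNER, FLAGGED, 0, 103, extra_topic=True),  # ERC-721 shape
]

if __name__ == "__main__":
    for (token, spender), amount in outstanding_approvals(SAMPLE_LOGS, OWNER, [FLAGGED]).items():
        print(token, "->", revoke_calldata(spender))
```

The calldata is sent by the owner to each listed token contract; because the contracts could not be paused, this per-token revocation is the only control left to the user.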

Seneca stated that it is working with specialists to determine what happened. It also offered a $1.2 million reward for the recovery of the stolen funds. Seneca requested in an on-chain message on February 29 that the hacker return 80% of the stolen funds to an Ethereum address while keeping the remaining 20%.

Seneca stated in the notification that it is working with security providers and law enforcement to trace the payments. It encouraged the hacker to return the money to avoid legal ramifications. “Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” the statement read.

Hours after Seneca’s statement, the hacker returned approximately 1,537 ETH, worth approximately $5.3 million, to the wallet address Seneca provided. The exploiter kept 300 ETH, which is worth almost $1 million, and accepted Seneca’s 20% incentive. The exploiter then moved the ETH to two separate locations.
