Decoding DeltaPrimeDefi’s $4.75 Million Exploit
Overview
On November 11th, 2024, DeltaPrime suffered a second significant exploit just two months after losing $6 million due to a private key breach.
This time, a missing input validation check in their periphery adaptor contract led to a $4.85 million loss across the Arbitrum and Avalanche chains. The attacker exploited the protocol’s vulnerabilities with a flash loan on Arbitrum, draining $753K, followed by a more significant $4.1M exploit on Avalanche using the same technique. Notably, the attacker reinvested the stolen funds into yield farming positions across multiple protocols, demonstrating a calculated approach.
About Project
DeltaPrime is a trustless borrowing platform on Avalanche and Arbitrum. Depositors can lend out funds by depositing an asset into one of the liquidity pools (e.g. $AVAX or $ARB).
Borrowers can then borrow these assets and pay interest on them. The interest rate depends on the supply of and demand for that asset.
Exploit Details
Arbitrum details: attacker addresses 0xb8788, 0x56e7f; attacker contract address 0x0B2Bcf06F740C322BC7276b6b90dE08812cE9bfE.
Avalanche details: attacker addresses 0xd3d53, 0xd538; attack transaction 0xece4e.
Attack Process
The attacker initiated a flash loan of 59.9 ETH, which was used as collateral within the DeltaPrime protocol to borrow additional assets.
The _repayAmount parameter in the swapDebtParaSwap function lacked validation before being passed to the swap adapter contract.
Using this flaw, the attacker borrowed 1.18 WBTC using the 59.9 ETH as collateral and redirected the borrowed WBTC instead of repaying the loan.
The DeltaPrime protocol failed to verify whether the borrowed amount was actually repaid.
This allowed the attacker to retain both the collateral (59.9 ETH) and the borrowed WBTC.
The attacker then targeted the TraderJoeV2Facet contract, where the claimReward function allows users to claim rewards.
The pair parameter, crucial for identifying reward eligibility, lacked proper validation.
The attacker passed their malicious contract address as the pair parameter.
The malicious contract was designed to wrap the attacker’s ETH collateral into WETH and to manipulate DeltaPrime’s internal balances to make the protocol believe the attacker was entitled to a 59.9 ETH reward.
The protocol, unaware of the manipulation, incorrectly transferred 59.9 ETH as a reward to the attacker.
The same vulnerabilities in swapDebtParaSwap and claimReward were exploited on DeltaPrime’s Avalanche deployment.
Instead of laundering the stolen funds, the attacker reinvested them in various DeFi protocols to generate passive income:
- $600K staked in Stargate (USDC).
- $518K added as liquidity (USDC/USDT) on LFJ.
- 4,865 AVAX, 49.68 WETH.e, and 6.34 BTC.b diversified and staked.
The Root Cause
The root cause of the DeltaPrime exploit lies in two critical vulnerabilities. First, the swapDebtParaSwap function failed to validate _repayAmount, allowing the attacker to redirect borrowed assets (e.g., WBTC) to their malicious contract without triggering a repayment.
Second, the claimReward function did not validate the pair parameter, enabling the attacker to pass a malicious contract that manipulated internal balances and tricked the protocol into paying out excessive rewards.
Flow of Funds
The above vulnerabilities allowed the attacker to bypass repayment checks, drain collateral, and claim unearned rewards, ultimately resulting in a loss of approximately $4.75M.
Post Exploit Scenes
Here is how M2 responded to the exploit on their official X account:
How could they have prevented the Exploit?
- Validate all user inputs, such as _repayAmount in the swapDebtParaSwap function and the pair parameter in the claimReward function.
- Ensure borrowed amounts are checked against collateral and system rules to prevent manipulation of loan and reward mechanics.
- Avoid arbitrary contract calls and enforce restrictions on external contract addresses, especially in critical functions like claimReward.
- Collaborate with reputable auditors like QuillAudits to analyse smart contracts and identify vulnerabilities.
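The two checks recommended above, written out as an added Solidity sketch that is not DeltaPrime's code (the contract, interface and function names here are hypothetical): the debt swap verifies on-chain that the account's debt really fell by the requested repay amount instead of trusting the parameter, and the reward claim only accepts a pair address that a trusted registry recognises, so a caller-supplied contract can no longer run inside the reward path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces; not DeltaPrime's real contracts.
interface IPool {
    function getBorrowed(address account) external view returns (uint256);
}
interface ISwapAdapter {
    // Swaps collateral and repays `repayAmount` of the account's debt to the pool.
    function swapAndRepay(bytes calldata swapData, uint256 repayAmount) external;
}
interface IPairRegistry {
    function isPair(address pair) external view returns (bool);
}
interface IRewardPair {
    function claimRewards(address to) external;
}

contract HardenedAccount {
    IPool public immutable debtPool;           // pool this account borrows from
    ISwapAdapter public immutable adapter;     // single trusted adapter, not caller-supplied
    IPairRegistry public immutable registry;   // trusted list of legitimate pair contracts
    address public immutable owner;
    error NotOwner();
    error ZeroAmount();
    error PairNotWhitelisted(address pair);
    error RepaymentMismatch(uint256 expected, uint256 actual);
    constructor(IPool pool_, ISwapAdapter adapter_, IPairRegistry registry_) {
        debtPool = pool_; adapter = adapter_; registry = registry_; owner = msg.sender;
    }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    // Reject a zero repay amount and verify on-chain that the debt actually dropped
    // by at least `repayAmount`, instead of trusting the parameter as-is.
    function swapDebt(bytes calldata swapData, uint256 repayAmount) external onlyOwner {
        if (repayAmount == 0) revert ZeroAmount();
        uint256 debtBefore = debtPool.getBorrowed(address(this));
        adapter.swapAndRepay(swapData, repayAmount);
        uint256 repaid = debtBefore - debtPool.getBorrowed(address(this)); // reverts if debt grew
        if (repaid < repayAmount) revert RepaymentMismatch(repayAmount, repaid);
    }

    // Only a pair known to the trusted registry may be called; an arbitrary
    // caller-supplied contract cannot execute code inside the reward path.
    function claimReward(address pair) external onlyOwner {
        if (!registry.isPair(pair)) revert PairNotWhitelisted(pair);
        IRewardPair(pair).claimRewards(address(this));
    }
}
```

The debt check measures the pool's own accounting before and after the adapter call, so a swap that diverts the tokens elsewhere reverts the whole transaction rather than leaving the loan outstanding.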
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.