Decoding DeltaPrimeDefi’s $4.75 Million Exploit

QuillAudits - Web3 Security 🛡️
Published in Coinmonks
4 min read · Nov 20, 2024

Overview

On November 11th, 2024, DeltaPrime suffered its second significant exploit in two months, having already lost about $6 million to a private key compromise.

This time, missing input validation in the protocol's periphery adapter contracts led to a loss of roughly $4.85 million across Arbitrum and Avalanche. The attacker first used a flash loan on Arbitrum to drain about $753K, then repeated the same technique on Avalanche for a larger haul of about $4.1M. Rather than cashing out, the attacker redeployed the stolen funds into yield-farming positions across several protocols, a sign of a planned rather than opportunistic operation.

About Project

DeltaPrime is a trustless borrowing platform on Avalanche and Arbitrum. Depositors lend by placing an asset into one of the liquidity pools (e.g. $AVAX or $ARB).

Borrowers then borrow these assets and pay interest on them; the interest rate is set by the supply and demand for each asset.

Exploit Details

Arbitrum:
  • Attacker addresses: 0xb8788, 0x56e7f
  • Attacker contract address: 0x0B2Bcf06F740C322BC7276b6b90dE08812cE9bfE

Avalanche:
  • Attacker addresses: 0xd3d53, 0xd538
  • Attack transaction: 0xece4e

Attack Process

The attacker took a flash loan of 59.9 ETH and deposited it as collateral in DeltaPrime to borrow further assets against it.

The swapDebtParaSwap function forwarded the caller-supplied _repayAmount to the swap adapter contract without validating it.

Using this flaw, the attacker borrowed 1.18 WBTC against the 59.9 ETH and routed the borrowed WBTC to their own contract instead of using it to repay the debt.

The protocol never verified that the debt had actually been reduced by the amount it was told had been repaid.

As a result, the attacker kept both the collateral (59.9 ETH) and the borrowed WBTC.
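The debt-swap flaw, rendered as a simplified Solidity illustration added here. This is not DeltaPrime's code: the ILendingPool and IERC20 interfaces, the adapter call shape and the function names are assumptions for the example. The vulnerable contract trusts the caller's `_repayAmount`; the hardened one performs the repayment itself and checks the pool's debt and its own token balances before and after.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this illustration (not DeltaPrime's own).
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function approve(address s, uint256 v) external returns (bool);
}

interface ILendingPool {
    function debtOf(address borrower) external view returns (uint256);
    function borrow(uint256 amount) external;  // assumed: mints debt, sends tokens to msg.sender
    function repay(uint256 amount) external;   // assumed: pulls tokens via transferFrom, burns debt
}

/// Vulnerable shape: the adapter receives the freshly borrowed asset and is
/// simply trusted to swap it and repay `_repayAmount` of the old debt.
contract DebtSwapVulnerable {
    ILendingPool public immutable oldPool;   // debt that should shrink
    ILendingPool public immutable newPool;   // debt that grows
    IERC20 public immutable newAsset;

    constructor(ILendingPool _oldPool, ILendingPool _newPool, IERC20 _newAsset) {
        oldPool = _oldPool; newPool = _newPool; newAsset = _newAsset;
    }

    function swapDebt(address adapter, bytes calldata adapterData,
                      uint256 borrowAmount, uint256 _repayAmount) external {
        newPool.borrow(borrowAmount);               // take on new debt (e.g. WBTC)
        newAsset.approve(adapter, borrowAmount);    // hand it to an arbitrary adapter
        (bool ok, ) = adapter.call(adapterData);    // attacker-controlled code runs here
        require(ok, "adapter call failed");
        // BUG: `_repayAmount` is never checked against anything. The adapter can
        // keep `borrowAmount` while the account still holds all of its collateral.
        _repayAmount;
    }
}

/// Hardened shape: allowlisted adapter, the facet does the repayment itself,
/// and the effect is verified with before/after deltas instead of trusted inputs.
contract DebtSwapHardened {
    ILendingPool public immutable oldPool;
    ILendingPool public immutable newPool;
    IERC20 public immutable oldAsset;
    IERC20 public immutable newAsset;
    address public immutable owner;
    mapping(address => bool) public allowedAdapter;

    constructor(ILendingPool _oldPool, ILendingPool _newPool, IERC20 _oldAsset, IERC20 _newAsset) {
        oldPool = _oldPool; newPool = _newPool; oldAsset = _oldAsset; newAsset = _newAsset;
        owner = msg.sender;
    }

    function setAllowedAdapter(address adapter, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedAdapter[adapter] = ok;
    }

    function swapDebt(address adapter, bytes calldata adapterData,
                      uint256 borrowAmount, uint256 _repayAmount) external {
        require(allowedAdapter[adapter], "adapter not allowlisted");
        uint256 debtBefore = oldPool.debtOf(address(this));
        require(_repayAmount > 0 && _repayAmount <= debtBefore, "bad _repayAmount");
        uint256 oldBalBefore = oldAsset.balanceOf(address(this));

        newPool.borrow(borrowAmount);
        newAsset.approve(adapter, borrowAmount);
        (bool ok, ) = adapter.call(adapterData);    // swap newAsset -> oldAsset
        require(ok, "adapter call failed");
        newAsset.approve(adapter, 0);               // revoke any leftover allowance

        // The swap must have delivered enough of the old asset to cover the repayment.
        // (0.8 checked arithmetic also reverts if the adapter drained oldAsset instead.)
        uint256 received = oldAsset.balanceOf(address(this)) - oldBalBefore;
        require(received >= _repayAmount, "swap shortfall");

        // Repay from this contract, then confirm the pool's view of the debt moved as claimed.
        oldAsset.approve(address(oldPool), _repayAmount);
        oldPool.repay(_repayAmount);
        require(debtBefore - oldPool.debtOf(address(this)) == _repayAmount, "debt not reduced");
    }
}
```

The key difference is where the trust boundary sits: in the vulnerable shape the borrowed tokens and the repayment obligation both leave the facet and nothing comes back to be checked, whereas the hardened shape never lets an external contract decide how much debt was repaid. A solvency check on the whole account after the swap (omitted here) would be the natural final post-condition.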

The attacker then turned to the TraderJoeV2Facet contract, whose claimReward function lets an account collect liquidity-provision rewards.

The pair parameter, which identifies the pool whose rewards are being claimed and therefore decides reward eligibility, was not validated.

The attacker passed the address of their own malicious contract as the pair parameter.

That contract, when called, wrapped the account's ETH collateral into WETH and manipulated DeltaPrime's internal balance accounting so that the protocol treated the 59.9 ETH as a reward owed to the attacker.

The protocol, unaware of the manipulation, paid out 59.9 ETH as a reward to the attacker.
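The reward-claim flaw, as an added Solidity illustration rather than the TraderJoeV2Facet's actual code. The IPairRegistry and IRewardPair interfaces, the `rewardToken`/`claimRewards`/`isPair` names and the bin-id argument are all assumptions for the example. The vulnerable contract calls whatever `pair` the caller supplies and books any balance increase as a reward; the hardened one restricts the callee, the reward token and re-entry, and refuses a claim that moved the account's native balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
}

// Assumed: a DEX factory/registry that can answer whether it created a pair.
interface IPairRegistry {
    function isPair(address pair) external view returns (bool);
}

// Assumed: a reward-bearing pair exposes its reward token and a claim entry point.
interface IRewardPair {
    function rewardToken() external view returns (address);
    function claimRewards(address to, uint256[] calldata binIds) external;
}

/// Vulnerable shape: `pair` comes from the caller, so the "pair" is attacker code,
/// and any balance increase observed afterwards is credited as earned reward.
contract RewardClaimVulnerable {
    mapping(address => uint256) public creditedReward;

    function claimReward(address pair, uint256[] calldata binIds) external {
        address token = IRewardPair(pair).rewardToken();        // attacker picks WETH
        uint256 before = IERC20(token).balanceOf(address(this));
        IRewardPair(pair).claimRewards(address(this), binIds);  // attacker code runs here
        // BUG: a fake pair that wraps this account's ETH into WETH (or re-enters the
        // account to do so) raises the WETH balance, and the delta is booked as reward.
        creditedReward[token] += IERC20(token).balanceOf(address(this)) - before;
    }
}

/// Hardened shape: only registry-created pairs, only allowlisted reward tokens,
/// no re-entry during the external call, and the native balance must not move.
contract RewardClaimHardened {
    IPairRegistry public immutable registry;
    address public immutable owner;
    mapping(address => bool) public supportedRewardToken;
    mapping(address => uint256) public creditedReward;
    uint256 private _entered = 1;

    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(IPairRegistry _registry) {
        registry = _registry;
        owner = msg.sender;
    }

    function setSupportedRewardToken(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        supportedRewardToken[token] = ok;
    }

    function claimReward(address pair, uint256[] calldata binIds) external nonReentrant {
        require(registry.isPair(pair), "pair not created by registry");
        address token = IRewardPair(pair).rewardToken();
        require(supportedRewardToken[token], "unsupported reward token");

        uint256 tokenBefore  = IERC20(token).balanceOf(address(this));
        uint256 nativeBefore = address(this).balance;

        IRewardPair(pair).claimRewards(address(this), binIds);

        // Collateral held as native coin must be untouched by a reward claim; this
        // closes the wrap-ETH-into-WETH trick described above.
        require(address(this).balance == nativeBefore, "native balance changed during claim");
        creditedReward[token] += IERC20(token).balanceOf(address(this)) - tokenBefore;
    }
}
```

One caveat for a diamond-style account like DeltaPrime's: a re-entrancy guard that lives in a single facet only blocks re-entry into that facet's functions. If the fake pair can re-enter a different facet (for example one that wraps native coin), the guard must be shared across all facets, which is why the native-balance check is kept as an independent post-condition here.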

The same vulnerabilities in swapDebtParaSwap and claimReward were exploited on DeltaPrime’s Avalanche deployment.

Instead of laundering the stolen funds, the attacker reinvested them in various DeFi protocols to generate passive income:

  • $600K staked in Stargate (USDC).
  • $518K added as liquidity (USDC/USDT) on LFJ.
  • 4,865 AVAX, 49.68 WETH.e, and 6.34 BTC.b diversified and staked.

The Root Cause

The root cause of the DeltaPrime exploit lies in two missing validation checks. First, swapDebtParaSwap did not validate _repayAmount or confirm that the debt had actually been reduced, so the attacker could route the borrowed asset (WBTC) to a malicious contract without any repayment taking place.

Second, claimReward did not validate the pair parameter, so the attacker could substitute a malicious contract that manipulated internal balances and tricked the protocol into paying out an unearned reward.

Flow of Funds

Together, these two flaws let the attacker bypass repayment checks, keep the flash-loaned collateral, and claim unearned rewards, for a total loss reported at between $4.75 million and $4.85 million across both chains.

Post Exploit Scenes

Here is how the DeltaPrime team responded to the exploit on their official X account:

How could they have prevented the Exploit?

  1. Validate every user-supplied input, including _repayAmount in swapDebtParaSwap and the pair parameter in claimReward, and verify the resulting state change (debt reduced, reward actually earned) rather than trusting the input.
  2. Check borrowed amounts against collateral and protocol rules before and after each operation so that loan and reward accounting cannot be manipulated mid-call.
  3. Avoid arbitrary external calls: restrict adapters and pair addresses to known, allowlisted contracts, especially in sensitive functions like claimReward.
  4. Collaborate with reputable auditors like QuillAudits to review the smart contracts and surface vulnerabilities before deployment.

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
