- Attacker leveraged an upgrade feature in Delta Prime to create vast amounts of tokens.
- Assets worth over $6 million, including Bitcoin, Ether, and various stablecoins, were stolen.
- This incident highlights the vulnerabilities of upgradable contracts in decentralized finance.
Delta Prime, a DeFi platform based on the Arbitrum network, has recently experienced a substantial cyber breach where a hacker exploited a flaw in the token minting mechanism, draining more than $6 million from its liquidity pools.
The attack initiated when the hacker took over Delta Prime’s administrator account, presumably through the theft of the developer’s private key.
Chronology of the Delta Prime hack
With access to the administrator wallet, the hacker manipulated the upgrade function to alter several liquidity pool contracts. These contracts were associated with proxy addresses, which are designed to enable developers to apply software updates.
However, rather than implementing legitimate updates, the attacker redirected the contracts to harmful versions that permitted the creation of unrestricted quantities of tokens.
According to blockchain data from Arbiscan, the hacker initially minted an unimaginable amount of over 115 duovigintillion Delta Prime USD (DPUSDC) tokens, a figure equivalent to 1.1*10^69 in scientific notation.
DPUSDC acts as a deposit receipt token for the USDC stablecoin, designed for redemption at a 1:1 ratio.
Although they minted an enormous total of DPUSDC, the hacker only redeemed $2.4 million worth of USDC.
The same exploitation method was utilized on other deposit receipt tokens like Delta Prime Wrapped Bitcoin (DPBTCb), Delta Prime Wrapped Ether (DPWETH), and Delta Prime Arbitrum (DPARB). The attacker generated vast quantities of these tokens and redeemed just a small proportion, ultimately stealing over $6 million in various assets, including Bitcoin, Ether, Arbitrum, and USDC.
Cyvers, an on-chain security firm, was among the first to alert the community about the attack, indicating initial losses of $4.5 million before they quickly rose as the hacker continued to siphon funds.
🚨ALERT🚨@DeltaPrimeDefi has encountered a security breach involving their admin keys.
The attacker gained control of the private key of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb
and subsequently upgraded the proxy!Currently, $5.93M has been drained!
Want to safeguard your company from our alerts? Discover more… https://t.co/yOmNZJyp5l pic.twitter.com/lztFvXVmfI
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 16, 2024
Blockchain security expert Chaofan Shou later confirmed the total losses amounted to approximately $6 million.
Delta Prime @DeltaPrimeDefi admin private key has been compromised. All liquidity pools are drained, leading to a loss of $7M so far. Withdraw funds immediately!https://t.co/uNn5nZoHp3 pic.twitter.com/se3RebRjpX
— Chaofan Shou (@shoucccc) September 16, 2024
This incident highlights the dangers associated with upgradable contracts within the DeFi space. While such contracts enable developers to rectify post-launch issues, they also present centralization risks if an administrative account is compromised, as demonstrated in the Delta Prime incident.
The Delta Prime attack is part of a wider pattern of high-profile breaches in DeFi, with industry experts cautioning that future threats may target larger entities, including Bitcoin exchange-traded funds (ETFs) that manage billions in digital assets.
