Seneca Protocol hacker returns $5.3 million worth of Ether (ETH) after exploiting a bug in the protocol's approval mechanism. The vulnerability stemmed from a function that made external calls without validating its inputs. Seneca confirms 80% of the funds have been returned.

The hacker behind the Seneca Protocol breach has returned a substantial portion of the stolen funds, amounting to $5.3 million worth of Ether (ETH). This comes after the hacker initially siphoned $6.4 million from deployments on both the Ethereum and Arbitrum networks. Investigations into the incident revealed that the exploit took advantage of a bug in the protocol's smart contract approval mechanism.

Recently, the stablecoin protocol announced that it was cooperating with law enforcement, but it also offered the attacker a way out: no legal action would be pursued if 80% of the funds were returned, with the remaining 20% treated as a reward.

Hacker Returns Majority of Stolen Funds

The vulnerability in the Seneca protocol stemmed from a flaw in the 'performOperations' function of its smart contract code. This function made external calls on behalf of the contract, but it did not validate the target address or the calldata it was handed.

The absence of input validation represents a significant oversight in smart contract development. Exploiting this flaw, the attacker crafted the function's parameters so that the contract made an external call to an attacker-chosen address with attacker-chosen calldata; in effect, the attacker could make the Seneca contract invoke any contract on the blockchain with arbitrary data.

Because those calls originate from the vulnerable contract itself, the called contracts see the Seneca contract, not the attacker, as the caller. Any token holder who had granted the compromised contract an allowance was therefore exposed: the attacker had the contract call the token's transfer-from function and moved assets out of addresses that had authorized the compromised contracts as a spender.
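The pattern described above, shown as an added illustration in Solidity. This is not Seneca's code and does not claim to reproduce its contract; the contract names, the batch `performOperations(targets, data)` signature, the allow-list fields and the `DrainPayload` helper are all assumptions chosen to make the mechanism concrete. The vulnerable contract forwards caller-supplied target/calldata pairs unchecked; the hardened version gates every call on an owner-controlled target and selector allow-list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the illustration (hypothetical interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (illustrative, not Seneca's code): a batch "operations"
// entry point that forwards caller-supplied target/calldata pairs unchecked.
// Every address that approved this contract as a token spender is exposed,
// because token.transferFrom(victim, ...) executes with this contract as
// msg.sender, i.e. as the approved spender.
contract VulnerableOperations {
    function performOperations(address[] calldata targets, bytes[] calldata data)
        external
    {
        require(targets.length == data.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            // Neither the target nor the function selector is validated.
            (bool ok, ) = targets[i].call(data[i]);
            require(ok, "call failed");
        }
    }
}

// Attacker-side helper (hypothetical): builds the payload that, passed as data[i]
// with the token contract as targets[i], drains `victim`'s approved balance to
// `attacker` through the vulnerable contract above.
contract DrainPayload {
    function build(address victim, address attacker, uint256 amount)
        external pure returns (bytes memory)
    {
        return abi.encodeCall(IERC20.transferFrom, (victim, attacker, amount));
    }
}

// HARDENED PATTERN: every external call must hit an allow-listed target AND an
// allow-listed function selector. The allow-lists are owner-controlled, so an
// ordinary caller cannot add a token contract or transferFrom to them.
contract HardenedOperations {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    mapping(bytes4 => bool) public allowedSelector;

    error NotOwner();
    error TargetNotAllowed(address target);
    error SelectorNotAllowed(bytes4 selector);
    error CallFailed(uint256 index);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function setSelector(bytes4 selector, bool allowed) external onlyOwner {
        allowedSelector[selector] = allowed;
    }

    function performOperations(address[] calldata targets, bytes[] calldata data)
        external
    {
        require(targets.length == data.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            if (!allowedTarget[targets[i]]) revert TargetNotAllowed(targets[i]);
            // A payload shorter than 4 bytes carries no selector; reject it rather
            // than letting it land in the target's fallback/receive function.
            require(data[i].length >= 4, "missing selector");
            bytes4 selector = bytes4(data[i][:4]);
            if (!allowedSelector[selector]) revert SelectorNotAllowed(selector);
            (bool ok, ) = targets[i].call(data[i]);
            if (!ok) revert CallFailed(i);
        }
    }
}
```

Two caveats for anyone applying the hardened pattern. First, the allow-lists only help if the operator never adds a token contract that users have approved together with `transferFrom`; keying the allow-list on the (target, selector) pair rather than on two independent sets makes that mistake harder. Second, fixing the contract does nothing for allowances that already exist: a user who approved a contract that can be made to issue arbitrary calls stays exposed until that allowance is revoked or the approved contract is replaced.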

Daniel Von Fange, a crypto security researcher, reportedly discovered the flaw before the exploit but was purportedly removed from the project's Discord server, where mentions of the vulnerability were said to be erased by the team.

According to the latest update from PeckShield, the exploiter transferred 1,537 ETH to a Seneca address, the primary address associated with the exploit. The hacker retained 300 ETH, valued at approximately $1 million, as the 20% reward offered by Seneca, and subsequently moved that ETH to two separate addresses.

Seneca Protocol experienced a significant breach on February 28th, resulting in an 80% decline in its native token SEN within a single day. Initial estimates put losses at around $3 million, but further investigation revealed that over 1,900 ETH, valued at around $6.4 million, had been stolen.

Following the breach, Seneca issued a statement confirming collaboration with experts to investigate the exploit. Additionally, the protocol announced a $1.2 million reward for the recovery of the stolen funds.

Seneca's Confirmation of Returns

In an official update on Wednesday, Seneca confirmed that 80% of the funds have been successfully returned. They clarified that the exploit primarily targeted assets held in users' wallets, emphasizing that funds held by Seneca itself remained unaffected.

Instead, the exploit focused on external user assets within the Seneca ecosystem.

"The Chamber code deployed is the exact same as that which underwent the audit, except for fixes explicitly suggested by the auditing company and implemented in the precise ways indicated. An audit is in no way a guarantee of absolute safety, but it's worth noting that Seneca chose to work with a major auditing company for the very purpose of securing the Chamber contract."