In a concerning trend for the decentralized finance, or DeFi space, two prominent protocols – Exactly and Harbor – have fallen victim to separate attacks. These incidents, the latest in a string of recent exploits, have highlighted the vulnerabilities that can arise within the relatively new and experimental world of DeFi.
Exactly, a credit market operating on the Optimism network, clearly did not see it coming. The attack, first uncovered by blockchain security firm DeDotFi, involved hackers exploiting a weakness in Exactly’s smart contracts. Security firm PeckShield said on X (formerly Twitter) that it had “detected an ongoing attack.”
Update: After a thorough review of the Exactly Protocol Hack, we have concluded that the total of stolen amount up to date is ~$7.2M (4323.6 $ETH)
— De.Fi Web3 Antivirus (@DeDotFiSecurity) August 18, 2023
DeFi Under Attack
The attackers managed to siphon off approximately 4,323.6 Ether (ETH), valued at around $7.3 million at the time of the breach. To execute their scheme, the attackers utilized the Across Protocol to cart away with 1,490 ETH and the Optimism Bridge for 2,832.92 ETH, transferring stolen assets to the Ethereum network.
Hi @exactlyprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.
Here is the encrypted hash: 20bae0a96e90d5590a98bc81a16c2b1e8e96eba8248f266c244870d18232b258. Actual hash will be released once the situation is stable.
— PeckShield Inc. (@peckshield) August 18, 2023
Meanwhile, DeFi protocol Harbor also fell victim to a hack on the same day. The interchain stablecoin protocol confirmed the breach, revealing losses from its stable-mint as well as its vaults containing stOSMO, LUNA, and WMATIC.
Although the exact amount of assets stolen remains unclear, Harbor is actively engaged in tracing the funds and gauging the extent of the damages.
1/ Dear Harbor Community,
It has come to our notice that Harbor protocol has been exploited over the past few hours, resulting in a drain on a portion of the funds sitting in the stable-mint and stOSMO, LUNA and WMATIC vaults.
— Harbor Protocol (@Harbor_Protocol) August 19, 2023
No Let-Up From Hackers
Exactly’s vulnerability was related to the DebtManager periphery contract, as attackers used a malicious market contract address to bypass permit checks and execute a malevolent deposit function.
The exact motive behind these attacks is yet to be ascertained, but it’s evident that the immense liquidity available within bridge protocols like Exactly and Harbor presents an appealing target for hackers.
Robust Safety Nets A Must
This recent wave of DeFi breaches is part of a series of security incidents that have plagued the ecosystem. In July, a vulnerability in the Vyper programming language resulted in a staggering theft of more than $61 million from the stable pools on Curve Finance.
Other protocols such as Earn.Finance and Zunami Protocol also suffered losses, further highlighting the challenges and risks associated with this evolving landscape.
As DeFi protocols continue to innovate, these incidents serve as a stark reminder of the need for robust security measures and thorough testing before deploying new solutions.
Featured image from EC-Council