A hacker was able to withdraw over $6 million from the decentralized finance (DeFi) protocol Delta Prime by minting an arbitrarily large number of deposit receipt tokens.
According to blockchain explorer Arbiscan, the attacker minted over 115 duovigintillion Delta Prime USD tokens (DPUSDC) in the initial attack, which is over 1.1*10^69 in scientific notation.
DPUSDC is a deposit receipt for the USDC stablecoin stored in Delta Prime. It is supposed to be exchangeable for USDC at a 1:1 ratio.
Despite issuing such a huge number of receipts, the attacker only burned 2.4 million of them, receiving $2.4 million in USDC stablecoin in return.
He then repeated this action with other receipts, issuing over 1 duovigintillion Delta Prime Wrapped Bitcoin (DPBTCb), 115 octodecillion Delta Prime Wrapped Ether (DPWETH), 115 octodecillion Delta Prime Arbitrum (DPARB), and many other deposit receipts. He ultimately cashed out a small portion of what was issued, receiving over $1 million in Bitcoin, Ethereum, Arbitrum tokens, and other assets.
According to blockchain security researcher Chaofan Shou, the attacker stole around $6 million. He was able to issue these deposit receipts by gaining control of an admin account, which was likely compromised by stealing a developer’s private key. Using this account, he called the “update” function on each of the protocol’s liquidity contracts.
These functions are typically used to update software. They allow a developer to change a contract’s code by pointing its proxy to a different implementation address.
However, the attacker used these functions to point each proxy to a malicious contract he had created. Each of these contracts allowed him to issue an arbitrarily large number of deposit receipts, essentially draining all of the pools.
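A monitoring check for the implementation swap described above can be run over a pool's event logs. The following is an added example, not code from Delta Prime or from the article: it assumes the proxies follow EIP-1967 and emit `Upgraded(address)`, and the pool addresses, implementation addresses and transaction hashes are constructed placeholders.

```python
# Added example (not Delta Prime code). Assumes EIP-1967 proxies, which emit
# Upgraded(address indexed implementation) whenever the implementation changes.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("not an address topic: " + topic)
    return "0x" + raw[24:]

def find_unapproved_upgrades(logs, approved):
    """Alert on Upgraded events from monitored proxies whose new implementation
    is not in that proxy's allowlist. `approved` maps proxy -> set of addresses."""
    alerts = []
    for log in logs:
        proxy, topics = log["address"].lower(), log["topics"]
        if proxy not in approved or len(topics) < 2:
            continue  # not a monitored proxy, or no indexed address to inspect
        if topics[0].lower() != UPGRADED_TOPIC:
            continue  # some other event, e.g. an ERC-20 Transfer
        impl = topic_to_address(topics[1])
        if impl not in approved[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "tx": log["transactionHash"]})
    return alerts

# Constructed sample data: every address and transaction hash is a placeholder.
POOL = "0x" + "a1" * 20        # monitored pool proxy
OTHER = "0x" + "d4" * 20       # unrelated contract, not monitored
GOOD_IMPL = "0x" + "b2" * 20   # implementation that was reviewed and approved
ROGUE_IMPL = "0x" + "c3" * 20  # implementation nobody approved
pad = lambda addr: "0x" + "0" * 24 + addr[2:]

SAMPLE_LOGS = [
    {"address": POOL, "topics": [UPGRADED_TOPIC, pad(GOOD_IMPL)], "transactionHash": "0x01"},
    {"address": POOL, "topics": [TRANSFER_TOPIC, pad(OTHER), pad(POOL)], "transactionHash": "0x02"},
    {"address": OTHER, "topics": [UPGRADED_TOPIC, pad(ROGUE_IMPL)], "transactionHash": "0x03"},
    {"address": POOL, "topics": [UPGRADED_TOPIC, pad(ROGUE_IMPL)], "transactionHash": "0x04"},
]

if __name__ == "__main__":
    for alert in find_unapproved_upgrades(SAMPLE_LOGS, {POOL: {GOOD_IMPL}}):
        print("unapproved upgrade:", alert)
```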
Delta Prime acknowledged the attack in a post on X, stating, “At 6:14 CET, DeltaPrime Blue (Arbitrum) was attacked and $5.98 million was stolen.”
They also noted that the version on Avalanche, DeltaPrime Blue, is not vulnerable to the attack. The protocol said its insurance will “cover any potential losses if necessary.”
The attack on Delta Prime highlights the risks of using DeFi protocols with contract upgrades.
The Web3 ecosystem is designed so that the theft of a private key cannot lead to exploitation of the entire protocol.
In theory, an attacker would need to steal every user’s private key to withdraw all funds. However, contract upgrades introduce an element of centralization risk that could lead to the loss of funds from the entire user base.
Some protocols, on the other hand, believe that not allowing upgrades could be even worse, as it could prevent a developer from fixing bugs discovered after deployment. Web3 developers continue to debate when protocols should and should not allow upgrades.
Smart contract exploitation remains a risk for Web3 users. On September 11, an attacker withdrew over $1.4 million from the CUT token liquidity pool using an obscure line of code referencing an unverified function in another contract.
On September 3, an attacker withdrew over $27 million from the Penpie protocol by registering their malicious contract as a token marketplace.