Exactly Protocol Bridge Suffers $7.6 Million Security Breach

August 18, 2023

Summary #

Exactly Protocol on Optimism faced a critical security breach on August 18, resulting in a loss of around $7.6 million. The attackers exploited a vulnerability by manipulating market address inputs, allowing them to bypass key security checks within the protocol. This manipulation granted them unauthorized access to execute a deposit function maliciously, leading to the theft of a substantial amount of USDC from users.

Attackers #

The identity of the hackers who attacked Multichain is unknown.

Hacker Optimism Wallets:

Losses #

Exactly Protocol estimated the losses from the hack to be $7.6 million. Stollen assets included:

5,037,975 USDC
1,535 ETH (2,535,820 USD)
13,912 OP (21980 USD)
8.45 wstETH (16,139 USD)

Timeline #

August 18, 2023, 09:11:33 AM +UTC: The first malicious transaction occurred.
August 18, 2023, 07:10 PM +UTC: Exactly Protocol reported a security breach and suspended operations.
August 18, 2023, 08:33:59 PM +UTC: Exactly Protocol team communicated with the hacker, proposing a deal to recover the stolen assets in exchange for a 10% reward, alongside a promise of no legal action.
August 20, 2023, 11:50 PM +UTC: Exactly Protocol announced the resumption of work.
August 30, 2023: Exactly Protocol published exploit Post-Mortem.

Security Failure Causes #

Smart Contract Vulnerability: The attack was facilitated by exploiting a smart contract vulnerability that allowed for the manipulation of market address inputs, effectively bypassing the protocol’s critical security checks.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam