Affine Protocol Exploit: A $88,000 Loss Due to Smart Contract Flaw

February 1, 2024

Summary #

Affine Protocol, a provider of cross-chain investment and savings solutions on the Ethereum Mainnet, suffered a significant exploit on February 1, 2024, resulting in a loss of $88,000. The incident was traced to a smart contract vulnerability involving insufficient user data validation. The attacker exploited a flash loan callback function in the strategy contract, manipulating it to liquidate its position and redirect funds. Affine Protocol deployed enhanced security protocols, including stricter access controls and rigorous validation processes for user inputs and transactions, and developed a remediation plan to compensate affected users.

Attackers #

The identity of the attacker is unknown.

Hacker Ethereum wallet:

0x09f6be2a7d0d2789f01ddfaf04d4eaa94efc0857

Losses #

Losses amounted to 38.93 ETH worth $88,000

Timeline #

February 1, 2024, 10:16 AM UTC: The first malicious transaction occurred.
February 1, 2024, 01:56 PM UTC: Affine Protocol sent on-chain message to the hacker offering a bounty of the stolen funds.
February 1, 2024, 03:02 PM UTC: Affine Protocol reported about the exploit.
February 13, 2024: Affine Protocol published exploit post-mortem and remediation plan.

Security Failure Causes #

Smart Contract Vulnerability: The incident’s root cause was the flawed validation processes within Affine’s smart contract.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam