Steadefi Loses $1.14 Million to Deployer Address Compromise

Summary

Steadefi, a yield farming platform on Arbitrum and Avalanche, reported a loss of $1.14 million due to a compromised deployer address. The compromise allowed the attacker to assume control over the platform’s vault contracts and borrow all available funds without authorization. As a result, the total value locked (TVL) in Steadefi dropped from over $2 million to almost $0. The funds were converted to approximately 625 ETH and sent to Tornado Cash. In response, Steadefi issued an on-chain bounty plea, asking the exploiter to return 90% of the funds and keep the rest as a bounty.

Attackers

The identity of the attacker is unknown. The following addresses are associated with this attack:

Losses

Steadefi lost approximately $1,140,000 in total.

Timeline

  • August 7, 2023, 06:01 PM UTC: The first malicious transaction occurred.
  • August 7, 2023, 06:29 PM UTC: The Steadefi team sent an on-chain message to the hacker offering a bounty of 10% of the stolen funds.
  • August 7, 2023, 07:33 PM UTC: The Steadefi team reported the exploit.
  • August 7, 2023, 08:49 PM UTC: The team published a brief overview of the incident.
  • August 12, 2023, 08:27 AM UTC: Hacker began sending stolen funds to Tornado Cash.

Security Failure Causes

  • Private Key Compromise: The core vulnerability in this incident stemmed from the compromise of the deployer address, a critical security flaw that allowed the attacker to manipulate Steadefi’s smart contracts.