Exactly Protocol Bridge Suffers $7.6 Million Security Breach
Summary
Exactly Protocol on Optimism faced a critical security breach on August 18, resulting in a loss of around $7.6 million. The attackers exploited a vulnerability by manipulating market address inputs, allowing them to bypass key security checks within the protocol. This manipulation gave them unauthorized access to a deposit function, which they executed maliciously, leading to the theft of a substantial amount of USDC from users.
Attackers
The identity of the hackers who attacked Multichain is unknown.
Hacker Optimism Wallets:
- 0x3747dbbcb5c07786a4c59883e473a2e38f571af9
- 0xe4f34a72d7c18b6f666d6ca53fbc3790bc9da042
- 0x417179df13ba3ed138b0a58eaa0c3813430a20e0
Losses
Exactly Protocol estimated the losses from the hack to be $7.6 million. Stolen assets included:
- 5,037,975 USDC
- 1,535 ETH (2,535,820 USD)
- 13,912 OP (21,980 USD)
- 8.45 wstETH (16,139 USD)
Timeline
- August 18, 2023, 09:11:33 AM UTC: The first malicious transaction occurred.
- August 18, 2023, 07:10 PM UTC: Exactly Protocol reported a security breach and suspended operations.
- August 18, 2023, 08:33:59 PM UTC: The Exactly Protocol team communicated with the hacker, proposing a deal to recover the stolen assets in exchange for a 10% reward, alongside a promise of no legal action.
- August 20, 2023, 11:50 PM UTC: Exactly Protocol announced the resumption of work.
- August 30, 2023: Exactly Protocol published a post-mortem of the exploit.
Security Failure Causes
- Smart Contract Vulnerability: The attack was facilitated by exploiting a smart contract vulnerability that allowed for the manipulation of market address inputs, effectively bypassing the protocol’s critical security checks.