Exactly Protocol Bridge Suffers $7.6 Million Security Breach

Summary

Exactly Protocol on Optimism faced a critical security breach on August 18, resulting in a loss of around $7.6 million. The attackers exploited a vulnerability by manipulating market address inputs, allowing them to bypass key security checks within the protocol. This manipulation granted them unauthorized access to execute a deposit function maliciously, leading to the theft of a substantial amount of USDC from users.

Attackers

The identity of the hackers who attacked Multichain is unknown.

Hacker Optimism Wallets:

Losses

Exactly Protocol estimated the losses from the hack to be $7.6 million. Stolen assets included:

  • 5,037,975 USDC
  • 1,535 ETH (2,535,820 USD)
  • 13,912 OP (21,980 USD)
  • 8.45 wstETH (16,139 USD)

Timeline

  • August 18, 2023, 09:11:33 AM +UTC: The first malicious transaction occurred.
  • August 18, 2023, 07:10 PM +UTC: Exactly Protocol reported a security breach and suspended operations.
  • August 18, 2023, 08:33:59 PM +UTC: Exactly Protocol team communicated with the hacker, proposing a deal to recover the stolen assets in exchange for a 10% reward, alongside a promise of no legal action.
  • August 20, 2023, 11:50 PM +UTC: Exactly Protocol announced the resumption of work.
  • August 30, 2023: Exactly Protocol published a post-mortem of the exploit.

Security Failure Causes

  • Smart Contract Vulnerability: The attack was facilitated by exploiting a smart contract vulnerability that allowed for the manipulation of market address inputs, effectively bypassing the protocol’s critical security checks.
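
The missing check described above, as an added example (not Exactly Protocol's code and not taken from its post-mortem): a simplified helper contract that accepts a caller-supplied market address, shown without and with validation against the protocol's own list of markets. The contract, interfaces, registry and function names are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration. All names are hypothetical, not Exactly Protocol code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMarket {
    function asset() external view returns (address);
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

interface IMarketRegistry {
    // Assumed to return true only for markets the protocol itself has listed.
    function isListed(address market) external view returns (bool);
}

contract Periphery {
    IMarketRegistry public immutable registry;

    error UnknownMarket(address market);

    constructor(IMarketRegistry registry_) {
        registry = registry_;
    }

    // Weak form: `market` is whatever the caller passes, so the asset it
    // reports and the result of deposit() are chosen by the caller.
    function depositUnchecked(IMarket market, uint256 assets) external returns (uint256) {
        return _deposit(market, assets);
    }

    // Hardened form: reject unlisted addresses before any external call.
    function depositChecked(IMarket market, uint256 assets) external returns (uint256) {
        if (!registry.isListed(address(market))) revert UnknownMarket(address(market));
        return _deposit(market, assets);
    }

    function _deposit(IMarket market, uint256 assets) private returns (uint256) {
        IERC20 token = IERC20(market.asset());
        require(token.transferFrom(msg.sender, address(this), assets), "transfer failed");
        require(token.approve(address(market), assets), "approve failed");
        return market.deposit(assets, msg.sender);
    }
}
```

A review or static-analysis pass can use the same rule: any external or public function that takes a market address should reach an allowlist check before its first call to that address.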