A hacker has successfully exploited decentralized finance (DeFi) protocol Delta Prime, siphoning off $6 million through a sophisticated token minting exploit. Only DeltaPrime Blue (Arbitrum) was affected, while the Avalanche version remains secure.
The attack involved the minting of an extraordinarily high quantity of deposit receipt tokens, specifically Delta Prime USD (DPUSDC), which are designed to represent USDC stablecoins at a 1:1 redemption ratio.Â
The breach was facilitated by the hacker gaining access to a developer’s private key, enabling them to control an admin account. Utilizing this access, the attacker executed an "upgrade" function on the liquidity pool contracts.Â
This function, meant for legitimate software updates, was manipulated to redirect each proxy to a malicious contract crafted by the hacker. Consequently, this contract allowed for the mass minting of deposit receipt tokens, draining several liquidity pools.
Security expert Chaofan Shou has estimated total losses to be approximately $7 million, attributing the exploit to vulnerabilities within the protocol's upgradeable contracts.
Despite minting over 115 duovigintillion DPUSDC tokens, the attacker redeemed only $2.4 million in USDC.
Following this initial theft, the attacker extended the exploit to other tokens within the protocol. They minted over 1 duovigintillion Delta Prime Wrapped Bitcoin (DPBTCb) and 115 octodecillion Delta Prime Wrapped Ether (DPWETH), among others, ultimately redeeming over $1 million in Bitcoin (BTC), Ether (ETH), and Arbitrum (ARB) tokens.
In a statement on X, Delta Prime acknowledged the breach, confirming that $5.98 million had been drained from DeltaPrime Blue on Arbitrum.Â
The team emphasized that only this version was affected, with the Avalanche version remaining secure. Delta Prime also assured that their insurance would cover losses where feasible.
In July, Indian crypto exchange WazirX confirmed it had suffered a multisig wallet security breach after almost $235 million in assets were suspiciously transferred out of the platform and to a new address.