Delta Prime, a decentralized finance (DeFi) protocol, has suffered a massive security breach, resulting in the theft of approximately $6 million. The attacker exploited a vulnerability by creating an enormous number of deposit receipt tokens.
The incident, revealed through Arbiscan data, shows that the hacker minted over 115 duovigintillion (1.1 x 10^69) Delta Prime USD (DPUSDC) tokens.
Despite the overwhelming number of tokens created, the attacker only redeemed $2.4 million worth of them.
In addition to DPUSDC, the attacker minted similarly astronomical amounts of Delta Prime Wrapped Bitcoin (DPBTCb), Delta Prime Wrapped Ether (DPWETH), and Delta Prime Arbitrum (DPARB).
They managed to redeem a fraction of these tokens, extracting more than $1 million in various cryptocurrencies including Bitcoin, Ether, and Arbitrum.
Blockchain security expert Chaofan Shou has estimated the total theft to be around $6 million.
The breach was made possible when the attacker gained control of an admin account and manipulated upgrade functions in the protocol’s liquidity pool contracts.
This allowed them to redirect the contracts to malicious code that facilitated the minting of an unbounded number of deposit receipts.
Delta Prime acknowledged the attack on social media, confirming the loss of $5.98 million.
They assured users that the Avalanche version of the protocol is unaffected and that insurance measures are in place to cover potential losses.
This incident highlights the risks associated with upgradeable smart contracts in DeFi. While the ability to update contracts can help fix bugs, it also introduces centralization risks that can be exploited by attackers.
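The two on-chain signals in the breach described above, a pool contract pointed at new code and receipt tokens minted without bound, can both be monitored. The following Python is an added example, not code from Delta Prime or from the original article: it scans event logs for upgrades to implementations outside a reviewed set and for mints larger than the pool's underlying assets. It assumes the pool proxies emit the EIP-1967 `Upgraded(address)` event and standard ERC-20 `Transfer` events; the function names, addresses, balances and log entries are all constructed for illustration.

```python
# Added example: flag unapproved proxy upgrades and implausibly large mints.
# Assumption: pools are EIP-1967 proxies whose receipt token is the proxy itself.

# Well-known event signature hashes (topic0).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)
ZERO_TOPIC = "0x" + "00" * 32  # indexed zero address: marks a mint

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def scan(logs, approved_impls, pool_assets):
    """Return alerts for monitored pool proxies.

    approved_impls: proxy -> set of implementation addresses that passed review
    pool_assets:    proxy -> underlying asset balance, in token base units
    """
    alerts = []
    for log in logs:
        proxy = log["address"].lower()
        if proxy not in approved_impls:
            continue  # not a contract we monitor
        topics = log["topics"]
        if topics[0] == UPGRADED:
            impl = topic_to_address(topics[1])
            if impl not in approved_impls[proxy]:
                alerts.append(("UNAPPROVED_UPGRADE", proxy, impl))
        elif topics[0] == TRANSFER and topics[1] == ZERO_TOPIC:
            amount = int(log["data"], 16)
            # Assumed sanity bound: one mint should never exceed total assets.
            if amount > pool_assets[proxy]:
                alerts.append(("MINT_EXCEEDS_ASSETS", proxy, amount))
    return alerts

def pad(addr):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + "00" * 12 + addr[2:]

# Constructed sample data (not real addresses or transactions).
POOL, GOOD_IMPL = "0x" + "a1" * 20, "0x" + "b2" * 20
ROGUE_IMPL, USER = "0x" + "c3" * 20, "0x" + "d4" * 20
SAMPLE_LOGS = [
    {"address": POOL, "topics": [UPGRADED, pad(GOOD_IMPL)], "data": "0x"},
    {"address": POOL, "topics": [TRANSFER, ZERO_TOPIC, pad(USER)], "data": hex(5_000 * 10**6)},
    {"address": POOL, "topics": [UPGRADED, pad(ROGUE_IMPL)], "data": "0x"},
    {"address": POOL, "topics": [TRANSFER, ZERO_TOPIC, pad(USER)], "data": hex(2**256 - 1)},
]
ALERTS = scan(SAMPLE_LOGS, {POOL: {GOOD_IMPL}}, {POOL: 3_000_000 * 10**6})
```

In the constructed logs, the reviewed upgrade and the ordinary deposit pass silently, while the upgrade to an unreviewed implementation and the oversized mint that follows it each raise an alert.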