Hacker Steals $6M from Delta Prime by Minting Excessive Tokens

Exploit Overview

A hacker has managed to drain over $6 million from the decentralized finance (DeFi) protocol Delta Prime. The attacker accomplished this by minting an arbitrarily large number of deposit receipt tokens. According to data from block explorer Arbiscan, the hacker minted over 115 duovigintillion Delta Prime USD (DPUSDC) tokens in the initial attack. This figure translates to more than 1.1*10^69 in scientific notation.

Mechanics of the Attack

DPUSDC is a deposit receipt for USDC stablecoin held at Delta Prime. It is intended to be redeemable at a 1:1 ratio for USDC. Despite minting such a large number of USDC deposit receipts, the attacker only burned 2.4 million of them, receiving $2.4 million in USDC stablecoin in exchange. The attacker repeated these steps for other deposit receipt tokens, minting over 1 duovigintillion Delta Prime Wrapped Bitcoin (DPBTCb), 115 octodecillion Delta Prime Wrapped Ether (DPWETH), and 115 octodecillion Delta Prime Arbitrum (DPARB), among others. Ultimately, the attacker redeemed a tiny fraction of the amount minted to receive over $1 million in Bitcoin (BTC), Ether (ETH), Arbitrum (ARB), and other tokens.

Method of Gaining Control

According to blockchain security specialist Chaofan Shou, the attacker stole an estimated $6 million in funds. The hacker was able to mint these deposit receipt tokens by first gaining control of an admin account ending in b1afb. This was likely accomplished by stealing the developer’s private key. Using this account, they called an “upgrade” function on each of the protocol’s liquidity pool contracts.

These functions are typically used for software upgrades and allow the developer to change the code in a contract by having its proxy point to a different implementation address. However, the attacker used these functions to point each proxy to a malicious contract that they had created, which allowed them to mint an arbitrarily large number of deposit receipts and drain each pool of funds.
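A defender can watch for this pattern on-chain. The following is an added example, not code from Delta Prime or the original article: it reviews proxy upgrade events against an allowlist of reviewed implementations and flags one sender re-pointing several pools in quick succession. It assumes the pool proxies emit the standard ERC-1967 `Upgraded(address)` event; the addresses, the allowlist, the `tx_from` field and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# topic0 of the ERC-1967 event Upgraded(address indexed implementation)
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def review_upgrades(logs, approved, window=600, burst=2):
    """Flag upgrades of watched proxies that point at an unreviewed
    implementation, and one sender re-pointing several pools in `window` s.
    approved: proxy -> set of implementation addresses signed off in review.
    Each log dict carries tx_from, joined in from the enclosing transaction."""
    alerts, seen, flagged = [], defaultdict(list), set()
    for log in sorted(logs, key=lambda l: l["timestamp"]):
        proxy, sender, now = log["address"].lower(), log["tx_from"], log["timestamp"]
        if proxy not in approved or log["topics"][0] != UPGRADED:
            continue
        # An indexed address is left-padded to 32 bytes: keep the low 20.
        impl = "0x" + log["topics"][1][-40:].lower()
        if impl not in approved[proxy]:
            alerts.append(("UNAPPROVED_IMPLEMENTATION", proxy, impl))
        seen[sender] = [(t, p) for t, p in seen[sender] if now - t <= window]
        seen[sender].append((now, proxy))
        pools = sorted({p for _, p in seen[sender]})
        if len(pools) >= burst and sender not in flagged:
            flagged.add(sender)
            alerts.append(("MULTI_POOL_UPGRADE_BURST", sender, pools))
    return alerts

# Constructed sample data: every address below is a made-up placeholder.
def addr(byte):
    return "0x" + byte * 20

POOL_A, POOL_B, POOL_C = addr("a1"), addr("b2"), addr("c3")
REVIEWED, ROGUE, ADMIN = addr("11"), addr("ee"), addr("ad")
APPROVED = {pool: {REVIEWED} for pool in (POOL_A, POOL_B, POOL_C)}

def upgraded(proxy, impl, ts):
    return {"address": proxy, "tx_from": ADMIN, "timestamp": ts,
            "topics": [UPGRADED, "0x" + "0" * 24 + impl[2:]]}

SAMPLE_LOGS = [
    upgraded(POOL_A, REVIEWED, 1000),   # routine, reviewed upgrade
    upgraded(POOL_A, ROGUE, 5000),      # three pools re-pointed within
    upgraded(POOL_B, ROGUE, 5060),      # two minutes, all at an address
    upgraded(POOL_C, ROGUE, 5120),      # nobody reviewed
    upgraded(addr("d4"), ROGUE, 5130),  # proxy we do not watch: ignored
]

if __name__ == "__main__":
    for alert in review_upgrades(SAMPLE_LOGS, APPROVED):
        print(alert)
```

An alert like this is only useful if it can trigger a response, such as pausing the pools, before redemptions drain them.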

Response from Delta Prime

Delta Prime acknowledged the attack in a post, stating that “At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M.” The protocol claimed that the Avalanche version, DeltaPrime Blue, is not vulnerable to the attack and stated that their insurance “will cover any potential losses where possible/necessary.”

Risks of Upgradeable Contracts

The Delta Prime attack illustrates the risk of DeFi protocols using upgradeable contracts. The Web3 ecosystem is designed to prevent the theft of a single private key from compromising an entire protocol. Theoretically, an attacker should need to steal the private keys of every user to drain the entire protocol. However, upgradeable contracts introduce an element of centralization risk, which can lead to an entire user base losing its funds.

Even so, some protocols believe that giving up the ability to upgrade may be worse than its alternative, as it may prevent a developer from fixing bugs found after deployment. Web3 developers continue to debate when protocols should and should not allow upgrades.

Recent Smart Contract Exploits

Smart contract exploits continue to pose a risk to Web3 users. On Sept. 11, an attacker drained over $1.4 million from a CUT token liquidity pool using an obscure line of code that pointed to an unverified function on a separate contract. On Sept. 3, over $27 million was drained from the Penpie protocol after the attacker successfully registered their own malicious contract as a token market.
