On March 28th, Prisma Finance, a decentralized lending platform, experienced a flashloan attack that led to a significant loss of $12.6 million. The attack exploited a vulnerability within the smart contract code, particularly within the "MigrateTroveZap" contracts responsible for migrating user positions between different trove managers.
The attack exploited a discrepancy between the collateral designated for the original position and the new position during migration. This discrepancy enabled the attacker to gain profit throughl the difference in value. Roughly 90% of the funds, totaling 3,258.7841 ETH, were drained by the address "Exploiter," equating to approximately $11 million.
Incident Response
In response to this incident, Prisma Finance released a post-mortem reprort, stating:
“A vulnerability in both versions of the MigrateTroveZap (mkUSD and ULTRA) contract of Prisma Finance led to a loss of 3,257 ETH, or approximately $11 million USD.
In response, the Prisma Finance emergency multi-sig has paused the protocol's operations.”
Merkle Science’s Flow of Funds Analysis
The exploiter moved the stolen 3,258.7841 ETH to 3 intermediary addresses before transferring them to Tornado Cash.
However, as it turns out, this was actually a white hat hacker who later contacted Prisma Finance for negotiations.
As per the latest messages, the negotiations have still not reached a conclusion.
Mitigating smart contract vulnerabilities
Smart contracts, vital components of numerous blockchain systems, operate as self-executing agreements where terms are embedded directly into the code. However, they are susceptible to various vulnerabilities exploitable by malicious actors, resulting in financial losses, data breaches, and other adverse outcomes.
Consider these security measures while deploying smart contracts:
- Code Audits: Regularly review and audit smart contract code for vulnerabilities.
- Secure Development: Follow secure coding practices and established design patterns.
- Comprehensive Testing: Conduct thorough testing to identify vulnerabilities and simulate potential attack scenarios.
- Access Controls: Implement access controls and permission management to prevent unauthorized actions.