<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">

Hack Track: Steadefi Flow of Funds Analysis

On August 7th, 2023, Steadefi, a sophisticated yield aggregator, fell victim to an assault that resulted in a substantial loss of over $1.14 million.

What is Steadefi?

Steadefi functions as a yield aggregator, empowering users to generate earnings through methodical approaches such as intelligent hedging strategies and automated risk oversight. This is achieved by vigilant monitoring and the seamless rebalancing of vaults.

Steadefi’s Response



The protocol promptly utilized Twitter to apprise its users regarding the incident and caution them about the stolen funds. Additionally, they extended a bounty stating:

Steadefi would like to discuss a bounty with any parties who were involved in the recent Steadefi exploit. We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%.’

As reported by Steadefi, the wallet responsible for deploying the protocol—simultaneously functioning as the proprietor of all vaults within the system—fell victim to compromise. 

Subsequently, the assailant assumed ownership of each vault, effecting a transfer to a wallet under their control.

In the wake of this takeover, the attacker proceeded to execute a series of actions designated exclusively for the owner's purview. This included granting universal borrowing access from the lending vaults to any wallet. 

Presently, the exploiter has exhausted the lending capacity on both the Arbitrum and Avalanche platforms. The assets have been converted to ETH and subsequently migrated to the Ethereum blockchain through a bridging mechanism.


Announcement by Steadefi

Merkle Science’s Flow of Funds Analysis

Summary of the Hack

  • The attacker managed to gain access to Steadefi’s deployer wallet
  • Acquired multiple tokens including USDC, wBTC, wETH, AVAX, ARB, BTC.b, and USDT
  • The attacker used a cross-chain bridge service to permeate L2 to L1


  • As disclosed by the protocol, the assailant managed to breach Steadefi’s deployer wallet, facilitating the diversion of funds to a self-controlled address across both the Avalanche and Arbitrum L2 chains. 
  • Among the acquired funds were a variety of tokens including USDC, USDT, BTC.b, wBTC, wETH, ARB, and AVAX.
  • Subsequently, a series of transactions unfolded on both the Avalanche and Arbitrum, where the aforementioned tokens underwent exchanges, and were swapped for approximately 624 ETH (440 ETH on Arbitrum and 184 ETH on Avalanche).
  • The perpetrator then proceeded to transfer these accrued 624 ETH across to the Ethereum blockchain, using a cross-chain bridge service
  • At the time of writing, no funds have moved from the attacker’s address on the Ethereum blockchain.


Merkle Science’s blockchain forensics visualization tool ‘Tracker’ depicts the flow of funds

The Growing Role of L2 Chains in DeFi Exploits

Layer 2 (L2) chains in the context of blockchain technology typically refer to solutions that are built on top of existing blockchain platforms (often referred to as Layer 1 chains) to enhance scalability and reduce transaction costs. While L2 solutions can provide significant benefits, they also introduce certain complexities and potential vulnerabilities that can make them more prone to exploits compared to traditional Layer 1 chains. Here are a few reasons why L2 chains might be more susceptible to exploits:

  • Interoperability with Layer 1 Chains: L2 solutions often rely on interactions with the underlying Layer 1 chain for security and finality. If there are vulnerabilities or attacks on the Layer 1 chain, they can potentially impact the security of L2 solutions that depend on it.
  • Complexity: L2 solutions can introduce additional layers of complexity, including various protocols, mechanisms for transferring assets between Layer 1 and Layer 2, and consensus mechanisms. This increased complexity can provide more attack vectors for malicious actors to exploit.
  • Smart Contract Dependencies: Many L2 solutions are built to support smart contracts, and these smart contracts might have dependencies on both Layer 1 and Layer 2 components. If vulnerabilities exist in any of these layers, they could be exploited to compromise the overall security of the L2 solution.
  • Decentralization and Security: Some L2 solutions might not have the same level of decentralization and security as the underlying Layer 1 chains. This could make them more susceptible to various types of attacks, as a smaller number of validators or participants might be easier to compromise or collude with.
  • Rapid Development and Updates: The fast-paced development and frequent updates of L2 solutions can sometimes lead to oversight of potential vulnerabilities. Rapid changes might not undergo thorough security audits, leaving room for exploitable weaknesses.
  • New and Experimental Technology: L2 solutions often involve new and experimental technologies, which might not have undergone extensive real-world testing. As a result, undiscovered vulnerabilities could be present in the software or protocols.
  • User Error and Misunderstanding: L2 solutions might require users to interact with different interfaces and manage assets across different layers. This introduces the risk of user error, such as sending assets to the wrong addresses or making incorrect transactions due to misunderstandings of the complex mechanisms involved.

It's important to note that while L2 chains have these potential vulnerabilities, many projects and teams actively work to address and mitigate these risks. Thorough security audits, continuous monitoring, and prompt responses to identified vulnerabilities are essential to maintaining the integrity and security of L2 solutions. Users should exercise caution, conduct due diligence, and stay informed about the security practices of the L2 solutions they use or invest in.