Exactly Protocol, a decentralized credit market operating on the Optimism network, has fallen victim to a bridge exploit resulting in a potential loss of over $ 7 million. This incident adds to a growing list of attacks targeting cross-chain bridges within the crypto space.
The breach came to light when blockchain security firm Peckshield flagged the exploit, alerting Exactly to the breach. Following this, Exactly took immediate action, launching an investigation into the incident and temporarily halting its protocol. Users, however, can still withdraw their assets during this period.
Web3 security firm De.Fi conducted an independent investigation into the exploit and revealed the presence of two exploiter contracts. De.Fi initially suspected that the hackers had swiped roughly 7,160 ETH, valued at over $12 million, though later confirmed that the contracts managed to siphon off a substantial 4,323.6 ETH—or $7.2 million worth.
The attackers employed a strategy involving the creation of an exploiter contract on Ethereum. Deposits were initially routed to the Optimism network and then redirected back to Ethereum through a bridging mechanism.
The exploiter contracts executed three transactions, transferring sizable amounts of 910 ETH, 226,731 USDC, and 2,643,414 USDC. Additionally, De.Fi's investigation uncovered further transactions, some involving the bridging of 1,500 ETH using the Across Protocol.
In the aftermath of the breach, Exactly's native token, EXA, experienced a significant decline of more than 30%, dropping from $6.43 to its current value of $4.44 at the time of writing.
Since then, Exactly’s team has reached out to the hacker in the hopes of discussing how to move forward.
Other Hacks of 2023 So Far
Unfortunately, Exactly's ordeal is not an isolated incident. The crypto space has witnessed a series of exploits in recent months. In June, Atomic Wallet suffered a hack allegedly orchestrated by North Korea's Lazarus Group, resulting in a reported $35 million loss. Then, Multichain protocol faced a devastating attack in July, leading to a loss of $126 million, with nearly $120 million originating from the Fantom bridge. Notably, the Multichain incident also highlighted the mysterious disappearance of the protocol's CEO, who was allegedly arrested by the Chinese police, leaving the community and investors in a state of uncertainty. The cross-chain protocol then announced later in July that it was “forced to cease operations” due to a lack of “alternative sources of information and corresponding operational funds”.
In another notable hack for July, Curve Finance, a DeFi protocol, suffered a loss exceeding $47 million due to a re-entrancy vulnerability traced back to Vyper, a programming language designed for the Ethereum Virtual Machine. The vulnerability allowed the attacker to manipulate the protocol's smart contracts and drain funds.
However, the Curve Finance incident went on to take an unexpected turn when, in a unique move, the protocol's team decided to engage with the hacker. Rather than pursuing a legal battle, Curve Finance opted to negotiate with the attacker and offered a substantial bounty to return the stolen funds. This unconventional approach ultimately led to the recovery of the majority of the stolen assets, and serves as a testament to the evolving dynamics of hacking within the crypto space. Hopefully, Exactly's decision to contact the hacker will result in a similar scenario for the protocol.
These incidents underscore the challenges and vulnerabilities present within the crypto lending sector and the broader DeFi ecosystem. As attacks continue to exploit weaknesses, the need for improved security measures will remain paramount. However, the question of whether these hacks can ever truly be stopped remains.