How AstraSec team prevented DeFi protocol from suffering $64m hack — and they won $65k for it
On July 23, DeFi liquidity protocol DeltaPrime lost $1 million to a hack but quickly acted to prevent further losses while also making affected users whole.
But the $64 million in user deposits held by the protocol was still at risk.
That was until researchers at blockchain security outfit AstraSec discovered a major vulnerability in DeltaPrime’s smart contracts, similar to the one exploited by the July hackers.
AstraSec and fellow blockchain security firm PeckShield were working to help DeltaPrime safely resume operations following the hack, DeltaPrime cofounder Gavin Hasselbaink told DL News.
AstraSec co-founder Patrick Lou told DL News the team approached DeltaPrime following last month’s hack to offer its services.
“We took the initiative to look into the project base code deeper and found out this critical bug,” Lou said.
AstraSec researchers on July 24 found a contract flaw that allowed a hacker to hijack ownership of the DeltaPrime protocol.
DeltaPrime holds user funds in so-called prime accounts. The protocol’s software maintains these prime accounts using smart contract logic, which maps each one to DeltaPrime’s main contract.
Under normal operating conditions, the protocol owner is the only entity that can control the main contract.
However, AstraSec found a bug in a contract originally designed to help create new prime accounts that would have allowed a hacker to assume ownership of the protocol.
Any hacker who managed to do so would have been able to steal both user and protocol funds.
That’s because the hackers could have used their control of the protocol to manipulate its internal controls and borrow funds from all DeltaPrime lending pools without posting the collateral normally required to pass the built-in solvency checks.
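The article does not publish DeltaPrime’s contracts, so the following is an added, hypothetical Solidity sketch of the bug class it describes (an ownership takeover through a helper contract that creates accounts), not the protocol’s own code. All contract and function names here (MainContract, PrimeAccountFactoryVulnerable, initialize, setSolvencyChecks) are assumptions for illustration. The vulnerable factory is shown beside a hardened version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the bug class, not DeltaPrime's contracts:
// a helper contract that creates accounts also holds a privileged path to
// the main contract, and its initializer can be re-run by anyone.

contract MainContract {
    address public owner;
    bool public solvencyChecksEnabled = true;
    mapping(address => bool) public isPrimeAccount;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialOwner) {
        owner = initialOwner;
    }

    // Privileged: an account is only recognised once the owner registers it.
    function registerPrimeAccount(address account) external onlyOwner {
        isPrimeAccount[account] = true;
    }

    // Privileged: the owner can switch solvency checks off, which is why an
    // ownership takeover is as good as draining the lending pools.
    function setSolvencyChecks(bool enabled) external onlyOwner {
        solvencyChecksEnabled = enabled;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }
}

contract PrimeAccount {
    address public immutable user;
    constructor(address _user) { user = _user; }
}

// Vulnerable factory: after deployment it is made owner of MainContract so
// that createPrimeAccount() can register the accounts it creates.
contract PrimeAccountFactoryVulnerable {
    MainContract public main;
    address public admin;

    // BUG: meant to run once after deployment, but there is no "already
    // initialised" guard and no caller check, so anyone can call it again
    // and become admin of the factory.
    function initialize(MainContract _main) external {
        main = _main;
        admin = msg.sender;
    }

    function createPrimeAccount() external returns (address) {
        PrimeAccount acct = new PrimeAccount(msg.sender);
        main.registerPrimeAccount(address(acct));
        return address(acct);
    }

    // Admin-only, but "admin" is whoever called initialize() last.
    function transferMainOwnership(address newOwner) external {
        require(msg.sender == admin, "not admin");
        main.transferOwnership(newOwner);
    }
}
// Attack path: attacker calls initialize(main), then
// transferMainOwnership(attacker); attacker is now MainContract.owner and can
// call setSolvencyChecks(false).

// Hardened factory: one-shot initialiser restricted to the deployer.
contract PrimeAccountFactoryFixed {
    MainContract public main;
    address public admin;
    address private immutable deployer;
    bool private initialized;

    constructor() { deployer = msg.sender; }

    function initialize(MainContract _main) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        initialized = true;
        main = _main;
        admin = msg.sender;
    }

    function createPrimeAccount() external returns (address) {
        PrimeAccount acct = new PrimeAccount(msg.sender);
        main.registerPrimeAccount(address(acct));
        return address(acct);
    }

    function transferMainOwnership(address newOwner) external {
        require(msg.sender == admin, "not admin");
        main.transferOwnership(newOwner);
    }
}
```

The point a reviewer should take from the sketch is that the account-creation helper is itself a privileged contract: anything that can reset its admin inherits every permission the main contract granted to the factory. When auditing this pattern, check every initialiser and setter reachable without an access modifier, and trace which contracts the main contract’s onlyOwner functions ultimately trust.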
“This is the first time we’ve come across this particular vulnerability,” Lou told DL News.
AstraSec’s co-founder said the team reported the issue to DeltaPrime and the problem was resolved quickly.
“For AstraSec’s contribution they received a bounty, adjusted for the circumstances in which it was found,” Hasselbaink said.
Lou’s team received a $65,000 bounty for discovering the critical vulnerability, according to details on the crypto bug bounty dashboard HackenProof.
Lou said the team was satisfied with the payout.
Crypto investors lost $1.4 billion to hacks and exploits in the year’s first half, more than double the $657 million recorded in the same period in 2023.
Most of those hacks involved unauthorised access, in which attackers hijacked the wallets of crypto entities to syphon funds.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at [email protected].