Decentralized finance (DeFi) protocol Blueberry has managed to pause its protocol after a mad dash to limit potential damage from an “ongoing exploit” on Friday.
In a Feb. 23 post on X, the Blueberry Protocol Foundation reported that it was suffering an “ongoing exploit” and advised users to withdraw their funds from Blueberry lending markets as it worked on “pausing the protocol as quickly as possible.”
Adding to the chaos, users reported having issues withdrawing, with Blueberry noting that the front end was also down.
“The front end is also down, so if you are able to interact directly with the contracts to withdraw, please do.”
The website and app went offline briefly with the following application error: “A client-side exception has occurred.”
Around 30 minutes later, Blueberry confirmed it had been able to pause the protocol, while the website appears to be back up and running.
“Funds currently deposited are no longer exploitable and we will update as we have more information.”
UPDATE: The protocol has been paused. Funds currently deposited are no longer exploitable and we will update as we have more information https://t.co/otsa1WZMEj
— Blueberry Protocol Foundation (@blueberryFDN) February 23, 2024
Another update was later added by Blueberry, stating that all of the drained funds have been front-run by c0ffeebabe.eth and are now safe in the Blueberry multisig.
“The team is in contact with security and comms professionals and will attempt to contact the validator to return the remaining 91 ETH.”
A total of 457 Ether (ETH) was initially drained, but 366 ETH was rescued by the so-called white hat and returned to the multisignature wallet. The protocol team reiterated:
“Deposited funds are currently safe. Only three markets were affected and the large majority was already returned. Total validator payment (loss) is 91 ETH. We are getting in touch and aim for a full repayment to users as the goal. Protocol is paused.”
To quickly reiterate:
— Blueberry Protocol Foundation (@blueberryFDN) February 23, 2024
Deposited funds are currently safe. Only three markets were affected and the large majority was already returned.
Total validator payment (loss) is 91 ETH. We are getting in touch and aim for a full repayment to users as the goal. Protocol is paused. https://t.co/uaQKwS9Iik
Related: Ethical hacker retrieves $5.4M for Curve Finance amid exploit
Blueberry protocol is a decentralized lending market that enables lending and leveraged borrowing up to 20x of the collateral value.
According to DefiLlama, it had a total value locked (TVL) of $4.5 million and was forked from the Compound DeFi protocol. The TVL had fallen to $3.15 million after the exploit attempt.
C0ffeebabe shot to fame when she took around 2,879 ETH, worth around $5.4 million, from an exploiter and returned it to the DeFi protocol Curve Finance amid its hack in July 2023.
Ironically, Blueberry posted a “security overview” on Feb. 22 claiming that it “starts with a security-first approach to development and risk mitigation to prevent any internal risk brought on by protocol activity.”
It also claims to have been audited by Hacken and Sherlock and claims to have carried out two independent token security audits; however, the tweet promoting the “security review” has disappeared from Blueberry’s X feed.
Should crypto projects ever negotiate with hackers? Probably
