    Seneca stablecoin hacker returns stolen funds after $6.4M exploit

    2024.02.29 | exchangesranking

    Stablecoin protocol Seneca has offered a 20% bounty to the exploiter who gained access to at least $6.4 million in digital assets after exploiting an approval mechanism bug in the protocol’s smart contract. 

    On Feb. 28, multiple blockchain security firms flagged the exploit on the stablecoin protocol. Companies like CertiK warned users about the exploit, urging them to revoke approvals from an address on the Ethereum and Arbitrum networks. Initial estimates put the losses at $3 million, but it was later found that over 1,900 Ether (ETH), worth about $6.4 million, were taken in the exploit.

    Seneca attacker’s wallet showing about $3 million in Ether. Source: CertiK

    Security analysts at CertiK explained that the exploit happened due to a critical “call” vulnerability in the protocol’s smart contract. This vulnerability allowed the attacker to perform external calls to any address.

    In addition, the project’s contracts had no “pause” function that would have let the team halt them. Because of this, users have to revoke permissions themselves.
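
    One way to act on the revoke advice above, as an added example that is not part of the original article or Seneca's code: it replays ERC-20 Approval logs to find allowances still open to a flagged spender and builds the approve(spender, 0) calldata that revokes them. The spender address, tokens, owners and logs are constructed placeholders.

```python
# Added example: list ERC-20 allowances still open to a flagged spender and
# build the approve(spender, 0) calldata that revokes one.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"          # approve(address,uint256)
FLAGGED_SPENDER = "0x" + "5e" * 20     # placeholder, not the real address

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()  # address is the low 20 bytes of the topic

def open_allowances(logs, spender):
    """Return {(token, owner): amount} for non-zero allowances to `spender`.
    Logs are replayed in chain order; a later Approval overwrites an earlier
    one, so an approve(spender, 0) closes the entry."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + padded address + zero amount."""
    return "0x" + APPROVE_SELECTOR + spender.lower()[2:].rjust(64, "0") + "0" * 64

# Constructed sample data (not real chain data).
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
ALICE, BOB, OTHER = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "0f" * 20

def mk(block, idx, token, owner, spender, amount, extra=()):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": "0x%064x" % amount}

SAMPLE_LOGS = [
    mk(12, 0, TOKEN_A, BOB, FLAGGED_SPENDER, 0),               # Bob revokes
    mk(10, 3, TOKEN_A, ALICE, FLAGGED_SPENDER, 2**256 - 1),    # unlimited
    mk(10, 1, TOKEN_A, BOB, FLAGGED_SPENDER, 1000),
    mk(11, 0, TOKEN_B, ALICE, OTHER, 500),                     # other spender
    mk(11, 1, TOKEN_B, ALICE, FLAGGED_SPENDER, 0, ("0x" + "0" * 64,)),  # ERC-721
]

if __name__ == "__main__":
    for (token, owner), amount in open_allowances(SAMPLE_LOGS, FLAGGED_SPENDER).items():
        print(owner, "-> send to", token, ":", revoke_calldata(FLAGGED_SPENDER))
```

    Allowances spent through transferFrom usually emit no Approval event, so treat the result as an upper bound and confirm with the token's allowance() before and after revoking.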

    The Seneca team said that they are currently working with specialists to investigate what happened. The team also offered a $1.2 million bounty for the return of the stolen funds. In an on-chain message on Feb. 29, the Seneca team asked the hacker to return 80% of the stolen funds to an Ethereum address, allowing the hacker to keep 20%.

    Seneca team’s on-chain message to the exploiter. Source: Seneca

    Within the message, the Seneca team said they are collaborating with security providers and law enforcement to trace the funds. The team urged the hacker to return the funds to avoid legal consequences. “Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” they wrote.

    Hours after the team’s message, the hacker was seen returning about 1,537 ETH, worth around $5.3 million, to the wallet address that the Seneca team specified. The exploiter kept 300 ETH, worth around $1 million, showing that the exploiter accepted the 20% bounty offered by the team. The exploiter then transferred the ETH to two different addresses.
