Seneca Protocol hack highlights dangers of Ethereum's token approval mechanism

A bug in crypto lending platform Seneca Protocol was exploited on Wednesday to steal funds directly from users’ wallets. Losses so far exceed $3 million on the Ethereum and Arbitrum networks.

Seneca is a decentralized finance (DeFi) project that allows users to borrow the stablecoin senUSD against yield-bearing assets such as deposit tokens and liquid staking tokens (LSTs).

The suspicious transactions were brought to the attention of the crypto community by pseudonymous X (formerly Twitter) user Spreek.

Read more: Ethereum liquid staking braces for April 12 withdrawals

Crypto security researcher Daniel Von Fange identified the bug in Seneca's code, adding that he was removed from the project's Discord, where the team was deleting references to the exploit.

Another user, going by 'cawfree' on X, claims to have warned the project of this exact issue in November, before being blocked by Seneca. An audit contest was also abandoned in November, five days before launch.

According to security firm Peckshield, the contracts in question cannot be paused, leaving users themselves responsible for revoking token approvals granted to the affected addresses.

What are token approvals?

Unlike regular users’ Ethereum addresses, smart contract addresses are unable to initiate transfers on their own.

This means that any user wishing to swap tokens via a decentralized exchange (DEX) or deposit funds into certain DeFi platforms must first grant approval to the contract in charge of these operations. This allows the contract to spend tokens directly out of the user’s wallet, up to a defined limit.

However, clunky user interfaces, high gas fees, and repeat visits mean that many users tend to opt for granting unlimited approvals rather than going through the process for each interaction.

As today shows, this situation is ripe for exploitation by hackers who manage to manipulate contracts into sending any pre-approved tokens from users’ wallets directly to the hackers themselves.
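As an added illustration that is not part of the original article, the dependency-free Node.js snippet below shows the mechanics behind Peckshield's advice: given allowance records a wallet has already fetched for a user, it flags which approvals go to a set of incident-affected spender addresses, rates how much each could drain, and builds the raw `approve(spender, 0)` calldata that revokes them. All addresses and balances are constructed placeholders, and the record layout is an assumption of this example.

```javascript
// ERC-20 selector for approve(address,uint256): first four bytes of keccak256(signature).
const SELECTOR_APPROVE = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited" approval value

// Left-pad an address (20 bytes) or a uint256 to one 32-byte ABI word, hex without 0x.
function abiWord(value) {
  const hex = typeof value === "bigint" ? value.toString(16) : value.replace(/^0x/, "");
  if (hex.length > 64) throw new Error("value does not fit in a 32-byte word");
  return hex.toLowerCase().padStart(64, "0");
}

// Calldata for approve(spender, 0), the revocation transaction the user signs
// and sends to the token contract itself.
function encodeRevokeCall(spender) {
  return "0x" + SELECTOR_APPROVE + abiWord(spender) + abiWord(0n);
}

// Rate how much a spender could pull via transferFrom relative to what the user holds.
function classifyAllowance(allowance, balance) {
  if (allowance === 0n) return "none";
  if (allowance === MAX_UINT256) return "unlimited";
  return allowance > balance ? "exceeds-balance" : "bounded";
}

// Given allowance records for a wallet and the spender addresses named in an incident,
// list every live approval to those spenders together with the calldata that revokes it.
function revokePlan(records, affectedSpenders) {
  const affected = new Set([...affectedSpenders].map((a) => a.toLowerCase()));
  return records
    .filter((r) => affected.has(r.spender.toLowerCase()) && r.allowance > 0n)
    .map((r) => ({
      token: r.token,
      spender: r.spender,
      risk: classifyAllowance(r.allowance, r.balance),
      calldata: encodeRevokeCall(r.spender),  // send to r.token from the user's own address
    }));
}

// Constructed sample (placeholder addresses, not the real incident contracts).
const SAMPLE_RECORDS = [
  { token: "0x" + "11".repeat(20), spender: "0x" + "aa".repeat(20), allowance: MAX_UINT256, balance: 500n },
  { token: "0x" + "22".repeat(20), spender: "0x" + "bb".repeat(20), allowance: 100n, balance: 500n },
  { token: "0x" + "33".repeat(20), spender: "0x" + "aa".repeat(20), allowance: 0n, balance: 9n },
];
const AFFECTED = ["0x" + "AA".repeat(20)];  // mixed-case input is normalised before matching
```

Running `revokePlan(SAMPLE_RECORDS, AFFECTED)` yields one entry: the unlimited approval on the first token, with its revoke calldata; the second record goes to an unaffected spender and the third is already zero.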

In one particularly costly incident, Badger DAO users (including disgraced crypto lender Celsius) lost $120 million when the platform’s website was hacked to ‘harvest’ token approvals from users over a period of 12 days.

Read more: The Mashinskys used Celsius to promote the Strong blockchain, and it still failed

A proposed alternative to the standard token approval mechanism, used by leading DEX Uniswap, relies on permit2 signatures to handle approvals. However, permit2 isn't without its drawbacks, as the added complexity makes it difficult for users to understand what they are signing.

Phishing scammers are able to take advantage of this fact to steal crypto, even from those who attempt to revoke their approvals.


Source: https://protos.com/seneca-protocol-hack-highlights-dangers-of-ethereums-token-approval-mechanism/