Key Takeaways:
- Prisma Finance lost $11.6 million to an exploit, and roughly $540,000 remains at risk in accounts that have not yet revoked their approval of the compromised contract.
- The exploit went through two MigrateTroveZap contracts used to move user loan positions; five accounts with open troves stand to lose more than $500,000 combined.
- The hacker is demanding a public apology and disclosure of the team's identities before returning any funds, while Prisma pursues recovery measures including a proposal to draw liquidity from POL and vePRISMA revenue.
Prisma Finance, a decentralized borrowing protocol, is dealing with the aftermath of a security breach last week that cost it $11.6 million.
The protocol has disclosed that approximately $540,000 remains vulnerable because 14 accounts have not yet revoked the approval they granted to the compromised smart contract.
The situation has escalated with demands from the self-described ethical hacker behind the exploit, who insists on a public apology and the unmasking of the Prisma Finance team before considering the return of the stolen funds.
The breach was traced to two MigrateTroveZap contracts, which are designed to move user positions between trove managers.
Despite efforts to contain the exploit, a core contributor known as "Frank" stressed that five accounts with open trove positions remain exposed, with more than $500,000 at risk between them.
Prisma Finance tracks each user's loan as a "trove," a position tied to the user's Ethereum address.
The most exposed account is reported to hold $484,380; the remaining four hold between $7,120 and $22,080 each.
In response, Prisma has outlined a "path forward" that includes measures to protect its remaining reserves while it attempts to recover the stolen assets.
A proposal introduced on April 1 would reduce protocol-owned liquidity (POL) and vePRISMA staking revenue as part of the recovery effort.
The hacker, who claims to be a "white hat," has criticized Prisma Finance for what they call a lack of due diligence and has set out specific conditions for returning the funds.
These conditions include a public session in which the Prisma team must disclose their identities, acknowledge their failures in auditing the smart contracts, and lay out plans for stronger security measures.
The demands highlight a contentious debate over responsibility and ethics in the aftermath of the exploit.
As the exchange between Prisma Finance and the hacker plays out through on-chain messages, the community is watching closely.
The hacker's insistence on a public apology, and on Prisma acknowledging that the hacker did nothing wrong, adds a further layer of complexity.
Prisma's reply is skeptical of the hacker's intentions, noting that no funds have been returned as a gesture of good faith.
The incident has hit Prisma Finance hard: its total value locked has dropped from approximately $220 million to $87 million.
Blockchain security firms report that the hacker has begun converting the stolen assets to ETH, with a portion sent to Tornado Cash, a mixer sanctioned by OFAC.
The episode not only exposes vulnerabilities in DeFi platforms but also raises hard questions about accountability, security practices, and the path to restitution after such exploits.