Key Takeaways:
- Prisma Finance suffered an $11.6 million loss from a security breach, with roughly $540,000 still at risk in accounts that have not yet revoked the approvals they granted to a compromised contract.
- The breach involved two MigrateTroveZap contracts affecting user loans, exposing five accounts with the potential combined loss of over $500,000.
- The hacker demands a public apology and team disclosure for fund return, amidst Prisma’s recovery efforts including a proposal to cut liquidity from POL and vePRISMA revenue.
Prisma Finance, a decentralized borrowing protocol, is currently grappling with the aftermath of a significant security breach that resulted in an $11.6 million loss last week.
The protocol has disclosed that approximately $540,000 of user funds remain vulnerable because 14 accounts have not yet revoked the delegate approval they granted to the compromised smart contract.
Prisma Finance addresses the recent security breach of $11.6 million with a recovery strategy and measures aimed at protecting $540,000 in user funds still vulnerable. #DeFi https://t.co/PL83YCDc3A
— Cryptonews.com (@cryptonews) April 1, 2024
This situation has escalated with demands from the purported ethical hacker responsible for the exploit, who is insisting on a public apology and the unveiling of the Prisma Finance team before considering the return of the stolen funds.
The focal point of the breach was identified in two MigrateTroveZap contracts designed for transitioning user positions between trove managers.
Despite efforts to address the exploit, a core contributor known as “Frank” emphasized the ongoing risk to five accounts with open trove positions, collectively at risk of losing over $500,000.
In collaboration with @PrismaRisk and @wavey0x, we are publishing a comprehensive post-mortem report on yesterday's event. https://t.co/DljZSs3ssK
We are fully mobilized to retrieve users' funds and we will keep you updated on next steps.
The most important action users can… pic.twitter.com/MUr1yqqBKX
— Prisma Finance (@PrismaFi) March 29, 2024
Prisma Finance manages user loans through "troves," collateralized debt positions that are each tied to a user's Ethereum address.
The most vulnerable account is reported to hold $484,380, with the remaining four accounts holding between $7,120 and $22,080.
In response to this crisis, Prisma outlined a “path forward” that includes measures to safeguard additional reserves while striving to recoup the pilfered assets.
A proposal introduced on April 1 aims to reduce protocol-owned liquidity (POL) and redirect vePRISMA staking revenue as part of these recovery efforts.
To All users🌈
Make sure to revoke the delegate approval! There are still a few addresses left.
Head to https://t.co/fBe5xRfq0U to check if you are concerned.
Stay safe from phishing links🙏 pic.twitter.com/kkBUYyNWKT
— Prisma Finance (@PrismaFi) March 31, 2024
In a bold move, the hacker, claiming to be a “white hat” ethical hacker, criticized Prisma Finance for their alleged lack of due diligence and has laid out specific conditions for the return of the funds.
These conditions include a public session where the Prisma team must fully disclose their identities, acknowledge their errors in auditing the smart contracts, and outline plans for enhanced security measures.
The hacker’s demands highlight a contentious debate over the responsibilities and ethics involved in the aftermath of the exploit.
Following the exploit affecting a number of users' individual vaults, Prisma Protocol has been paused by the emergency multisig and remaining funds are safe. mkUSD and ULTRA, as stablecoins, are overcollateralized and are not at risk.
Further steps will include:
– Post Mortem
-… https://t.co/5hCptyuP9q
— Prisma Finance (@PrismaFi) March 28, 2024
As the dialogue between Prisma Finance and the hacker unfolds through on-chain messages, the community watches closely.
The hacker’s insistence on a public apology and acknowledgment of no wrongdoing on their part adds a layer of complexity to the situation.
Prisma’s retort underscores skepticism about the hacker’s intentions, noting the absence of any returned funds as a gesture of good faith.
The incident has had a profound impact on Prisma Finance, with its total value locked plummeting from approximately $220 million to $87 million.
🚨DETAILS: ONGOING PRISMA FINANCE EXPLOIT – AT LEAST $10 MILLION STOLEN🚨
– @PrismaFi, which currently boasts around $223 million according to DefiLlama, has suffered an exploit which appears to be ongoing.
– The hack was first highlighted by @CyversAlerts which is currently… https://t.co/fpPri68GAW pic.twitter.com/44R6Xc0Kg5
— BSCN (@BSCNews) March 28, 2024
Observations from blockchain security firms indicate that the hacker has begun converting the stolen assets to ETH, with a portion being transferred to the OFAC-sanctioned mixer Tornado Cash.
This ongoing saga not only sheds light on the vulnerabilities within DeFi platforms but also raises critical questions about accountability, security practices, and the path to restitution following such exploits.