A hacker exploits DeFi protocol Delta Prime by minting an enormous amount of deposit tokens, siphoning millions in USDC, BTC, and ETH.

A recent attack on decentralized finance (DeFi) protocol Delta Prime has resulted in the loss of over $6 million in cryptocurrency. The attacker used an admin account to mint an unprecedented number of deposit receipt tokens, exploiting the system's upgrade functions to drain liquidity pools.

According to blockchain data from Arbiscan, the hacker minted over 115 duovigintillion (1.1 * 10^69) Delta Prime USD (DPUSDC) tokens, a deposit receipt for the USDC stablecoin. Despite minting this massive amount, the attacker only burned 2.4 million of these tokens to withdraw $2.4 million in actual USDC. They repeated similar steps for other assets like Bitcoin (BTC), Ether (ETH), and Arbitrum (ARB), accumulating over $1 million in additional funds.

The exploit was likely initiated by stealing the developer’s private key and gaining control of an admin account. The attacker then used an upgrade function in Delta Prime’s liquidity pool contracts, redirecting each contract to a malicious proxy that allowed them to mint limitless deposit receipt tokens.

Blockchain security expert Chaofan Shou estimated that the total loss stands at $6 million. Delta Prime acknowledged the breach, confirming that nearly $6 million had been drained from its Arbitrum-based protocol, while its Avalanche-based version remained unaffected. The protocol also noted that its insurance might help cover some of the losses.

This incident highlights the ongoing risks DeFi protocols face with upgradeable contracts, which can introduce centralization vulnerabilities if admin accounts are compromised. While upgrading allows developers to fix bugs, it also makes protocols more susceptible to exploits like this one.

Delta Prime's exploit is just the latest in a series of DeFi attacks this year, as the Web3 ecosystem continues to grapple with security challenges.

photo source / Blockonome