Decentralized finance (DeFi) protocols Exactly and Harbor were exploited on Aug. 18 in two separate — and apparently unrelated — attacks, according to blockchain security firms DeDotFi and PeckShield.
On-chain data reveals 4,323.6 Ether (ETH), worth nearly $7.3 million at the time of writing, had been stolen from Exactly Protocol. The hackers then bridged 1,490 ETH using the Across Protocol and 2,832.92 ETH to the Ethereum network via Optimism Bridge.
Update: After a thorough review of the Exactly Protocol Hack, we have concluded that the total of stolen amount up to date is ~$7.2M (4323.6 $ETH)— De.Fi ️ Web3 Antivirus (@DeDotFiSecurity) August 18, 2023
Eventually, they bridged ~1490 $ETH, using Across Protocol, and 2,832.92 $ETH to Ethereum via Optimism Bridge:… https://t.co/s61ai1OEMd
Exactly is one of the crypto lenders on the Optimism network. Initial reports mentioned over 7,160 ETH stolen, worth nearly $12 million, but were later revised to a smaller amount. The attacker targeted the DebtManager periphery contract, according to Exactly:
“The attacker passed in a malicious market contract address, bypassing the permit check, and executed a malicious deposit function to steal assets deposited by users. Approximately $7.3M were stolen.“
The protocol filed a police report and is trying to communicate with the attackers to return the stolen assets, its team noted on X (formerly Twitter).
In another security incident, the interchain stablecoin protocol Harbor disclosed being the victim of an attack that led to the loss of funds sitting on its stable-mint, as well as stOSMO, LUNA and WMATIC vaults. At the time of writing, the amount of crypto assets stolen remains unclear. Harbor is said to be working on tracing funds and estimating the total losses.
The attacks follow a number of security incidents across the DeFi ecosystem over the past few weeks. On July 30, a vulnerability in three versions of the Vyper programming language resulted in over $61 million being stolen from stablecoin pools on Curve Finance. Other protocols compromised in the past days include Earn.Finance, with at least $287,000 worth of ETH stolen, in addition to $2.1 million in losses incurred by Zunami Protocol in another exploit.