Seneca Recovers 80% of Funds After $6.4M Exploit


Source: Cryptopotato, 2024/03/01 00:20
By: Chayanika Deka

Seneca Protocol said that the exploit mainly targeted users’ wallet assets, emphasizing that Seneca’s own funds remained untouched.

The Seneca Protocol hacker has given back $5.3 million worth of Ether tokens after draining $6.4 million on Ethereum and Arbitrum networks. Initial investigations suggested that an approval mechanism bug in the protocol’s smart contract was exploited.

The stablecoin protocol had recently confirmed that it had brought in law enforcement but offered leniency, stating the team wouldn’t take legal steps if the hacker returned 80% of the funds, keeping 20% as a reward.

Seneca Hacker Returns 80% of Stolen Funds

The vulnerability stemmed from a function in the Seneca protocol’s smart contract code called ‘performOperations.’ This function, open to external calls, lacked adequate validation for its inputs.

The absence of input validation is a critical oversight in smart contract development. Exploiting this flaw, the attacker crafted specific data to trigger conditions, enabling them to invoke any contract on the blockchain with arbitrary data.

This capability lets the attacker interact with other contracts without restriction while masquerading as the vulnerable contract. As a result, the attacker proceeded to transfer assets from addresses that had granted approvals to the now-compromised contracts.
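The mechanism described above can be shown with a toy model. This is an added example, not Seneca's contract code: the class names, the `Oracle` target and the allowlist are all hypothetical, and the allowlist is one possible form of the missing input validation, not the fix Seneca applied.

```python
# Added illustration: a toy model, not Seneca's contract code.
# All class and method names here are hypothetical.

class Token:
    """Minimal ERC-20-style ledger with allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def approve(self, sender, spender, amount):
        self.allowance[(sender, spender)] = amount

    def transfer_from(self, sender, owner, to, amount):
        # `sender` stands in for msg.sender, i.e. the spender being checked.
        if self.allowance.get((owner, sender), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("balance too low")
        self.allowance[(owner, sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Oracle:
    """A target the forwarding contract legitimately needs to call."""
    def price(self, sender):
        return 42

class Forwarder:
    """Contract with a public entry point that relays caller-built calls."""
    def __init__(self, address, allowed=None):
        self.address = address
        self.allowed = allowed  # None models the missing input validation

    def perform_operations(self, target, method, args=()):
        if self.allowed is not None and (target, method) not in self.allowed:
            raise PermissionError("target/method not on the allowlist")
        # The callee sees this contract's address as the caller.
        return getattr(target, method)(self.address, *args)

def scenario(validated):
    """Alice approves the forwarder; a third party then submits a relay request."""
    token, oracle = Token({"alice": 100}), Oracle()
    fwd = Forwarder("forwarder", {(oracle, "price")} if validated else None)
    token.approve("alice", "forwarder", 100)
    try:
        fwd.perform_operations(token, "transfer_from", ("alice", "third_party", 100))
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, token.balances["alice"], fwd.perform_operations(oracle, "price")
```

With validation off, the token sees the forwarder as the approved spender and Alice's balance moves; with the allowlist, the relay is rejected while the legitimate oracle call still succeeds.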

Crypto security researcher Daniel Von Fange discovered the flaw and was allegedly expelled from the project’s Discord server, where the team was removing mentions of the exploit.

According to PeckShield’s latest update, the exploiter sent 1,537 Ethereum to a Seneca address, which is the main address connected to the exploit. The hacker retained 300 ETH, worth approximately $1 million, and received the 20% reward offered by Seneca. Subsequently, they transferred the ETH to two separate addresses.

Seneca Protocol suffered a massive breach on February 28th that resulted in its native token SEN extending 80% losses in a day. Initially, losses were estimated to be around 3 million, but further investigation revealed that over 1,900 Ether, worth around $6.4 million, were stolen in the exploit.

Later, Seneca issued a statement that it is collaborating with experts to investigate the exploit. The protocol then announced a reward of $1.2 million for the recovery of the stolen funds.

Seneca’s Confirmation

Seneca confirmed in an official update on Wednesday that 80% of the funds have been successfully returned. It said that the exploit primarily targeted assets held in users’ wallets, clarifying that Seneca’s own funds were not directly affected.

Instead, the exploit focused on external user assets within the Seneca ecosystem.

“The Chamber code deployed is the exact same as that which underwent the audit, except for fixes explicitly suggested by the auditing company and implemented in the precise ways indicated. An audit is in no way a guarantee of absolute safety, but it’s worth noting that Seneca chose to work with a major auditing company for the very purpose of securing the Chamber contract.”
