In a recent cyber attack, Prisma Finance, a decentralized finance (DeFi) protocol known for its stablecoins supported by Ethereum liquid staking and re-staking tokens (LRTs), suffered a significant loss of approximately $12 million. The exploit, which occurred on March 28, 2024, has raised concerns about the security of DeFi platforms and the need for robust defenses against such attacks.

The Vulnerability and Exploitation

The attackers targeted a vulnerability within the Prisma Finance MigrateTroveZap contract. This contract failed to validate data from onFlashloan() operations, allowing the attackers to manipulate the migration process. Here’s how the attack unfolded:

  1. Exploitation: The attackers exploited the vulnerability by manipulating the migration process, resulting in the loss of assets.
  2. Flash Loans: The attackers used multiple flash loan transactions to siphon off 2,821.3 Wrapped Staked Ether (wstETH).
  3. Asset Swap: The stolen wstETH was swiftly swapped for 3,257.69 Ether (ETH), valued at approximately $11.6 million at the time of the attack.
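The bug class described above is a flash-loan callback that trusts whatever data it is handed. The following is an added example, not Prisma Finance's code and not taken from the original article: a generic borrower that assumes the ERC-3156 callback shape and shows the three checks such a callback needs before acting. The names GuardedMigrator, migrate, positionId and Migrated are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: generic ERC-3156 borrower, NOT Prisma's MigrateTroveZap code.
interface IERC20 { function approve(address spender, uint256 value) external returns (bool); }
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

contract GuardedMigrator {
    bytes32 private constant CALLBACK_OK = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IFlashLender public immutable lender; // the only lender whose callback is accepted
    bytes32 private pendingHash;          // commitment to the request currently in flight

    error UntrustedLender();
    error UntrustedInitiator();
    error DataMismatch();
    error MigrationInProgress();
    event Migrated(address indexed account, uint256 positionId, uint256 amount);

    constructor(IFlashLender lender_) { lender = lender_; }

    // Hypothetical entry point. The account comes from msg.sender, never from caller input.
    function migrate(address token, uint256 amount, uint256 positionId) external {
        if (pendingHash != bytes32(0)) revert MigrationInProgress();
        bytes memory data = abi.encode(msg.sender, positionId);
        pendingHash = keccak256(data);
        require(lender.flashLoan(address(this), token, amount, data), "flash loan failed");
        delete pendingHash;
    }

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        // 1. Only the trusted lender may invoke the callback.
        if (msg.sender != address(lender)) revert UntrustedLender();
        // 2. The loan must have been requested by this contract, not by a third party.
        if (initiator != address(this)) revert UntrustedInitiator();
        // 3. The payload must be byte-for-byte what migrate() committed to.
        if (pendingHash == bytes32(0) || keccak256(data) != pendingHash) revert DataMismatch();

        (address account, uint256 positionId) = abi.decode(data, (address, uint256));
        // Placeholder for the protocol-specific step: move `account`'s position here.
        emit Migrated(account, positionId, amount);
        require(IERC20(token).approve(address(lender), amount + fee), "approve failed");
        return CALLBACK_OK; // lender pulls amount + fee after the callback returns
    }
}
```

With all three checks in place, a loan requested by anyone other than this contract, or a payload naming an account that did not call migrate(), reverts before any position is touched.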

Prisma Finance’s Response

The Prisma Finance team promptly responded to the incident. The protocol was paused by its emergency multi-signature wallet, ensuring the safety of the remaining funds. Fortunately, mkUSD and ULTRA stablecoins remain overcollateralized and are not at risk.

Next Steps

Prisma Finance aims to publish a detailed post-mortem on the incident and explore avenues to retrieve the stolen funds.
