Experts revealed an attack on the Prisma DeFi protocol, estimating the damage at $11 million

Teacher

Liquid staking platform Prisma Finance reported "a possible exploit". Possible damage was estimated at $11.6 million.

We are aware of a possible exploit on Prisma.

Core engineering contributors will pause the protocol and investigate.

We'll share an update and a post-mortem.
— Prisma Finance (@PrismaFi) March 28, 2024

The team asked users to revoke all wallet permissions to avoid losses.

Initially, the specialists of the Cyvers service drew attention to the unauthorized withdrawal of funds. They estimated the damage at $9 million. According to them, the attack "was funded through the FixedFloat crypto exchange."

PeckShield also pointed out suspicious transactions using mkUSD tokens and "wrapped" ether. According to experts, the losses of Prisma Finance have already amounted to ~3257.7 ETH worth approximately $11.6 million.

#PeckShieldAlert The attack is ongoing, with the total loss now increased to ~3,257.7 $ETH (worth ~$11.6 million)
To vault owners, please follow up on notifications from the official source and be cautious about scams pic.twitter.com/5HYGYCROIP
— PeckShieldAlert (@PeckShieldAlert) March 28, 2024

The company's analysts noted scammers' attempts to take advantage of the situation through phishing in the form of compensation offers and urged customers of the DeFi protocol to be careful.

Journalist Colin Wu noted that in early February, the team of Tron founder Justin Sun withdrew ~53,800 wstETH (~$148 million) and 40.37 million mkUSD from Prisma.

On February 7th and 8th, Justin Sun's team (0x9F…19Fe) withdrew 53.8k wstETH (US$148 million) and 40.37 million MKUSD from Prisma Finance, which was attacked today. There are currently 104,485.7647 stETH staked in Eigen Layer, worth about $374 million, and 58,270.3477 stETH…
— Wu Blockchain (@WuBlockchain) March 28, 2024
Father

The hacker called the $11 million hack of Prisma "white", but has not yet returned the funds.

Liquid staking platform Prisma Finance acknowledged the loss of 3257 ETH (~$11 million) as a result of the exploit on March 28. The hacker entered into correspondence with the team about the refund.

In collaboration with @PrismaRisk and @wavey0x, we are publishing a comprehensive post-mortem report on yesterday's event. https://t.co/DljZSs3ssK

We are fully mobilized to retrieve users' funds and we will keep you updated on next steps.

The most important action users can… pic.twitter.com/MUr1yqqBKX
— Prisma Finance (@PrismaFi) March 29, 2024

According to the investigation, the hacker exploited two smart contracts designed to transfer user positions from one Trove product manager to another.

"The incident became possible due to insufficient verification of input data in the onFlashloan function, which allowed manipulating information and implementing unintended contract behavior," the developers explained.

In addition to the main amount of 3257 ETH, two other users withdrew another ~121 wstETH and ~52 wstETH, respectively, in the same way, according to the explanation.

For security reasons, the team reminded clients to withdraw approval for asset delegation.

"In addition to recovering stolen funds, Prisma's main priority is to restore the protocol and revive it. The most important step required to complete the pause is to ensure the security of all users' wallets and positions," wrote a key developer under the nickname Frank.

As of March 31, 14 accounts with open approval remained at risk of losing funds, while five wallets "risked" assets worth approximately $500,000.

Frank submitted to the Prisma community a proposal to temporarily reduce the distribution of commission shares to 50% instead of 100%. The goal is to accumulate funds to restore the platform's operation. He acknowledged that the time frame for getting out of this situation remains uncertain.

The intruder called himself "white", but put forward a number of conditions

Meanwhile, the Prisma hacker immediately after the incident entered into correspondence with the team, offering to return the withdrawn assets.

However, he first asked them to answer a number of questions regarding the developers' understanding of the concept of smart contracts, the need for audits, and their responsibilities in case of incidents like this.

Prisma acknowledged that part of the code of the latest update did not pass verification by third-party experts and asked the hacker to return the funds without conditions. The latter in response accused the team of insincerity and suggested that the vulnerability was deliberately planted.

"Dear friends from Prisma, you have not shown any good will! I'm very disappointed with everything you've done. It was just a must-have move! Once again, you still haven't disclosed the three factors I asked you about. Don't try to run away from your mistakes and get rid of your responsibilities. If it wasn't me, it could have been done by others, the Black hats, or someone else," he wrote.

One of the users, who drew attention to the hacker's correspondence with the Prisma team, asked the question: why does the community not discuss the problems raised?

Interesting development in the Prisma events:

A/ The code concerned was not audited
B/ The hacker has demands, part of which were met
C/ The hacker has a mission/motivation

A/ Why audit a migration function?

1. The exploit was on a migration function that was not part of the… pic.twitter.com/a58Zik44Nz
— tokenbrice.eth (@TokenBrice) March 31, 2024

According to the developer under the nickname Tokenbrice, the hacker reasonably drew attention to some aspects:

* the Prisma team independently started migrating user positions to Trove, which was not provided for in the initial protocol deployment plans;

* experienced developers did not submit part of the update code for audit, which is usually used to remove responsibility (for the most part);

* they ignored the hacker's deanonymization demands, as well as his other questions.

"He seems to be interested in expanding the responsibility of DeFi developers: the hero we didn't deserve?" the expert suggested.