Seneca stablecoin hacker returns stolen funds after $6.4M exploit

The hacker who gained access to around $6.4 million in ETH from the Seneca stablecoin exploit has returned over $5 million to the project after accepting a 20% bounty.

Seneca stablecoin hacker returns stolen funds after $6.4M exploit

Stablecoin protocol Seneca has offered a 20% bounty to the exploiter who gained access to at least $6.4 million in digital assets after exploiting an approval mechanism bug in the protocol’s smart contract. 

On Feb. 28, multiple blockchain security firms flagged the exploit on the stablecoin protocol. Companies like CertiK warned users about the exploit, urging them to revoke approvals from an address on the Ethereum and Arbitrum networks. Initial estimates of the losses were at $3 million, but it was later found that over 1,900 Ether (ETH), worth about $6.4 million, were taken from the exploit.

Seneca attacker’s wallet showing about $3 million in Ether. Source: CertiK

Security analysts at CertiK explained that the exploit happened due to a critical “call” vulnerability in the protocol’s smart contract. This vulnerability allowed the attacker to perform external calls to any address.

In addition, the project’s contracts did not have a code that could let the team do a “pause” on it. Because of this, users have to revoke permissions.

Related: Shido token plummets 94% as exploiter drains Ethereum staking contract

Seneca said it is working with specialists to investigate what happened. It also offered a $1.2 million bounty for the return of the stolen funds. In an on-chain message on Feb. 29, Seneca asked the hacker to return 80% of the stolen funds to an Ethereum address, allowing the hacker to keep 20%.

Seneca’s on-chain message to the exploiter. Source: Seneca

Within the message, Seneca said it is collaborating with security providers and law enforcement to trace the funds. It urged the hacker to return the funds to avoid legal consequences. “Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” it wrote.

Hours after Seneca’s message, the hacker returned about 1,537 ETH, worth around $5.3 million, to the wallet address Seneca specified. The exploiter kept 300 ETH, worth around $1 million, and accepted the 20% bounty offered by Seneca. The exploiter then transferred the ETH to two different addresses.

Related Articles

Responses