Decentralized finance (DeFi) entity Prisma Finance is grappling with the aftermath of a $11.6 million security breach, revealing that approximately $540,000 in user funds remains vulnerable due to unrevoked permissions linked to the compromised smart contract. Concurrently, the individual claiming responsibility for the breach, describing themselves as a “white hat” hacker, stipulates a public apology and team disclosure as conditions for returning the stolen assets.
Urgent Measures and Continued Vulnerabilities
In a detailed update on April 1, Prisma core contributor, known as “Frank,” outlined ongoing efforts to safeguard remaining assets and resume protocol operations. Highlighting the critical need for user vigilance, Frank emphasized the protocol’s immediate focus on reactivating services once users’ wallets and positions are secured. The exploit, rooted in two MigrateTroveZap contracts intended for user position migration, left 14 accounts with unrevoked contract permissions, placing over $500,000 at imminent risk.
Prisma’s protocol, designed to facilitate decentralized borrowing through Ethereum-based “troves,” now faces the challenge of safeguarding these vulnerable accounts, including one notably containing $484,380.
Strategic Recovery Efforts
As part of its recovery blueprint, Prisma aims to bolster its financial reserves while endeavoring to recoup the purloined funds. A proposition introduced on April 1 suggests diminishing liquidity and adjusting staked revenue models as measures to consolidate resources. Prisma reassures its user base that the exploited contract was isolated, planning a protocol relaunch once all user assets are deemed secure.
Exploiter’s Conditions for Fund Return
The alleged “white hat” hacker has put forth specific demands before any funds are returned, accusing Prisma Finance of negligence and insisting on a public acknowledgment of their errors. The hacker’s requirements include a digital conference where Prisma’s team must openly identify themselves, admit to the oversight in their smart contract audit, and detail plans for heightened security protocols. Furthermore, the exploiter seeks an official declaration absolving them of any responsibility in the incident.
In response, Prisma criticized the exploiter’s lack of cooperation in returning the stolen assets, challenging the genuineness of their intentions to remedy the situation. This standoff continues amidst on-chain dialogues, with both parties yet to reach a resolution.
Since the breach, blockchain security firms like Cyvers and Peckshield reported that the exploiter began converting the stolen assets to Ether (ETH), with a portion funneled through the OFAC-sanctioned cryptocurrency mixer Tornado Cash. The incident precipitated a significant decline in Prisma Finance’s total value locked (TVL) on the protocol, dropping from approximately $220 million to $87 million as per DefiLlama’s data.
| Aspect | Detail |
|---|---|
| Funds at Risk | $540,000 |
| Exploit Amount | $11.6 million |
| Vulnerable Accounts | 14 (5 at high risk) |
| Recovery Proposals | Reduce POL liquidity, adjust staked revenue |
| Exploiter’s Demands | Public apology, team identity disclosure |
| Security Observations | Funds converted to ETH, use of Tornado Cash |
| TVL Impact | Decreased from $220 million to $87 million |
The Prisma Finance exploit underscores the intricacies and challenges of maintaining security within the DeFi space. As the community navigates the path to resolution, the incident highlights the critical importance of transparent operations, rigorous security audits, and the delicate balance between innovation and user safety. The ongoing dialogue between Prisma Finance and the self-described “white hat” hacker exemplifies the complex ethical considerations inherent in cybersecurity and the DeFi sector.
Featured image credit: Invexic via Medium