Crypto Lending Protocol Exactly Falls Victim to $12M Bridge Exploit
Share this article
In Brief
Exactly, a crypto lending protocol, has lost more than $12 million worth of ETH following a bridge exploit.
Web3 security firm De.FI identified two exploiter contracts that stole over 7,160 ETH.
The exploit involves funding an exploiter contract on Ethereum, moving deposits to Optimism, and then bridging the stolen funds back to Ethereum.
Exactly, a crypto lending protocol, has lost more than $12 million worth of ETH following a bridge exploit.
The attack was first spotted by blockchain security company, Peckshield, which brought it to Exactly’s attention.
Following that, Exactly said that it is actively investigating the issue and has temporarily paused the protocol. However, users can still withdraw their assets.
De.Fi, a Web3 security firm, has taken the initiative to investigate the exploit independently. The firm’s investigation revealed the presence of two exploiter contracts that managed to abscond with a staggering 7,160 ETH, equivalent to more than $12 million in value.
The strategy employed by the attackers involves the creation of an exploiter contract on the Ethereum network. This contract is funded initially, deposits are then shifted to the Optimism network, and then routed back to Ethereum through a bridging mechanism, according to De.Fi.
The two exploiter contracts executed three transactions, transferring substantial sums of 910 ETH, 226,731 USDC, and 2,643,414 USDC. Moreover, De.Fi’s investigation uncovered a series of additional transactions, with some involving the bridging of 1,500 ETH using the Across Protocol.
Exactly’s native token, EXA, has plummeted more than 37% from $6.43 to its current value of $4.11, per CoinMarketCap.
DeFi protocols have been experiencing a series of exploits in recent months. In June, Atomic Wallet was hacked, resulting in $35 million allegedly stolen by North Korea’s Lazarus Group.
In July, cross-chain router protocol Multichain ceased operations after suffering an exploit that led to a loss of $126 million. Nearly $120 million came from Multichain’s Fantom bridge, according to Chainalysis.
The final week of the same month saw EraLend, a crypto lending protocol, facing a $3.4 million setback due to a zkSync exploit.
Similarly, Curve Finance, a DeFi protocol, suffered a significant loss of more than $47 million due to a re-entrancy vulnerability traced back to Vyper—a Pythonic programming language designed for the Ethereum Virtual Machine.
These incidents raise concerns about the vulnerability of crypto lending platforms and the broader DeFi ecosystem, which has been unable to safeguard themselves from these attacks.
Per a report by blockchain analytics firm TRM Labs published today, North Korea has stolen $200 million in cryptocurrency, accounting for over 20% of all stolen crypto this year.
“In recent years, North Korea has almost exclusively targeted the DeFi ecosystem. Cross-chain bridges, which hold increasing volume, are a continued target,” TRM Labs wrote.
As the investigation into this attack continues, Exactly said that its team will provide more details in due time.
Disclaimer
Any data, text, or other content on this page is provided as general market information and not as investment advice. Past performance is not necessarily an indicator of future results.
The Trust Project is a worldwide group of news organizations working to establish transparency standards.
Cindy is a journalist at Metaverse Post, covering topics related to web3, NFT, metaverse and AI, with a focus on interviews with Web3 industry players. She has spoken to over 30 C-level execs and counting, bringing their valuable insights to readers. Originally from Singapore, Cindy is now based in Tbilisi, Georgia. She holds a Bachelor's degree in Communications & Media Studies from the University of South Australia and has a decade of experience in journalism and writing.Get in touch with her via [email protected] with press pitches, announcements and interview opportunities.
More articlesCindy is a journalist at Metaverse Post, covering topics related to web3, NFT, metaverse and AI, with a focus on interviews with Web3 industry players. She has spoken to over 30 C-level execs and counting, bringing their valuable insights to readers. Originally from Singapore, Cindy is now based in Tbilisi, Georgia. She holds a Bachelor's degree in Communications & Media Studies from the University of South Australia and has a decade of experience in journalism and writing.Get in touch with her via [email protected] with press pitches, announcements and interview opportunities.
