7th August 2023 4:00 pm UTC, $1.15m USD of assets were drained by the exploiter. As of 13th August 2023, these funds are being sent through Tornado Cash in 100 ETH deposits.
- Root causes of the exploit were malware injection and improper operational security.
- Some users were able to safely withdraw $300k USD of assets.
- Steadefi team was able to recover $540k USD of assets.
- Reimbursement of the recovered assets will be live on site soon.
High Level Timeline of Events
Please toggle here to view the timeline
Findings from Initial Investigations
Two primary points of failure
1) Malware injection from a targeted social engineering attack
On 17th June 2023, in a telegram chat conversation started between Steadefi management and the “Spirit Blockchain Group”, a front for a fund looking to invest into crypto projects.
From this chat group, a file was downloaded and opened and a malware was likely injected.
On 28th June 2023, based on the Metamask logs and verified by the Metamask team, Jeff’s Metamask seed phrases (which include the sole deployer account) were copied.
Please note that this is part of an ongoing investigation and we do not have direct evidence of the malware copying the seed phrase
2) Lack of attention to proper operational security processes
The deployer account had too many permissions as an owner of all contracts.
There was no process in place to transfer ownership of deployed contracts to a multisig account with enough trusted signers.
Reimbursement for the Recovered Funds
Review of On-Chain Calculations
Avalanche: $329,810.83 Arbitrum: $794,829.17
Avalanche: $129,874.86 Arbitrum: $420,845.32
User withdrawals (Lending vaults)
Avalanche: $158,607.76 Arbitrum: $178.33**
User withdrawals (Strategy vaults)
Avalanche: $81,962.22 Arbitrum: $59,090.06
*Original amount was recovered partially in AVAX and ETH, which incurred a slight drop due to a market downturn
**The attacker paused the Arbitrum Farms early in the attack, which prevented users from withdrawing.
The loss of funds for each affected user was calculated via on-chain snapshots, which included the unclaimed esSTEADY left in the paused Farm contracts.
Excluding any funds safely withdrawn, the funds recovered ($540k) are now being distributed proportionally to all of the affected wallets.
Users are now able to claim their reimbursement in USDC on our website: https://steadefi.com/claim
Please be sure your affected wallet address is connected to the correct chain for claiming.
Next Steps to Come
The Steadefi team still maintains confidence in the profitability of our strategies and the soundness of our smart contracts. Before this exploit, we were eager to unveil some new vaults across multiple chains that would have positioned us at the front of DeFi yield strategies.
With this in mind, we are still working with various stakeholders, both for the potential recovery of the protocol and the compensation of our affected users. We aim to release the details of this plan as soon as its finalized.