Analysis of the Exploit occurring August 8th on the Steadefi protocol along with the outline of a reimbursement plan for recovered funds.
Jeff Lam
Overview
On 7th August 2023 at 4:00 pm UTC, $1.15m USD of assets were drained by the exploiter. As of 13th August 2023, these funds are being sent through Tornado Cash in 100 ETH deposits.
Hypernative alerted the team immediately and triggered emergency actions, which were available only on the newly launched vaults.
Hypernative and the Steadefi engineering team were in contact within 5 minutes of the exploit and on a call within 15 minutes.
Root causes of the exploit were malware injection and improper operational security.
Some users were able to safely withdraw $300k USD of assets.
Steadefi team was able to recover $540k USD of assets.
Reimbursement of the recovered assets will be live on site soon.
High Level Timeline of Events
7th August 4:06 UTC — Attacker begins to transfer ownership of Steadefi lending and strategy vaults on both Arbitrum and Avalanche. Ownership is transferred from the owner wallet (which is also the deployer) to the exploiter’s wallet(s): 0x9cf71F2ff126B9743319B60d2D873F0E508810dc on both chains.
7th August 4:06 UTC — Emergency Shutdown (triggered by Hypernative) activates prior to the transfer of ownership, effectively shutting down newly launched vaults that have Hypernative integrated.
7th August 4:15pm UTC — The Steadefi team gets on a call with Hypernative team in response to the alerts for the attack.
7th August 4:19pm UTC — Ownership transfer of all lending and strategy vaults is completed by the exploiter.
7th August 4:22pm-4:44pm UTC — Exploiter approved their wallet(s) as a borrower and “borrowed” all available lending liquidity on both Arbitrum and Avalanche.
7th August 5:10pm UTC — Various crypto assets held in the deployer were transferred from the deployer to the exploiter’s wallet.
7th August 5:19pm UTC — A “war room” is created with the Steadefi team, the Hypernative team, chain ecosystem reps and relevant supportive external protocols. Hypernative set up tracking on the exploiter address to be alerted on any movement of funds. Relevant parties (CEXes, bridges, block explorers, etc.) are informed to mark the exploiter address in their platforms.
Circumstances for Pre-Recovery: Having ownership of the contracts, the exploiter approved themselves as a borrower using the owner-only approvedBorrower function, which allowed them to borrow any available assets. After borrowing all available funds to max capacity, the exploiter could not borrow more, leaving some funds trapped in the lending vaults until strategy vault depositors withdrew from their positions. However, strategy vault depositors could not withdraw their positions, because the exploiter had also paused the Farm contracts on both chains. Without being able to withdraw from the Farms, users could not withdraw from the strategy vaults. Thus, the remaining funds were effectively “trapped” by the exploiter.
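The timeline above turns on one detection problem: an OwnershipTransferred event on a protocol contract whose new owner is not an approved address, followed by the same key moving every other contract. The script below is an added example of that check, written for this post; it is not Steadefi's or Hypernative's code. It parses constructed event log records (the deployer, multisig and vault addresses are placeholders; the exploiter address is the one quoted above), flags transfers to unapproved owners, and lists the monitored contracts that can still be paused by the legitimate owner.

```python
# Added example: detect hostile ownership transfers from event logs and decide which
# contracts to shut down while the legitimate owner can still act.
# Not Steadefi's or Hypernative's code; addresses marked "constructed" are placeholders.

# keccak256("OwnershipTransferred(address,address)"), the OpenZeppelin Ownable event topic
OWNERSHIP_TRANSFERRED_TOPIC = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
# keccak256("Transfer(address,address,uint256)"), included only as an unrelated event
ERC20_TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

EXPLOITER = "0x9cf71F2ff126B9743319B60d2D873F0E508810dc"  # exploiter wallet from the post-mortem
DEPLOYER = "0x1111111111111111111111111111111111111111"   # constructed placeholder
MULTISIG = "0x2222222222222222222222222222222222222222"   # constructed placeholder
LENDING_VAULT = "0x3333333333333333333333333333333333333333"   # constructed placeholder
STRATEGY_VAULT = "0x4444444444444444444444444444444444444444"  # constructed placeholder
FARM = "0x5555555555555555555555555555555555555555"           # constructed placeholder

MONITORED_CONTRACTS = [LENDING_VAULT, STRATEGY_VAULT, FARM]
APPROVED_OWNERS = [DEPLOYER, MULTISIG]  # the only addresses allowed to hold ownership


def address_topic(addr: str) -> str:
    """Encode an address as an indexed event topic: left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


# Constructed log records in the shape an eth_getLogs response returns.
SAMPLE_LOGS = [
    # Earlier, legitimate handover of the Farm to the multisig: must not alert.
    {"blockNumber": 90, "transactionHash": "0xaaa1", "address": FARM,
     "topics": [OWNERSHIP_TRANSFERRED_TOPIC, address_topic(DEPLOYER), address_topic(MULTISIG)]},
    # Hostile transfers of the two vaults to the exploiter.
    {"blockNumber": 100, "transactionHash": "0xbbb1", "address": LENDING_VAULT,
     "topics": [OWNERSHIP_TRANSFERRED_TOPIC, address_topic(DEPLOYER), address_topic(EXPLOITER)]},
    {"blockNumber": 100, "transactionHash": "0xbbb2", "address": STRATEGY_VAULT,
     "topics": [OWNERSHIP_TRANSFERRED_TOPIC, address_topic(DEPLOYER), address_topic(EXPLOITER)]},
    # Unrelated token transfer on the Farm: different topic, ignored.
    {"blockNumber": 101, "transactionHash": "0xccc1", "address": FARM,
     "topics": [ERC20_TRANSFER_TOPIC, address_topic(DEPLOYER), address_topic(MULTISIG)]},
]


def find_hostile_transfers(logs, monitored_contracts, approved_owners):
    """Return one alert per OwnershipTransferred event on a monitored contract whose
    new owner is outside the approved set."""
    monitored = {a.lower() for a in monitored_contracts}
    approved = {a.lower() for a in approved_owners}
    alerts = []
    for log in logs:
        if log["address"].lower() not in monitored:
            continue
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != OWNERSHIP_TRANSFERRED_TOPIC:
            continue
        new_owner = topic_to_address(topics[2])
        if new_owner in approved:
            continue
        alerts.append({
            "contract": log["address"].lower(),
            "previous_owner": topic_to_address(topics[1]),
            "new_owner": new_owner,
            "block": log["blockNumber"],
            "tx": log["transactionHash"],
        })
    return alerts


def shutdown_plan(alerts, monitored_contracts):
    """Contracts that have already changed hands can no longer be paused by the old owner;
    return the monitored contracts still held by an approved owner, which should be paused
    immediately because the same compromised key can move them next."""
    lost = {a["contract"] for a in alerts}
    return sorted(c.lower() for c in monitored_contracts if c.lower() not in lost)


if __name__ == "__main__":
    found = find_hostile_transfers(SAMPLE_LOGS, MONITORED_CONTRACTS, APPROVED_OWNERS)
    for alert in found:
        print("ALERT", alert)
    print("pause now:", shutdown_plan(found, MONITORED_CONTRACTS))
```

Reading confirmed logs is the simplest form of this check, and it only helps if the response fires on the first transfer rather than the last: once a contract's ownership has moved, the pause function belongs to the attacker. That is why the shutdown here targets the contracts not yet transferred, mirroring how only the newly launched vaults with the integration were shut down before their ownership changed. A production deployment would watch pending transactions from the owner key as well, and have ownership already sitting in a multisig so that a single leaked seed phrase cannot trigger the transfer at all.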
1) Malware injection from a targeted social engineering attack
On 17th June 2023, a Telegram chat conversation was started between Steadefi management and the “Spirit Blockchain Group”, a front presenting itself as a fund looking to invest in crypto projects.
From this chat group, a file was downloaded and opened, which likely installed malware.
On 28th June 2023, based on the MetaMask logs and as verified by the MetaMask team, Jeff’s MetaMask seed phrases (which include the sole deployer account) were copied.
Please note that this is part of an ongoing investigation and we do not have direct evidence of the malware copying the seed phrase.
2) Lack of attention to proper operational security processes
The deployer account had too many permissions as an owner of all contracts.
There was no process in place to transfer ownership of deployed contracts to a multisig account with enough trusted signers.
Reimbursement for the Recovered Funds
Review of On-Chain Calculations
Funds stolen
Avalanche: $329,810.83
Arbitrum: $794,829.17
Funds recovered*
Avalanche: $129,874.86
Arbitrum: $420,845.32
User withdrawals (Lending vaults)
Avalanche: $158,607.76
Arbitrum: $178.33**
User withdrawals (Strategy vaults)
Avalanche: $81,962.22
Arbitrum: $59,090.06
Total: $1,975,198.54
*The original amount was recovered partially in AVAX and ETH, which incurred a slight drop in value due to a market downturn.
**The attacker paused the Arbitrum Farms early in the attack, which prevented users from withdrawing.
The loss of funds for each affected user was calculated via on-chain snapshots, which included the unclaimed esSTEADY left in the paused Farm contracts.
Excluding any funds that were safely withdrawn, the recovered funds ($540k) are now being distributed proportionally to all affected wallets.
Please be sure your affected wallet address is connected to the correct chain for claiming.
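Proportional distribution of a partial recovery sounds simple, but two details matter in practice: payouts must never exceed a wallet's snapshot loss, and cent-level rounding must not leave dust behind or overspend the recovered pool. The script below is an added example of such a calculation, not Steadefi's claim code. It uses the recovered amounts per chain quoted above; the wallet addresses and their snapshot losses are constructed.

```python
# Added example: pro-rata distribution of recovered funds across affected wallets.
# Not Steadefi's code. Recovered totals are the per-chain figures from the post-mortem;
# wallet addresses and losses are constructed.
from decimal import Decimal, ROUND_FLOOR

CENT = Decimal("0.01")

# Recovered per chain, USD, as stated in the post-mortem.
RECOVERED_USD = {
    "avalanche": Decimal("129874.86"),
    "arbitrum": Decimal("420845.32"),
}

# Constructed snapshot losses per wallet, USD (placeholder addresses).
SNAPSHOT_LOSSES_USD = {
    "avalanche": {
        "0x1111111111111111111111111111111111111111": Decimal("90000.00"),
        "0x2222222222222222222222222222222222222222": Decimal("45000.00"),
        "0x3333333333333333333333333333333333333333": Decimal("15000.00"),
    },
    "arbitrum": {
        "0x4444444444444444444444444444444444444444": Decimal("300000.00"),
        "0x5555555555555555555555555555555555555555": Decimal("200000.00"),
    },
}


def pro_rata_distribution(losses, recovered):
    """Split `recovered` across wallets in proportion to their losses.

    - If the pool covers every loss, each wallet is simply made whole.
    - Otherwise each share is floored to the cent and the leftover cents are handed
      out by largest remainder, so the payouts sum to exactly `recovered` and no
      wallet receives more than its loss.
    """
    total_loss = sum(losses.values(), Decimal(0))
    if total_loss <= 0:
        return {}
    if recovered >= total_loss:
        return {w: loss.quantize(CENT) for w, loss in losses.items()}

    raw = {w: recovered * loss / total_loss for w, loss in losses.items()}
    payout = {w: v.quantize(CENT, rounding=ROUND_FLOOR) for w, v in raw.items()}
    leftover_cents = int(((recovered - sum(payout.values())) / CENT).to_integral_value())
    # Largest-remainder: wallets whose floored share lost the most get the spare cents.
    by_remainder = sorted(raw, key=lambda w: raw[w] - payout[w], reverse=True)
    for w in by_remainder[:leftover_cents]:
        payout[w] += CENT
    return payout


def build_claims(losses_by_chain, recovered_by_chain):
    """Compute the claimable amount per wallet on every chain."""
    return {chain: pro_rata_distribution(losses, recovered_by_chain[chain])
            for chain, losses in losses_by_chain.items()}


if __name__ == "__main__":
    for chain, claims in build_claims(SNAPSHOT_LOSSES_USD, RECOVERED_USD).items():
        print(chain, "distributed:", sum(claims.values()))
        for wallet, amount in claims.items():
            print("  ", wallet, amount)
```

Decimal arithmetic is used rather than floats so that the per-chain totals reconcile exactly against the recovered figures, which is the property anyone auditing a claims contract or a published payout list will check first. The same routine can be run per chain, as the claim site above requires, since the recovered assets and the affected wallets both differ between Avalanche and Arbitrum.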
Next Steps to Come
The Steadefi team still maintains confidence in the profitability of our strategies and the soundness of our smart contracts. Before this exploit, we were eager to unveil some new vaults across multiple chains that would have positioned us at the front of DeFi yield strategies.
With this in mind, we are still working with various stakeholders, both on the potential recovery of the protocol and on the compensation of our affected users. We aim to release the details of this plan as soon as it is finalized.