Exploit Analysis and Reimbursement Plan

Analysis of the Exploit occurring August 8th on the Steadefi protocol along with the outline of a reimbursement plan for recovered funds.
profile photo
Jeff Lam

Overview

7th August 2023 4:00 pm UTC, $1.15m USD of assets were drained by the exploiter. As of 13th August 2023, these funds are being sent through Tornado Cash in 100 ETH deposits.
  • Root causes of the exploit were malware injection and improper operational security.
  • Some users were able to safely withdraw $300k USD of assets.
  • Steadefi team was able to recover $540k USD of assets.
  • Reimbursement of the recovered assets will be live on site soon.

High Level Timeline of Events

Please toggle here to view the timeline

Findings from Initial Investigations

Two primary points of failure
1) Malware injection from a targeted social engineering attack
On 17th June 2023, in a telegram chat conversation started between Steadefi management and the “Spirit Blockchain Group”, a front for a fund looking to invest into crypto projects.
From this chat group, a file was downloaded and opened and a malware was likely injected.
On 28th June 2023, based on the Metamask logs and verified by the Metamask team, Jeff’s Metamask seed phrases (which include the sole deployer account) were copied.
Please note that this is part of an ongoing investigation and we do not have direct evidence of the malware copying the seed phrase
2) Lack of attention to proper operational security processes
The deployer account had too many permissions as an owner of all contracts.
There was no process in place to transfer ownership of deployed contracts to a multisig account with enough trusted signers.

Reimbursement for the Recovered Funds

Review of On-Chain Calculations
Funds stolen
Avalanche: $329,810.83 Arbitrum: $794,829.17
Funds recovered*
Avalanche: $129,874.86 Arbitrum: $420,845.32
User withdrawals (Lending vaults)
Avalanche: $158,607.76 Arbitrum: $178.33**
User withdrawals (Strategy vaults)
Avalanche: $81,962.22 Arbitrum: $59,090.06
Total: $1,975,198.54
*Original amount was recovered partially in AVAX and ETH, which incurred a slight drop due to a market downturn
**The attacker paused the Arbitrum Farms early in the attack, which prevented users from withdrawing.
The loss of funds for each affected user was calculated via on-chain snapshots, which included the unclaimed esSTEADY left in the paused Farm contracts.
Excluding any funds safely withdrawn, the funds recovered ($540k) are now being distributed proportionally to all of the affected wallets.
Users are now able to claim their reimbursement in USDC on our website: https://steadefi.com/claim
Please be sure your affected wallet address is connected to the correct chain for claiming.

Next Steps to Come

The Steadefi team still maintains confidence in the profitability of our strategies and the soundness of our smart contracts. Before this exploit, we were eager to unveil some new vaults across multiple chains that would have positioned us at the front of DeFi yield strategies.
With this in mind, we are still working with various stakeholders, both for the potential recovery of the protocol and the compensation of our affected users. We aim to release the details of this plan as soon as its finalized.
Related posts
post image
Announcements
Team Updates
Steadefi Relaunch & Compensation Plan
Details of the Steadefi relaunch including a long-term compensation plan for affected users.
post image
Steadefi V3 vaults migration + Liquid Restaking strategy vaults
post image
Steadefi V2 Vaults migration
Powered by Notaku