Decentralized finance (DeFi) protocols Exactly and Harbor were exploited on Aug. 18 in two separate — and apparently unrelated — attacks, according to blockchain security firms DeDotFi and PeckShield.
On-chain data reveals 4323.6 Ether (ETH), worth nearly $7.3 million at the time of writing, had been stolen from Exactly Protocol. The hackers then bridged 1490 ETH using the Across Protocol, and 2,832.92 ETH to the Ethereum network via Optimism Bridge.
Update: After a thorough review of the Exactly Protocol Hack, we have concluded that the total of stolen amount up to date is ~$7.2M (4323.6 $ETH)
— De.Fi Web3 Antivirus (@DeDotFiSecurity) August 18, 2023
Exactly is one of the crypto lenders on the Optimism network. Initial reports mentioned over 7160 ETH stolen, worth nearly $12 million, but were later revised to reflect a smaller amount missing. The attacker targeted the DebtManager periphery contract, according to Exactly:
“The attacker passed in a malicious market contract address, bypassing the permit check, and executed a malicious deposit function to steal assets deposited by users. Approximately $7.3M were stolen.”
The protocol filed a police report and is trying to communicate with the attackers to secure the return of the stolen assets, its team noted on X (formerly Twitter).
In another security incident, the interchain stablecoin protocol Harbor disclosed being the victim of an attack that led to the loss of funds sitting on its stable-mint, as well as stOSMO, LUNA and WMATIC vaults. At the time of writing, the amount of crypto assets stolen remains unclear. Harbor is said to be working on tracing funds and estimating the total losses.
The attacks follow a number of security incidents across the DeFi ecosystem over the past few weeks. On July 30, a vulnerability in three versions of the Vyper programming language resulted in over $61 million being stolen from stable pools on Curve Finance. Other protocols compromised in recent days include Earn.Finance, with at least $287,000 worth of ETH stolen, and Zunami Protocol, which incurred $2.1 million in losses due to another exploit.