$1 000 000 USD

SEPTEMBER 2025

GLOBAL

LYRADEPOSITWRAPPER

DESCRIPTION OF EVENTS

The victim depositor appears to be a user of the FalconX Exchange. Their wallet was funded by the

 

Unfortunately, the LyraDepositWrapper has no protection against funds in the smart contract being removed by any third party.

 

This exploit appears to have been possible shortly after a user incorrectly deposited their million USDC in the LyraDepositWrapper smart contract by sending the funds directly to the contract instead of calling the appropriate deposit mechanism. As a result of this error, an MEV (maximum extractable value) bot was able to remove the funds from the smart contract immediately.

 

According to a post by TenArmor, "[i]t appears that the depositToLyra() function of the LyraDepositWrapper contract lacks proper validation for the socketVault parameter, resulting in approvals for the contract to any address."

 

The losses are exactly $1m USDC, which is generally worth exactly $1m USD.

 

The incident was immediately noticed and reported by Twitter/X user deeberiroz, and reported shortly thereafter by TenArmor.

 

It does not appear that any significant analysis of the incident has been compiled. There is no evidence of funds having been returned to the victim Ethereum address.

 

There is no evidence that any recovery was attempted by the victim.

 

It is unclear who the victim is, and whether they undertook any efforts to contact and request that their funds be returned by the MEV bot operator.

An Ethereum address with recent withdrawals from the FalconX exchange platform inadvertently deposited $1,000,000 USDC into the LyraDepositWrapper smart contract by sending tokens directly to the contract, rather than using the appropriate deposit method (e.g., depositToLyra()). This direct transfer bypassed the intended logic and protections of the contract and left the funds vulnerable to extraction. An MEV bot detected the funds and exploited the contract to immediately remove the full amount. It is unclear if any efforts have been made to contact the MEV bot owner to request a return of the funds.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.
