Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/deltaprimeuncheckedsmartcontractinputs.php}} {{Unattributed Sources}} DeltaPrime Logo/HomepageDeltaPrime is a decentralized lending platform which aims to be more capital efficient, but still fully collateralized. The project obtained multiple smart contract audits, however evidence was also present that they may have hired developers from North Korea. On N..."

2024-11-12T22:36:51Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/deltaprimeuncheckedsmartcontractinputs.php}} {{Unattributed Sources}} thumb|DeltaPrime Logo/HomepageDeltaPrime is a decentralized lending platform which aims to be more capital efficient, but still fully collateralized. The project obtained multiple smart contract audits, however evidence was also present that they may have hired developers from North Korea. On N..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/deltaprimeuncheckedsmartcontractinputs.php}}
{{Unattributed Sources}}

[[File:Deltaprime.jpg|thumb|DeltaPrime Logo/Homepage]]DeltaPrime is a decentralized lending platform which aims to be more capital efficient, but still fully collateralized. The project obtained multiple smart contract audits, however evidence was also present that they may have hired developers from North Korea. On November 11th, an unchecked input drained separate smart contracts on both Arbitrum and Avalanche, leading to a large loss between $4.75m and $4.85m. There were allegations that the DeltaPrime team may have ignored vulnerabilities identified by PeckShield in an audit. However, DeltaPrime refutes this. DeltaPrime has a compensation program which has been underway from their September breach and has not yet announced plans of further compensation to affected users.<ref name="rektnews-16761" /><ref name="certikalerttwitter-16762" /><ref name="arbiscan-16763" /><ref name="certikalerttwitter-16764" /><ref name="deltaprimedefitwitter-16765" /><ref name="deltaprime-15051" /><ref name="deltaprimedocs-15052" /><ref name="rekthqtwitter-16766" /><ref name="deltaprimedefitwitter-16767" />

== About DeltaPrime ==
"Be The Whale. Your trustless, transparent, prime brokerage on Avalanche and Arbitrum. Deposit and securely earn high APYs. Borrow up to 5x your collateral, explore intuitive investment strategies and unlock your capital's full potential."

"Unlock the full potential of your capital with the Prime Account: an empowered, escrow smart contract, just for you."

"Traditional lending systems like banks rely on trust and credit checks to ensure loan repayment. When that trust is broken, everyone feels it." "Trustless lending platforms like Aave / Radiant rely on locking high amounts of collateral to ensure loan repayment. This locked liquidity is trapped, harming the chain the platform is in."

"Prime Brokerage solutions (read: DeltaPrime) rely on keeping access to borrowed funds to ensure loan repayment. While a borrower can use and profit from their collateral and borrowed funds to use in other DeFi platforms, funds are always accessible by an automated escrow smart contract. This ensures trustless loan repayment, without the need for credit checks."

"a protocol that promises "Delta-grade security,""

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"an unchecked input validation flaw has cost users another $4.85 million across Arbitrum and Avalanche chains."
{| class="wikitable"
|+Key Event Timeline - DeltaPrime Unchecked Smart Contract Inputs
!Date
!Event
!Description
|-
|November 11th, 2024 12:41:06 AM MST
|Arbitrum Blockchain Exploit Transaction
|The exploit on the Arbitrum blockchain, worth a total of $750k.
|-
|November 11th, 2024 1:39:00 AM MST
|CertiK Report On Arbitrum
|CertiK reports a $750k loss via Arbitrum from unchecked smart contract protocol inputs. This has drained "[m]ultiple @DeltaPrimeDefi pools on Arbitrum" "due to vulnerability in the periphery adaptor contract".
|-
|November 11th, 2024 2:04:00 AM MST
|DeltaPrime Confirms Breach
|DeltaPrime posts on X to confirm that they have been breached and provide a total loss estimate of $4.75m. At this time, they have paused both smart contracts and "the risk is contained".
|-
|November 11th, 2024 2:21:00 AM MST
|CertiK Loss Update Avalanche
|CertiK responds to update the total loss to $4.75m and report the additional losses via exploiting the Avalanche smart contracts.
|-
|November 11th, 2024 3:36:00 PM MST
|Rekt Investigation Published
|Rekt publishes an investigation of the exploit, in which they claim that DeltaPrime ignored suggestions to improve the smart contract further.
|-
|November 12th, 2024 7:30:00 AM MST
|DeltaPrime Provides An Update
|DeltaPrime provides an update on the situation. In this update, they claim that Rekt has misstated them ignoring audit advice, and ask for clarification.
|-
|November 12th, 2024 7:46:00 AM MST
|DeltaPrime Follow Up To Rekt
|DeltaPrime puts a comment on the Rekt post asking for them to "review [their] statements on this and rectify the article and tweet".
|}

== Technical Details ==
"Here's a few words on what happened from a non-dev. I'll try to keep it as simple as possible so it's understandable for everyone. This does mean I will have to oversimplify elements. The full post mortem will dive into all details:

• Attacker flashloaned a Lot of WAVAX (and WETH), which was provided as collateral to his Prime Account

• This was used to create large loans, which subsequently were converted to more WAVAX

• A malicious contract was created that mimicked a TJ pair so that when our contracts tried to get the TJ rewarder address for the pair, it actually returned the attacker's malicious contract address

• The ClaimRewards() function was triggered. This function has no solvency check as rewards do not add to solvency of an account (and the check makes transactions significantly more expensive).

• This function took the malicious contract as an argument, allowing the malicious code to be executed mid-transaction

• The malicious code allowed wrapping all AVAX into WAVAX in the middle of the claim() method execution, tricking the PA into believing it was a part of the reward that should be paid out

• All WAVAX was taken out of the PA, leaving the pools with a deficit equal to the max borrowable amount (the loss)"

== Total Amount Lost ==
"Multiple @DeltaPrimeDefi pools on Arbitrum were drained, likely due to vulnerability in the periphery adaptor contract, resulting a loss of about $750K."

"Within minutes, the attacker had drained $750K from Arbitrum – but they were just getting warmed up.

Their next target? The protocol's Avalanche deployment, where another $4.1M would soon vanish. Different chain, same painful lesson."

The total amount lost has been estimated at $4,850,000 USD.

== Immediate Reactions ==
"DeltaPrime was just exploited on Avalanche and Arbitrum for a total of (initial estimate) $4.75mm.

With the protocol being paused on both chains, the risk is contained. We will provide updates asap."

== Ultimate Outcome ==
"There are three elements that must be finished before reopening:

1) Fixing the bug
2) Resetting interest rates (paused PAs don't pay interest)
3) preventing first-come-first-serve on the pools"

== Total Amount Recovered ==
The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-16761">[https://rekt.news/deltaprime-rekt2/ Rekt - DeltaPrime - Rekt II] (Accessed Nov 12, 2024)</ref>

<ref name="certikalerttwitter-16762">[https://twitter.com/CertiKAlert/status/1855893120040497278 @CertiKAlert Twitter] (Accessed Nov 12, 2024)</ref>

<ref name="arbiscan-16763">[https://arbiscan.io/address/0x56e7f67211683857ee31a1220827cac5cdaa634c https://arbiscan.io/address/0x56e7f67211683857ee31a1220827cac5cdaa634c] (Accessed Nov 12, 2024)</ref>

<ref name="certikalerttwitter-16764">[https://twitter.com/CertiKAlert/status/1855903698259456424 @CertiKAlert Twitter] (Accessed Nov 12, 2024)</ref>

<ref name="deltaprimedefitwitter-16765">[https://twitter.com/DeltaPrimeDefi/status/1855899502944903195 @DeltaPrimeDefi Twitter] (Accessed Nov 12, 2024)</ref>

<ref name="deltaprime-15051">[https://deltaprime.io/ DeltaPrime] (Accessed Aug 20, 2024)</ref>

<ref name="deltaprimedocs-15052">[https://docs.deltaprime.io/ Unlock the Blockchain | DeltaPrime] (Accessed Aug 20, 2024)</ref>

<ref name="rekthqtwitter-16766">[https://twitter.com/RektHQ/status/1856103654467445153 @RektHQ Twitter] (Accessed Nov 12, 2024)</ref>

<ref name="deltaprimedefitwitter-16767">[https://twitter.com/DeltaPrimeDefi/status/1856347726407205092 @DeltaPrimeDefi Twitter] (Accessed Nov 12, 2024)</ref></references>

DeltaPrime Unchecked Smart Contract Inputs - Revision history