DeltaPrime Arbitrum Private Key Leaked
DeltaPrime is a decentralized lending platform which aims to be more capital efficient, but still fully collateralized. Unfortunately it appears that they hired some developers who were actually from North Korea, and this may have resulted in a back door in their systems. This was likely later used to gain access to the private key for their Arbitrum smart contracts. The key was used to upgrade and drain the smart contracts of $5.98m worth of assets. Assets were quickly converted to Ethereum and laundered. The protocol has reported that their insurance fund will cover all losses.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About DeltaPrime
"Be The Whale. Your trustless, transparent, prime brokerage on Avalanche and Arbitrum. Deposit and securely earn high APYs. Borrow up to 5x your collateral, explore intuitive investment strategies and unlock your capital's full potential."
"Unlock the full potential of your capital with the Prime Account: an empowered, escrow smart contract, just for you."
"Traditional lending systems like banks rely on trust and credit checks to ensure loan repayment. When that trust is broken, everyone feels it." "Trustless lending platforms like Aave / Radiant rely on locking high amounts of collateral to ensure loan repayment. This locked liquidity is trapped, harming the chain the platform is in."
"Prime Brokerage solutions (read: DeltaPrime) rely on keeping access to borrowed funds to ensure loan repayment. While a borrower can use and profit from their collateral and borrowed funds to use in other DeFi platforms, funds are always accessible by an automated escrow smart contract. This ensures trustless loan repayment, without the need for credit checks."
The Reality
"Idk if related but they were one of the teams with the DPRK IT workers I reached out to warn (was told they were all removed)"
What Happened
"DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M." "a total of 57 withdrawals were executed."
Date | Event | Description |
---|---|---|
August 15th, 2024 5:36:00 AM MDT | ZachXBT Notes DPRK Developers | ZachXBT posts a list of fake DPRK developers which have been working at different projects, including one which is drained for $1.3m from their treasury. |
September 15th, 2024 10:02:46 PM MDT | Gas Funding Transaction | The malicious actor funds their account with 0.19 ETH to be used in the attack. |
September 15th, 2024 10:14:02 PM MDT | First Malicious Contract Upgrade | The very first transaction happens to upgrade a smart contract. |
September 15th, 2024 10:14:08 PM MDT | First Malicious Withdrawal | Barely seconds later, withdrawal from the first smart contract would start. |
September 15th, 2024 11:41:00 PM MDT | Chaofan Shou Tweet | Chaofan Shou tweets, reporting that all pools are drained because the "admin private key leaked" and the loss amount is $7m so far. |
September 16th, 2024 12:15:00 AM MDT | ZachXBT Notes DPRK Involvement | ZachXBT notes that the DeltaPrime project was on his list of projects which had hired fake DPRK workers. |
September 16th, 2024 12:32:56 AM MDT | Proxy Admin Change Over | The Proxy Admin is changed for all smart contracts involved, removing the ability for further modifications to be made. |
September 16th, 2024 12:36:00 AM MDT | Cyvers Alert Posted | The Cyvers team posts an alert of the DeltaPrime smart contracts, correctly noting the incident is caused by a leaked private key. Total losses at this point are announced to be $4.5m, and the Cyvers team notes the potential for this total to increase. |
September 16th, 2024 2:55:00 AM MDT | Announcement Of Breach | An announcement is posted on Twitter to highlight the breached private key. Accordingly, the Arbitrum version of the smart contract was drained for $5.98m, while the Avalanche version was not. |
Technical Details
"In a dizzying display of greed (or thoroughness, depending on your perspective), a total of 57 withdrawals were executed.
The grand finale came with the attacker riding off into the sunrise with their ill-gotten gains.
The loot bag? A mix of USDC, WBTC, and WETH – all swiftly swapped to ETH."
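The timeline above shows the first withdrawal six seconds after the first contract upgrade, with both transactions signed by a leaked but valid admin key, so a check on who signed would not have fired. As an added example (not DeltaPrime's code or that of any monitoring vendor), the following Python rule flags that upgrade-then-outflow sequence over normalized event records; the record fields, the `upgrade`/`withdrawal` labels, the 30-minute window and every contract or sender name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "upgrade" or "withdrawal" (hypothetical normalized labels)
    contract: str  # proxy contract the event belongs to
    sender: str    # address that signed the transaction

def detect_upgrade_then_drain(events, multisig_admins, window=timedelta(minutes=30)):
    """Flag proxy upgrades that are followed by outflows, or signed by a single key."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for up in (e for e in ordered if e.kind == "upgrade"):
        outflows = [e for e in ordered
                    if e.kind == "withdrawal" and e.contract == up.contract
                    and up.ts <= e.ts <= up.ts + window]
        if outflows:
            # A valid admin signature proves nothing when the key itself leaked,
            # so this rule fires on behaviour regardless of who signed.
            alerts.append({"contract": up.contract, "severity": "critical",
                           "first_outflow_delay_s": int((outflows[0].ts - up.ts).total_seconds()),
                           "outflows_in_window": len(outflows)})
        elif up.sender not in multisig_admins:
            # Policy gap: an upgrade authorised by one key instead of a multisig.
            alerts.append({"contract": up.contract, "severity": "review",
                           "first_outflow_delay_s": None, "outflows_in_window": 0})
    return alerts

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample. Only the 22:14:02 / 22:14:08 pair mirrors the timeline above;
# all names and the remaining rows are placeholders.
SAMPLE = [
    Event(t("2024-09-15 22:14:02"), "upgrade", "pool-A", "single-key-admin"),
    Event(t("2024-09-15 22:14:08"), "withdrawal", "pool-A", "single-key-admin"),
    Event(t("2024-09-15 22:19:30"), "withdrawal", "pool-A", "single-key-admin"),
    Event(t("2024-09-10 09:00:00"), "upgrade", "pool-B", "multisig"),
    Event(t("2024-09-13 09:00:00"), "withdrawal", "pool-B", "user-1"),
    Event(t("2024-09-12 12:00:00"), "upgrade", "pool-C", "single-key-admin"),
]

if __name__ == "__main__":
    for alert in detect_upgrade_then_drain(SAMPLE, multisig_admins={"multisig"}):
        print(alert)
```

The window is a heuristic: ordinary user withdrawals shortly after a legitimate upgrade will also match, so a production rule would weigh outflow size and destination as well.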
Total Amount Lost
"At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M."
The total amount lost has been estimated at $5,980,000 USD.
Immediate Reactions
"ALERT Our system has detected multiple suspicious transactions involving @DeltaPrimeDefi on $ARB chain! (Still ongoing)
It seems that admin has lost the private key. Suspicious address still draining the pools! Affected pools so far are the #DPUSDC, #DPARB, #DPBTCb ! Suspicious address already swapped $USDC to $ETH!
Total estimated loss is around $4.5M so far! however, suspicious address still draining the pools! Total loss might increase!"
"At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M. This was due to a compromised private key, the source of which is currently under investigation.
DeltaPrime Red (Avalanche) is not vulnerable to this attack, as the implementation here is covered solely by multisigs and cold wallets (as it should be)."
Ultimate Outcome
"The risk is contained, we're working on asset-retrieval and the insurance pool will cover any potential losses where possible / necessary. Additionally, we're looking into other ways to reduce user losses to a minimum."
Total Amount Recovered
"The risk is contained, we're working on asset-retrieval and the insurance pool will cover any potential losses where possible / necessary. Additionally, we're looking into other ways to reduce user losses to a minimum."
There do not appear to have been any funds recovered in this case.
Ongoing Developments
"We will keep you updated here as well as in our Discord as we move forward."
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Rekt - DeltaPrime - Rekt (Accessed Sep 17, 2024)
- @DeltaPrimeDefi Twitter (Accessed Sep 17, 2024)
- Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Sep 17, 2024)
- Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Sep 17, 2024)
- Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Sep 17, 2024)
- @hackenclub Twitter (Accessed Sep 17, 2024)
- deltaprime-primeloans/audits at dev/main · DeltaPrimeLabs/deltaprime-primeloans · GitHub (Accessed Sep 17, 2024)
- @CyversAlerts Twitter (Accessed Sep 17, 2024)
- @zachxbt Twitter (Accessed Sep 17, 2024)
- @zachxbt Twitter (Accessed Sep 17, 2024)
- @shoucccc Twitter (Accessed Sep 17, 2024)
- @RuggedByPhone Twitter (Accessed Sep 17, 2024)
- DeltaPrime (Accessed Aug 20, 2024)
- Unlock the Blockchain | DeltaPrime (Accessed Aug 20, 2024)