A bug in crypto lending platform Seneca Protocol was exploited on Wednesday to steal funds directly from users’ wallets. Losses so far exceed $3 million on the Ethereum and Arbitrum networks.
Seneca is a decentralized finance (DeFi) project that allows users to borrow the stablecoin senUSD against yield-bearing assets such as deposit tokens and liquid staking tokens (LSTs).
The suspicious transactions were brought to the attention of the crypto community by pseudonymous X (formerly Twitter) user Spreek.
Looks like Seneca Protocol has a critical approval exploit (open external call). $3m+ lost so far across eth/arb pic.twitter.com/MkbNShtPUm
— Spreek (Denver 28th-5th) (@spreekaway) February 28, 2024
Crypto security researcher Daniel Von Fange identified the bug in Seneca’s code, adding that he was removed from the project’s Discord where the team was deleting references to the exploit.
Another user, going by ‘cawfree’ on X, claims to have warned the project of this exact issue in November, before being blocked by Seneca. An audit contest was also abandoned in November, five days before launch.
According to security firm Peckshield, the contracts in question cannot be paused, leaving the users themselves responsible for revoking token approvals to the affected addresses.
We are actively working with security specialists to investigate the approval bug found today.
— Seneca (@SenecaUSD) February 28, 2024
In the meantime, REVOKE approvals for the following addresses: #Ethereum
PT-ezETH 0x529eBB6D157dFE5AE2AA7199a6f9E0e9830E6Dc1
apxETH 0xD837321Fc7fabA9af2f37EFFA08d4973A9BaCe34…
What are token approvals?
Unlike regular users’ Ethereum addresses, smart contract addresses are unable to initiate transfers on their own.
This means that any user wishing to swap tokens via a decentralized exchange (DEX) or deposit funds into certain DeFi platforms must first grant approval to the contract in charge of these operations. This allows the contract to spend tokens directly out of the user’s wallet, up to a defined limit.
However, clunky user interfaces, high gas fees, and repeat visits mean that many users tend to opt for granting unlimited approvals rather than going through the process for each interaction.
As today shows, this situation is ripe for exploitation by hackers who manage to manipulate contracts into sending any pre-approved tokens from users’ wallets directly to the hackers themselves.
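To make the risk described above concrete, here is a small model of ERC-20 allowance semantics; it is an added example, not Seneca's code or any real token contract. It assumes the common implementation convention that an "unlimited" approval (the maximum uint256) is never decremented by transferFrom, and the names `Token`, `exposure` and `approval_scenarios` are the example's own.

```python
# Constructed model of ERC-20 allowance semantics; not Seneca's code.
MAX_UINT256 = 2**256 - 1  # the value wallets use for an "unlimited" approval


class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is the standard way to revoke an approval.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # As in common implementations, an unlimited approval is never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens the spender could move from owner right now: min(allowance, balance)."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def approval_scenarios():
    """Compare what a spender that gets manipulated could move under each approval style."""
    results = {}
    token = Token({"alice": 1000})
    # Exact approval: only the amount of this one interaction is at risk.
    token.approve("alice", "router", 100)
    results["exact"] = exposure(token, "alice", "router")
    # Unlimited approval: the whole remaining balance stays at risk after normal use.
    token.approve("alice", "router", MAX_UINT256)
    token.transfer_from("router", "alice", "router", 100)  # a legitimate interaction
    results["unlimited_after_use"] = exposure(token, "alice", "router")
    # Revocation closes the window: exposure drops to zero until re-approved.
    token.approve("alice", "router", 0)
    results["revoked"] = exposure(token, "alice", "router")
    return results
```

The `exposure` helper is the figure a user should check for each spender before deciding whether an approval needs revoking.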
In one particularly costly incident, Badger DAO users (including disgraced crypto lender Celsius) lost $120 million when the platform’s website was hacked to ‘harvest’ token approvals from users over a period of 12 days.
A proposed alternative to the standard token approval mechanism, used by leading DEX Uniswap, relies on permit2 signatures to handle approvals. However, permit2 isn't without its drawbacks, as the added complexity makes it difficult for users to understand what they are signing.
Phishing scammers are able to take advantage of this fact to steal crypto, even from those who attempt to revoke their approvals.