Seneca Hacker Returns $6 Million Stolen Crypto
01 Mar, 2024 ● Coin News
The stablecoin protocol Seneca has proposed a 20% reward to the individual who managed to illicitly access at least $6.4 million in digital assets by exploiting a flaw in the approval mechanism of the protocol’s smart contract.
On February 28, several blockchain security companies identified the security breach within the stablecoin protocol.
Firms such as CertiK alerted users to the breach, advising them to withdraw approvals from an address associated with the Ethereum and Arbitrum networks.
The initial damage was believed to be around $3 million, but further investigation revealed that the breach resulted in the loss of over 1,900 Ether, valued at approximately $6.4 million.
CertiK’s security analysts pointed out that the breach was caused by a severe vulnerability in the smart contract's “call” function.
Joe Green, leader of CertiK's rapid response team, shared with Cointelegraph that this flaw permitted the hacker to make unauthorized external calls to any address, thereby transferring assets directly to themselves from addresses that had given permissions to the compromised contracts.
Green emphasized the importance of scrutinizing external calls, especially during contract upgrades, suggesting that a contract's security at launch could be compromised by subsequent modifications.
He illustrated this with “A entrusts B; B entrusts C; C entrusts D, but a new upgrade may break when A is not supposed to trust D.”
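To make the mechanism Green describes concrete, the following is an added illustration written for this page; it is not the Seneca contract (which the page does not reproduce) and the contract and function names are hypothetical. The first contract shows the risky pattern: a user-callable function that forwards an arbitrary low-level `call`, which turns every token approval users have granted the contract into something any caller can spend. The second contract shows one hardened form: call targets are owner-controlled and allow-listed, approved token contracts are never valid call targets, and the only code path that moves user tokens is explicit and always pulls from `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used in this illustration.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// RISKY PATTERN (hypothetical, not the Seneca code): anyone may make this
// contract perform an arbitrary external call. Users who approved this
// contract to spend their tokens are exposed, because the contract can be
// made to call token.transferFrom(user, anyone, amount) using those approvals.
contract VulnerableRouter {
    function performOperations(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED PATTERN: the set of callable targets is fixed by the owner, token
// contracts that users approve are never callable through the generic path,
// and user funds move only through an explicit function tied to msg.sender.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    mapping(address => bool) public isApprovedToken;

    constructor(address[] memory tokens) {
        owner = msg.sender;
        for (uint256 i = 0; i < tokens.length; i++) {
            isApprovedToken[tokens[i]] = true;
        }
    }

    // Only the owner may change targets, and a token contract can never be one.
    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(!isApprovedToken[target], "token contracts are never call targets");
        allowedTarget[target] = allowed;
    }

    // The generic call is confined to the allow-list.
    function performOperations(address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }

    // The only path that spends a user's approval: it pulls from the caller
    // into this contract, never from a third party to an arbitrary recipient.
    function pullTokens(address token, uint256 amount) external {
        require(isApprovedToken[token], "unsupported token");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }
}
```

The caveat Green raises about upgrades applies directly to the hardened version: the allow-list and the "never a token contract" rule live in code, so an upgrade that reintroduces an unrestricted `call` path, or that adds a target able to forward calls onward, silently restores the original exposure. A review of any upgrade should therefore enumerate every external call reachable from a user-callable entry point and confirm that none of them can reach a token contract on which the protocol holds user approvals; on the user side, the practical mitigation CertiK advised in this incident, revoking approvals granted to the affected contract, removes the exposure regardless of what the contract does.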
Seneca announced it is engaging experts to delve into the incident and has put forward a $1.2 million bounty for the retrieval of the pilfered funds.
In a public message on February 29, Seneca requested the perpetrator to return 80% of the looted assets to a designated Ethereum address, offering to let the hacker retain 20% of the haul.
In its appeal, Seneca mentioned its collaboration with security firms and law enforcement to track the stolen assets, pressing the hacker to return the funds promptly to circumvent legal repercussions.
“Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” stated the message from Seneca.
Shortly after issuing this plea, the hacker returned approximately 1,537 ETH, worth about $5.3 million, to the address specified by Seneca.
The offender kept 300 ETH, equivalent to about $1 million, thereby accepting the 20% bounty Seneca had proposed, and then dispersed the remaining ETH to two other addresses.
Sources:
https://cointelegraph.com/news/seneca-hacker-returns-stolen-funds-exploit
https://twitter.com/CertiKAlert/status/1762871285036511328
https://twitter.com/spreekaway/status/1762857769714012217
https://twitter.com/SenecaUSD/status/1762886130561630227
https://twitter.com/SenecaUSD/status/1762999045109248461
https://twitter.com/PeckShieldAlert/status/1763109818766946512