ConcentricFi confirms security breach, damage estimated at $1.6 million


With the exploiter now targeting vault approvals, ConcentricFi has urged its users to revoke all approvals and cease any interaction.

ConcentricFi, an Arbitrum-based liquidity management protocol, has confirmed a security breach on its smart contract. 

We regret to inform you that our protocol has suffered a severe security breach due to a targeted social engineering attack on one of our team members holding the deployer wallet. This unfortunate incident led to unauthorized access and subsequent exploitation of our protocol.…

— Concentric.fi (@ConcentricFi) January 22, 2024

ConcentricFi’s confirmation of the incident was based on an initial alert from blockchain security firm CertiK, which estimated $1.6 million in damages from the breach based on its assessment of the threat actor’s wallet.

CertiK issued a follow-up to its evaluation, disclosing that the wallet 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F, previously linked to the OKX exploit of December 13, 2023, likely belongs to the same threat actor responsible for the security breach on ConcentricFi.

ConcentricFi operates an automated liquidity management platform on the Arbitrum blockchain network. The platform utilizes Camelot v3 to allocate assets algorithmically toward high-yielding investment opportunities.

One of the main features offered by ConcentricFi is Concentric Vaults, which allow users to deposit liquidity provider (LP) tokens representing a share of funds in a liquidity pool. The protocol automatically seeks to optimize the yield earned on the deposited LP tokens.

According to the ConcentricFi documentation, based on its yield optimization algorithm, the protocol generates yield by reallocating LP tokens among yield-bearing investment products. This allows Concentric Vaults to continuously compound returns for liquidity providers while requiring minimal input after the initial deposit.

The Camelot v3 protocol aims to maximize yields on deposited assets by automatically directing funds to the most profitable opportunities available at any given time across decentralized finance markets on Arbitrum. This system was designed to reduce the complexity of yield optimization for liquidity providers.

ConcentricFi’s initial report on the breach identified social engineering as the initial attack vector. The threat actor compromised the wallet of a team member who had access to deploy contracts and make protocol upgrades, which gave the attacker that same privileged access.

Though ConcentricFi’s vaults holding user funds had been audited beforehand, they contained a vulnerability: the vault contracts were upgradeable by the deployer. The attacker used that privileged access to upgrade the vault contracts to their own code, creating three ConeCamelotVault contracts.

With the upgraded vault contracts, the attacker inserted malicious code that allowed them to mint new LP tokens and drain funds from the vaults.

The root causes were the absence of multisig-based admin roles and the unnecessary upgradeability of the vaults. Together, these two issues allowed the attacker to gain and exploit full privileged access.
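To make the two root causes concrete, here is an added illustration (not ConcentricFi’s code) of the weak pattern the article describes beside a hardened one, using OpenZeppelin’s UUPS upgradeable base contract. The contract and variable names (VaultWeak, VaultHardened, upgradeAuthority, freezeUpgrades) are assumptions chosen for this example, and the hardened version assumes the upgrade authority is a timelock contract owned by a multisig rather than a single deployer key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// Weak pattern (the situation described in the article): whoever holds the
/// deployer key can swap the implementation, so one phished key means full control
/// over every vault and the funds inside it.
contract VaultWeak is Initializable, UUPSUpgradeable {
    address public deployer;

    function initialize() external initializer {
        __UUPSUpgradeable_init();
        deployer = msg.sender; // a single externally owned account
    }

    function _authorizeUpgrade(address) internal view override {
        require(msg.sender == deployer, "not deployer");
    }
}

/// Hardened pattern: upgrades are authorized only by a multisig-owned timelock
/// contract (assumed to be deployed separately), and upgradeability can be
/// switched off permanently once no further upgrades are planned.
contract VaultHardened is Initializable, UUPSUpgradeable {
    address public upgradeAuthority; // e.g. a TimelockController owned by a multisig
    bool public upgradesFrozen;

    event UpgradesFrozen();

    function initialize(address timelockOwnedByMultisig) external initializer {
        __UUPSUpgradeable_init();
        // Reject plain EOAs: the authority must be a contract, not a personal key.
        require(timelockOwnedByMultisig.code.length > 0, "authority must be a contract");
        upgradeAuthority = timelockOwnedByMultisig;
    }

    /// One-way switch that removes upgradeability, addressing the
    /// "unnecessary upgradeability" root cause.
    function freezeUpgrades() external {
        require(msg.sender == upgradeAuthority, "not authority");
        upgradesFrozen = true;
        emit UpgradesFrozen();
    }

    function _authorizeUpgrade(address) internal view override {
        require(!upgradesFrozen, "upgrades frozen");
        require(msg.sender == upgradeAuthority, "not authority");
    }
}
```

With the hardened version, a compromised team member’s key alone cannot change vault code: an upgrade needs the multisig threshold and must pass through the timelock delay, during which users and monitors can see the pending change.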

The protocol has since urged its users to revoke all approvals from a set of addresses.

Exploiter is now targeting approvals on vaults, please revoke all approvals to these addresses: https://t.co/3vTEWu23BJ https://t.co/KlZo5PqjlI

— Concentric.fi (@ConcentricFi) January 22, 2024
