Explained: The DeltaPrime Hack (November 2024)

In November 2024, the DeltaPrime platform lost an estimated $4.8 million to an attack. This was the second time the protocol had been hacked within two months.

Inside the Attack

In September 2024, DeltaPrime suffered a hack caused by compromised private keys. The attacker used the privileges assigned to this account to take over and upgrade smart contracts and drain approximately $5.98 million in crypto from the yield farming protocol.

In its second hack of 2024, the root cause of the issue was a smart contract vulnerability in the protocol’s reward claiming mechanism. A failure to perform proper input validation allowed the attacker to create and use a malicious trading pair on the platform.

When the attacker used this trading pair, they were able to convert the collateral used to take out a loan into reward tokens on the platform. This allowed the attacker to withdraw the reward, which was their former collateral. As a result, the DeltaPrime platform is left with bad debt since the attacker has no reason to return the borrowed assets after successfully extracting their original collateral from the platform.

In total, the attacker was able to steal approximately $4.8 million from DeltaPrime contracts across the Avalanche and Arbitrum blockchains. Of this, an estimated $2 million was deposited into two other yield farming protocols—LFG and Stargate—allowing the attacker to earn further rewards. Addresses used in the attack were also associated with past DeFi hacks, indicating that the hacker has experience exploiting DeFi protocols.

Lessons Learned from the Attack

Unfortunately, DeltaPrime fell prey to two of the most common threats to DeFi protocols through two hacks separated by a couple of months. The first DeltaPrime exploit demonstrated the importance of strong private key security, including the use of multi-signature and hardware wallets to secure critical private keys, such as those used to manage a project’s proxy contract.

This second incident was made possible by vulnerabilities within the project’s smart contract code. Insufficient validation of user-provided input is a common error that can allow an attacker to bypass protections or trick a contract into acting in unanticipated ways.

Failed input validation and similar smart contract issues can be identified and addressed by performing a comprehensive smart contract audit before releasing code to the blockchain. For help with securing your code and protecting against similar hacks, reach out to Halborn.