Explained: The DeltaPrime Hack (September 2024)


Rob Behnke

September 17th, 2024


DeltaPrime Blue is a DeFi project hosted on Arbitrum that was the victim of a nearly $6 million hack in September 2024. The attackers exploited poor private key security to take over and drain the project’s vulnerable contract.

Inside the Attack

Like many DeFi projects, DeltaPrime Blue was implemented using a proxy contract. This makes it easier to upgrade the smart contracts since the proxy contract’s address can stay the same after an upgrade while the contract that it points to changes.

However, the DeltaPrime hack demonstrates the risk that comes with this design. An attacker with access to the private key of the project’s ProxyAdmin was able to perform a malicious upgrade, pointing the proxy at an attacker-controlled implementation contract.

Because the proxy treated the new implementation as a legitimate upgrade of its code, the malicious contract inherited all of the access and privileges of the original. This meant that the attacker was able to drain the value previously deposited within the contract.

The DeltaPrime attacker deployed five malicious proxy contracts targeting different DeltaPrime contracts. In total, they were able to drain approximately $6 million from the project’s Arbitrum contracts in various currencies that were later swapped to ETH.

Lessons Learned from the Attack

The DeltaPrime hack demonstrates the importance of strong access controls and private key security, especially for upgradeable smart contracts. The use of a proxy contract can be helpful because it allows the project to more seamlessly make smart contract updates and upgrades to add features or patch vulnerabilities. However, it also opens the door for an attacker to perform a malicious upgrade if they have access to the private keys that control the upgrade process.

From a security perspective, the root cause of this incident was a failure to use multi-sig wallets and cold storage. The project’s Arbitrum contracts were likely protected only by a single private key, making it easier for the attacker to steal the key and carry out the attack. In a statement after the incident, the DeltaPrime team said that its contracts hosted on Avalanche were safe because they did have these security best practices in place.
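As an added example (not DeltaPrime’s or Halborn’s code), the check below shows how a defender can catch the pattern described above: every proxy upgrade emits the standard EIP-1967 Upgraded(address) event, so a monitor can compare each one against an upgrade policy naming the expected multi-sig admin and the set of implementations that were reviewed in advance. All addresses and log records in the example are constructed.

```python
from dataclasses import dataclass

# keccak256("Upgraded(address)"): the event an EIP-1967 style proxy emits on every upgrade
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


@dataclass
class UpgradePolicy:
    admin_multisig: str  # the only account that should ever trigger an upgrade
    approved_impls: set  # implementations reviewed and approved before deployment


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def check_upgrade(log: dict, policies: dict) -> dict:
    """Return {'proxy', 'severity', 'reasons'} for one log record."""
    if not log["topics"] or log["topics"][0].lower() != UPGRADED_TOPIC:
        return {"proxy": log["address"].lower(), "severity": "ignore", "reasons": []}
    proxy, sender = log["address"].lower(), log["tx_from"].lower()
    new_impl = topic_to_address(log["topics"][1])
    policy, reasons = policies.get(proxy), []
    if policy is None:
        reasons.append("upgrade of a proxy that is not in the inventory")
    else:
        if sender != policy.admin_multisig.lower():
            reasons.append(f"upgrade sent by {sender}, not the admin multi-sig")
        if new_impl not in {a.lower() for a in policy.approved_impls}:
            reasons.append(f"new implementation {new_impl} was never approved")
    return {"proxy": proxy, "severity": "critical" if reasons else "ok", "reasons": reasons}


def scan(logs: list, policies: dict) -> list:
    """Keep only the verdicts that need a human to act on them."""
    return [v for v in (check_upgrade(rec, policies) for rec in logs) if v["severity"] == "critical"]


# Constructed addresses and logs for the demo; none are real DeltaPrime addresses.
PROXY, MULTISIG, GOOD_IMPL = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
EOA, ROGUE_IMPL = "0x" + "44" * 20, "0x" + "55" * 20
POLICIES = {PROXY: UpgradePolicy(MULTISIG, {GOOD_IMPL})}
SAMPLE_LOGS = [
    # routine upgrade: the multi-sig moves the proxy to a reviewed implementation
    {"address": PROXY, "tx_from": MULTISIG,
     "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + GOOD_IMPL[2:]]},
    # key-compromise pattern: a lone EOA points the proxy at code nobody approved
    {"address": PROXY, "tx_from": EOA,
     "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + ROGUE_IMPL[2:]]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS, POLICIES):
        print(alert["severity"].upper(), alert["proxy"], "; ".join(alert["reasons"]))
```

Only the second constructed log produces an alert, and it carries both findings at once (wrong sender and unapproved implementation), which is exactly the combination a single-key ProxyAdmin compromise produces.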

While the project had undergone multiple audits, weaknesses in private key management cannot be detected by a code audit, because they live in operational practice rather than in the contracts. To manage these risks, organizations also need to have robust security programs in place and implement security best practices. For help in ensuring that your project is protected against this and similar threats, get in touch with Halborn.