Rob Behnke
August 10th, 2023
In August 2023, Steadefi, a leveraged yield aggregation platform, was the victim of an attack. The attacker gained control of the private key used to manage the project's deployed contracts, resulting in about $1.1 million in losses.
The Steadefi hack began with the attacker gaining access to the private key of the protocol’s deployer wallet. This account was the owner of all of the project’s smart contracts, enabling it to access privileged functionality limited to the owner.
With access to owner-only functionality, the attacker first transferred ownership of the smart contracts to accounts they controlled. They then used other privileged functions to lend out all of the funds held in the protocol's lending vaults to their own accounts, draining $1.1 million from the protocol.
The depositor and strategy vaults do not expose the same privileged function, so the funds held there could not be drained in this way. However, the attacker also used owner privileges to pause certain contracts, temporarily trapping user funds inside them.
After the attack was discovered, the Steadefi team offered a bug bounty to the attacker for the return of funds. This included a promise not to pursue legal action if the attacker accepted the deal before 0800 UTC on August 10, 2023.
The Steadefi hack was made possible by a stolen private key. Using this key and the privileges assigned to it, the attacker was able to drain assets from the project’s lending vaults.
These types of security incidents can be avoided with a more decentralized approach to governance, such as a multi-signature wallet. To learn more about the security risks of centralization, check out our blog on How Centralization Enables Smart Contract Hacks and Scams.
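The privilege structure described above, a single deployer key that can both hand over ownership and move every asset in a lending vault in one transaction, is illustrated below in Solidity, alongside a hardened variant. This is an added example written for this post, not Steadefi's code: the contract names, the `lendOut` function, the `DELAY` value and the proposal-id scheme are assumptions. The hardened contract expects a multi-signature wallet as its owner, as recommended above, and additionally puts every privileged withdrawal behind a public timelock so that a single stolen key is neither sufficient to act nor able to act instantly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Steadefi's code. Contract names, DELAY, lendOut and
// the proposal-id scheme are assumptions made for this example.

// Weak pattern: one externally owned account holds every privilege and can
// exercise it in a single transaction. Whoever steals that key owns the vault.
contract SingleKeyLendingVault {
    address public owner;

    constructor() {
        owner = msg.sender; // the deployer EOA
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    // One call moves control to the attacker's address.
    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }

    // One call sends the whole vault balance wherever the owner points.
    function lendOut(address to, uint256 amount) external onlyOwner {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hardened pattern: the owner is meant to be a multisig contract, so no single
// stolen key can act alone, and every privileged withdrawal must be queued and
// then executed only after a public delay, giving depositors time to react.
contract TimelockedLendingVault {
    address public immutable owner;       // multisig address supplied at deployment
    uint256 public constant DELAY = 2 days; // assumed delay; tune per protocol

    mapping(bytes32 => uint256) public readyAt; // proposal id => earliest execution time

    event Queued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event Executed(bytes32 indexed id, address to, uint256 amount);
    event Cancelled(bytes32 indexed id);

    constructor(address multisig) {
        // Cheap sanity check: an EOA has no code. This does not prove the address
        // is a multisig, so verify the owner contract off-chain before funding.
        require(multisig.code.length > 0, "owner must be a contract");
        owner = multisig;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    function proposalId(address to, uint256 amount, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encode(to, amount, nonce));
    }

    // Step 1: the multisig announces the loan on-chain. Nothing leaves the vault yet.
    function queueLendOut(address to, uint256 amount, uint256 nonce) external onlyOwner {
        bytes32 id = proposalId(to, amount, nonce);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, to, amount, readyAt[id]);
    }

    // A suspicious proposal can be cancelled at any point before it executes.
    function cancel(bytes32 id) external onlyOwner {
        require(readyAt[id] != 0, "unknown proposal");
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Step 2: only after DELAY has elapsed can funds move, and only to the
    // announced recipient for the announced amount.
    function executeLendOut(address to, uint256 amount, uint256 nonce) external onlyOwner {
        bytes32 id = proposalId(to, amount, nonce);
        uint256 eta = readyAt[id];
        require(eta != 0, "not queued");
        require(block.timestamp >= eta, "timelock active");
        delete readyAt[id];
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit Executed(id, to, amount);
    }
}
```

In the hardened contract the owner is immutable, so there is no single-transaction `transferOwnership` for a thief to call; changing governance means rotating signers inside the multisig rather than repointing the vault. The timelock is what turns a key compromise from an instant drain into a visible, cancellable event: the `Queued` log appears on-chain at least `DELAY` before any value can move, which is the window a monitoring setup or the remaining multisig signers need to cancel the proposal and pause deposits.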