
DeltaPrime Incident Analysis

2024-11-11, CertiK
https://www.certik.com/ko/resources/blog/deltaprime-incident-analysis
#DeltaPrime

Incident Summary
On 11 November 2024, DeltaPrime was exploited for ~$4.8M across the Arbitrum and Avalanche networks.


The attack combined two vulnerabilities. The first is an unchecked input that allowed the attacker to move borrowed tokens to an arbitrary address. The second also involves an arbitrary address input, which can be exploited through the claim mechanism to withdraw the collateral.

Key Transactions
First ARB attack: https://arbiscan.io/tx/0x9efe855cd3783462207ff8a3d94dc17a74e2b2f00bf1b4c8a7e0135dae83ab5c

First AVAX attack: https://snowtrace.io/tx/0xece4efbe11e59d457cb1359ebdc4efdffdd310f0a82440be03591f2e27d2b59e?chainid=43114

Attack Flow and Vulnerability
Addresses

Exploiter:

ARB:

0xb87881637b5c8e6885C51aB7D895e53FA7d7c567
0x56e7f67211683857EE31a1220827cac5cdaa634C
0x101723dEf8695f5bb8D5d4AA70869c10b5Ff6340
AVAX:

0xd3d535141831F6Bd8B7DF92E2AE0463D60Af2413
0xd5381c683191EB0999a51567274abAB73a9Df0AD
Step by Step

The following analysis is based on Arbitrum txn 0x9efe855cd3783462207ff8a3d94dc17a74e2b2f00bf1b4c8a7e0135dae83ab5c.

The attacker flash-loaned 59.9 ETH, supplied it to DeltaPrime, and then borrowed 1.18 WBTC.

Through the swap adapter, the attacker transferred the WBTC to another attack contract they had created at address 0x52ee. After the transfer, the _repayAmount remained unchanged at 0. At this point, the attacker had obtained 1.12 WBTC, while their collateral (59.9 ETH) remained in contract 0x647b.
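
The first flaw described above, reduced to a toy Python model of the accounting. This is an added illustration, not code from the CertiK write-up or from DeltaPrime's contracts. It shows how a debt swap that accepts any adapter and never validates the repaid amount leaves the debt in place with no tokens behind it, and how an adapter allowlist plus a minimum-repayment post-condition rejects the call. All names (LoanAccount, the two adapters, swap_debt_unchecked, swap_debt_checked, allowlist, min_repay) are hypothetical; only the 1.18 WBTC figure comes from the analysis.

```python
# Simplified model, constructed for illustration; not DeltaPrime's contract code.
# Amounts are integers in satoshi-sized WBTC units (1 WBTC = 100_000_000).

class Revert(Exception):
    """Stands in for an EVM revert: state changes of the call are undone."""

class LoanAccount:
    def __init__(self):
        self.debt = 0   # WBTC owed to the lending pool
        self.held = 0   # borrowed WBTC still sitting in the account

    def borrow(self, amount):
        self.debt += amount
        self.held += amount

def honest_adapter(amount):
    """Hypothetical adapter: swaps and returns the full value for repayment."""
    return amount

def rogue_adapter(amount):
    """Hypothetical caller-supplied contract: keeps the tokens, returns nothing."""
    return 0

def swap_debt_unchecked(acct, amount, adapter):
    """Weak form: any adapter is accepted and the result is never validated."""
    acct.held -= amount
    repay_amount = adapter(amount)   # stays 0 if nothing comes back
    acct.debt -= repay_amount
    return repay_amount

def swap_debt_checked(acct, amount, adapter, allowlist, min_repay):
    """Hardened form: allowlisted adapter and a minimum-repayment post-condition."""
    if adapter not in allowlist:
        raise Revert("adapter not allowlisted")
    before = (acct.debt, acct.held)
    repay_amount = swap_debt_unchecked(acct, amount, adapter)
    if repay_amount < min_repay:
        acct.debt, acct.held = before   # undo, as a revert would
        raise Revert("repayment below minimum")
    return repay_amount

def run(swap, adapter, **kw):
    """Borrow 1.18 WBTC, attempt the swap, report (outcome, debt, held)."""
    acct = LoanAccount()
    acct.borrow(118_000_000)
    try:
        outcome = swap(acct, 118_000_000, adapter, **kw)
    except Revert as exc:
        outcome = str(exc)
    return outcome, acct.debt, acct.held
```

In the unchecked run the account ends with the full debt and zero held tokens, which is the state the analysis describes after the transfer; either check in the hardened form leaves the account unchanged.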

Using the …