Lending protocol Delta Prime suffers second exploit in two months, bringing losses above $10 million

From theblock by Daniel Kuhn

Blockchain-based borrow and lending platform Delta Prime has suffered its second exploit in two months, according to multiple crypto security and research firms. According to the latest estimates, nearly $5 million worth of crypto assets have been drained from Delta implementations on Layer 1 blockchain Avalanche  AVAX +17.48%

The news comes shortly after Delta Prime experienced a roughly  $6 million attack  in mid-September — when one of the protocol’s administrators lost control of its private keys — bringing the protocol's losses above $10 million. That particular attack only affected Delta’s deployment on Arbitrum.

“DeltaPrime is currently paused due to an attack on the Saving pools,” the company wrote Monday on its website, with a  link  to its Discord.

"With the protocol being paused on both chains, the risk is contained. We will provide updates asap," the firm wrote in a post on X at 4:04 a.m. EST.

Crypto security firm Fuzzland told The Block that about five hours ago, an unidentified hacker exploited a “code logic error” that allowed them to drain funds from Delta Prime’s ​​“claimRewards” contract used to pay out tokens to platform users.

“The victim contract failed to check one of the addresses involved inside ‘claimRewards.’ The attacker can pass in a custom contract address that controls how much reward will be sent by the victim,” Fuzzland researcher publicqi said in a direct message.

Publicqi noted the two attacks do not appear connected as one relied on a stolen private key while the recent event used a publicly accessible bug that theoretically anyone could have found and exploited.

“For DeFi protocols that’s directly related to funds/have TVLs, they should be extremely careful and serious about the code, especially parts where transfer is possible. And an audit is not a 100% guarantee that a protocol is safe,” publicqi said.

According to DeFi syndicate  yieldsandmore , the alleged attacker appears to be a DeFi power user and “experienced serial exploiter” who was involved in an  attack  as recently as June. The attacker appears to have reinvested a portion of the stolen funds in wrapped bitcoin on Arbitrum, according to  onchain data .

The vast majority of the stolen funds were taken from the Avalanche deployment of Delta Prime. The PRIME token has an over $51 million fully diluted valuation. The protocol’s total value locked stands around $32 million, down from a peak above $70 million prior to the exploit in September.