Prisma Finance Hack - March 2024 ($11.6M)
Exploit Overview
On March 28th, 2024, at 11:25 UTC, an exploiter submitted a transaction against the MigrateTroveZap contract that resulted in a total transfer of around 3,257 ETH (approximately $11.6 million).
The Vulnerability
Prisma Finance was exploited for over $11.6M through a vulnerability in its MigrateTroveZap contract, code designed to help users migrate troves during a system upgrade. The vulnerability stemmed from inadequate input validation in both versions of the MigrateTroveZap contract (mkUSD and ULTRA). Because the contract was built to move user positions between trove managers, this missing validation let malicious actors manipulate its behavior.
Technical Attack Details
Because the callback function onFlashLoan() blindly trusted the calldata and lacked origin validation, attackers were able to spoof migration logic, hijack troves, and extract collateral. The exploiter first opened a small Trove with 1 wstETH of collateral and 2,000 mkUSD of debt, migrated that position through MigrateTroveZap, and reopened a Trove that absorbed the remaining wstETH held by the contract. The reopened Trove had 1,282.79 wstETH of collateral against 2,001.8 mkUSD of debt.
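The trust failure described above, as an added illustration that is not Prisma's MigrateTroveZap code: a flash-loan callback that decodes migration parameters straight from calldata with no check on who is calling, beside a hardened version that binds the callback to a known lender, to loans the contract itself initiated, and to the real caller recorded by its own migrate() entry point. The interface shapes, function names and the encoded data layout are assumptions for the example.

```solidity
pragma solidity ^0.8.20;
// Illustrative only: not Prisma's MigrateTroveZap. Interface shapes,
// function names and the migration data layout are assumed.
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data) external returns (bool);
}
interface ITroveManager {
    function closeTrove(address account) external;
    function openTrove(address account, uint256 coll, uint256 debt) external;
}

// Vulnerable pattern: the callback accepts any caller and decodes the
// migration target straight from calldata, so a direct call with
// caller-chosen data reopens a trove using collateral the zap holds.
contract MigrateZapVulnerable {
    function onFlashLoan(address, address, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        (address account, ITroveManager from, ITroveManager to, uint256 coll) =
            abi.decode(data, (address, ITroveManager, ITroveManager, uint256));
        from.closeTrove(account);
        to.openTrove(account, coll, amount + fee);
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }
}

// Hardened pattern: only the known lender may call back, only loans
// this contract initiated are honoured, and the account is the real
// msg.sender recorded by migrate(), never an externally supplied value.
contract MigrateZapHardened {
    IFlashLender public immutable lender;
    constructor(IFlashLender _lender) { lender = _lender; }
    function migrate(ITroveManager from, ITroveManager to, address token, uint256 debt, uint256 coll) external {
        bytes memory data = abi.encode(msg.sender, from, to, coll);
        lender.flashLoan(address(this), token, debt, data);
    }

    function onFlashLoan(address initiator, address, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        require(msg.sender == address(lender), "untrusted lender");
        require(initiator == address(this), "loan not initiated by zap");
        (address account, ITroveManager from, ITroveManager to, uint256 coll) =
            abi.decode(data, (address, ITroveManager, ITroveManager, uint256));
        from.closeTrove(account);
        to.openTrove(account, coll, amount + fee);
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }
}
```

The two require() checks are the origin validation the text says was missing; encoding msg.sender inside migrate() is what stops the callback from acting on an account it did not choose itself.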
Financial Impact
The primary culprit, EOA 0x7E39E3B3ff7ADef2613d5Cc49558EAB74B9a4202, was responsible for the majority of the stolen funds, amounting to around $11.6 million. Prisma Finance's total value locked dropped from about $220 million to $115 million.
Attacker's Claims
The hacker behind the $11.6 million exploit is claiming it was a "whitehat rescue" and is enquiring about returning the funds, according to on-chain messages. This entity dispersed stolen funds to three wallets, one of which sent an on-chain message to the Prisma Finance deployer purporting to be a white-hat actor. Although the entity transferred 1,850 ETH (~$6.5m) to Tornado Cash, a further on-chain message stated an intention to move the funds to a more secure location.
Sources