Exactly Protocol Hack - August 2023
The Hack
Exactly Protocol became the latest victim of an exploit on August 18th, 2023, resulting in a substantial loss of funds. The total stolen amount was approximately $7.2 million (4,323.6 ETH).
Technical Details
The attacker was able to bypass the permit check on the protocol's DebtManager periphery contract by providing it with the address of a fake, malicious market contract. After getting this malicious contract in place, the attacker executed a malicious deposit function that provided access to the funds that users had deposited into the protocol's contracts.
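The trust problem described above, shown as an added example that is not Exactly Protocol's code. It assumes the periphery asks the caller-supplied market to run the permit check; IMarket, IMarketRegistry, Permit, depositFor and both contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical interfaces, assumed for illustration only.
interface IMarket {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function deposit(uint256 assets, address receiver) external returns (uint256);
}

interface IMarketRegistry {
    // True only for markets the protocol itself has listed.
    function isListed(address market) external view returns (bool);
}

struct Permit { address owner; uint256 value; uint256 deadline; uint8 v; bytes32 r; bytes32 s; }

contract PeripheryUnsafe {
    // Weak: `market` comes from the caller, so the signature check is executed by
    // whatever code lives at that address. A contract whose permit() never reverts
    // makes the check pass for any `p.owner`, and its deposit() is then run with
    // the periphery as the caller.
    function depositFor(IMarket market, uint256 assets, Permit calldata p) external {
        market.permit(p.owner, address(this), p.value, p.deadline, p.v, p.r, p.s);
        market.deposit(assets, p.owner);
    }
}

contract PeripheryHardened {
    IMarketRegistry public immutable registry;

    error MarketNotListed(address market);

    constructor(IMarketRegistry registry_) {
        registry = registry_;
    }

    // Corrected: reject any address the protocol has not listed before handing it
    // the permit check or any other call made with the periphery's privileges.
    function depositFor(IMarket market, uint256 assets, Permit calldata p) external {
        if (!registry.isListed(address(market))) revert MarketNotListed(address(market));
        market.permit(p.owner, address(this), p.value, p.deadline, p.v, p.r, p.s);
        market.deposit(assets, p.owner);
    }
}
```

When reviewing periphery contracts, every external call whose target address is a function argument is a candidate for this check, especially when the call's success is treated as proof of authorization.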
Fund Movement
The hackers then bridged 1,490 ETH using the Across Protocol and 2,832.92 ETH to the Ethereum network via Optimism Bridge.
Impact
The breach had a significant impact on Exactly Protocol's total value locked (TVL), causing it to plummet from $37 million to $11.74 million following the incident, representing a substantial decline of nearly 70%. According to Exactly, the protocol was temporarily paused as the issue was investigated, though investors were still able to withdraw funds.