Leveraged farming project-DeltaPrime was hacked on Arbitrum and Avalanche.
It has “swapDebtParaSwap” function for leverage. It is possible to borrow much more assets than collateral using this function. Hacker exchanged all borrowed tokens to collateral tokens in this function.
Also it has “claimReward” function for getting reward, but it doesn’t check parameter validity.
Hacker was able to provide self made contract as pair parameter.
In “claim” function of exploit contract, all collateral tokens are exchanged into reward tokens, then they are transferred to hacker.
Hacker drained several Arbitrum and Avalanche pools. Total loss is over $4M.
Leave a Reply