Gamma Strategies, a liquidity management protocol on the Ethereum blockchain, has opened bounty negotiations with the attacker responsible for draining $3.4 million worth of digital assets.
The attack was flagged by blockchain security firm PeckShield on January 4th, with initial estimates putting losses at $469,000. Further analysis confirmed the total loss at $3.4 million, of which $2.2 million had already been routed through Tornado Cash, a cryptocurrency mixer.
In response to the attack, Gamma shut down its vault deposits, allowing only withdrawals. The protocol has also initiated communication with the attacker’s wallet address, expressing a willingness to negotiate a bounty for the return of the stolen crypto assets.
Gamma has attempted to contact the exploiter via Etherscan and Arbiscan to negotiate the return of funds. https://t.co/5WZ1z3F7jE https://t.co/kOi5ntdeT0
— Gamma (@GammaStrategies) January 4, 2024
Gamma Strategies stated that it had identified the root cause of the attack and assured the community that shutting down deposits for public-facing vaults nullified the attack vector.
One last note is that even though deposits are closed, our rebalances and management of the positions are still active as they are not affected by the exploit.
— Gamma (@GammaStrategies) January 4, 2024
The breach was attributed to an inconsistency between the accounting used for deposits and the accounting used for withdrawals, which allowed the number of shares minted to drift out of line with the liquidity actually backing them. The attacker used this to withdraw a large quantity of tokens, even though Gamma Strategies' vaults include defenses against flash-loan manipulation.
Gamma's vaults carry several layers of protection against flash loans: a mandated ratio of token0 to token1 in each deposit, a price change threshold, a cap on the size of each deposit, and a prohibition on single-sided deposits.
The identified issue lay in the second layer, the price change threshold. It was set loosely enough that a substantial price movement still passed the check, which let the attacker manipulate the pool price and mint an unusually high number of LP tokens against it. Gamma has reassured the community that the other layers, the mandated token ratios, deposit caps, and restriction on single-sided deposits, remain intact.
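To make the role of the price change threshold concrete, here is a simplified vault model written for this article. It is not Gamma Strategies' code and does not reproduce the actual exploit path: it models a vault that values deposits at the pool's spot price, checks that spot price against a slow-moving reference price (assumed to be TWAP-style) with a configurable deviation threshold in basis points, and mints shares pro rata to value. To isolate the threshold layer, the other layers the article lists (token ratio, deposit caps, single-sided ban) are deliberately omitted, the cost of moving the price is not modelled, and all reserves, prices and amounts are constructed sample values. The point it shows is that a loose threshold lets a depositor who has pushed the spot price mint more shares than their deposit is worth at the true price, while a tight threshold rejects the same deposit.

```python
from dataclasses import dataclass
from fractions import Fraction

BPS = 10_000


@dataclass
class Vault:
    reserve0: Fraction            # token0 held by the vault
    reserve1: Fraction            # token1 held by the vault
    total_shares: Fraction        # LP shares outstanding
    reference_price: Fraction     # token1 per token0 from a slow reference (assumed TWAP-style)
    max_price_change_bps: int     # the "price change threshold" layer, in basis points

    def price_deviation_bps(self, spot_price):
        return abs(spot_price - self.reference_price) * BPS / self.reference_price

    def deposit(self, amount0, amount1, spot_price):
        """Mint shares pro rata to the deposit's value, with both the deposit and the
        vault's holdings valued at spot_price. Raises ValueError when spot deviates
        from the reference price by more than the configured threshold."""
        if self.price_deviation_bps(spot_price) > self.max_price_change_bps:
            raise ValueError("price change threshold exceeded")
        vault_value = self.reserve0 * spot_price + self.reserve1
        deposit_value = amount0 * spot_price + amount1
        shares = self.total_shares * deposit_value / vault_value
        self.reserve0 += amount0
        self.reserve1 += amount1
        self.total_shares += shares
        return shares

    def withdraw(self, shares):
        """Burn shares and pay out the pro rata slice of both reserves."""
        frac = shares / self.total_shares
        out0, out1 = self.reserve0 * frac, self.reserve1 * frac
        self.reserve0 -= out0
        self.reserve1 -= out1
        self.total_shares -= shares
        return out0, out1


def fresh_vault(max_price_change_bps):
    # Constructed sample state: 100 token0 + 100_000 token1, reference price 1000,
    # and 200_000 shares so that one share is worth one token1 at the reference price.
    return Vault(Fraction(100), Fraction(100_000), Fraction(200_000),
                 Fraction(1000), max_price_change_bps)


def round_trip_gain(max_price_change_bps, manipulated_price, true_price=1000):
    """Deposit 100 token0 + 10_000 token1 while spot sits at manipulated_price, then
    withdraw every share. Returns the depositor's gain in token1 at true_price, or
    None if the threshold check rejects the deposit."""
    vault = fresh_vault(max_price_change_bps)
    amount0, amount1 = Fraction(100), Fraction(10_000)
    try:
        shares = vault.deposit(amount0, amount1, Fraction(manipulated_price))
    except ValueError:
        return None
    out0, out1 = vault.withdraw(shares)
    deposited = amount0 * true_price + amount1
    received = out0 * true_price + out1
    return received - deposited


if __name__ == "__main__":
    # A 40% spot move passes a 50% threshold but not a 1% one.
    loose = round_trip_gain(5000, 1400)
    tight = round_trip_gain(100, 1400)
    honest = round_trip_gain(100, 1000)
    print(f"loose threshold (5000 bps): gain {float(loose):.1f} token1")
    print(f"tight threshold (100 bps):  {'deposit reverted' if tight is None else tight}")
    print(f"honest price, tight threshold: gain {float(honest):.1f} token1")
```

With the loose setting the depositor walks away with roughly 9,230 token1 more than they put in, paid for by the vault's other shareholders; at the true price the same deposit is exactly neutral. The fix described in the article, setting the threshold to a safe level, corresponds to shrinking `max_price_change_bps` until a move large enough to be profitable no longer passes the check.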
Gamma Strategies is committed to a full recovery for affected users and will provide a detailed post-mortem analysis of the incident and a proposed resolution plan to prevent future security breaches.
Gamma Strategies Addresses Security Breach, Plans Detailed Post-Mortem Analysis and Remediation Plan
Gamma Strategies has taken swift action in response to the breach, outlining a series of measures to contain it and tighten its security controls. The company has committed to setting all price change thresholds to a safe level, commissioning a third-party code review, and resuming deposits only once it is satisfied that robust security measures are in place.
Gamma Strategies has apologized to the users who suffered losses, said it would do everything in its power to recover funds and mitigate this risk in future, and pledged to publish a detailed post-mortem of the incident, together with a proposed remediation plan, in the coming days.
The Gamma Strategies exploit adds to a growing list of security breaches in the cryptocurrency sector. In 2023 the industry lost close to $1.8 billion to such incidents, with the largest concentrated in the second half of the year.
The year witnessed several high-profile hacking incidents, impacting prominent entities such as Multichain, Euler Finance, Mixin Network, and Atomic Wallet.
Throughout the year, the North Korean hacking group Lazarus was implicated in multiple attacks, collectively resulting in losses exceeding $300 million.