Concentric liquidity manager exploited for $1.8M in private key hack

Exploit on Arbitrum: Concentric’s Liquidity Manager App Hacked

Concentric, a liquidity manager running on Arbitrum, has reported an attack on the protocol through its official X account. According to the team, the attacker used a "social engineering attack" to obtain the private key of the protocol's deployer account. Because that key held administrative control over the vault contracts, the attacker was able to upgrade the vaults, mint new LP tokens, and drain the assets from the vaults.

To protect users, Concentric is advising them to revoke token approvals granted to all vault addresses listed in the protocol's documentation. Those approvals let the vault contracts move tokens out of users' wallets; with the vaults now under the attacker's control, any allowance left in place remains spendable, so the revocation matters even for users who no longer hold funds in a vault.
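The check a user (or a wallet-support team) actually needs at this point is: which of my tokens still carry a non-zero allowance to any of the listed vault addresses, and what transaction revokes each one? The script below, an added example that is not Concentric's own tooling or code, replays ERC-20 `Approval` logs for one owner to find outstanding allowances to a given set of spender addresses and builds the `approve(spender, 0)` calldata that revokes them. The selector and event topic are the standard ERC-20 constants; every address and log in it is constructed for the example and is not a real Concentric address or transaction.

```python
"""Find outstanding ERC-20 allowances to a set of vault addresses and build
the approve(vault, 0) calldata that revokes them. Added example; runs offline
on constructed logs, no real Concentric addresses or transactions involved."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Standard ERC-20 ABI constants (keccak-256 of the canonical signatures).
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class Log:
    """Minimal view of one eth_getLogs entry."""
    address: str             # token contract that emitted the event
    topics: Tuple[str, ...]  # (event signature, indexed owner, indexed spender)
    data: str                # 0x-prefixed 32-byte ABI-encoded allowance value
    block: int
    index: int               # log index within the block


def norm(addr: str) -> str:
    return addr.lower()


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def latest_allowances(logs: Iterable[Log], owner: str) -> Dict[Tuple[str, str], int]:
    """Replay Approval(owner, spender, value) logs in chain order.

    Approval carries the *new* allowance, so the last event per (token, spender)
    is the value the most recent approve() call left behind.
    """
    result: Dict[Tuple[str, str], int] = {}
    for log in sorted(logs, key=lambda l: (l.block, l.index)):
        if len(log.topics) != 3 or log.topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(log.topics[1]) != norm(owner):
            continue  # another owner's approval
        spender = topic_to_address(log.topics[2])
        result[(norm(log.address), spender)] = int(log.data, 16)
    return result


def outstanding_vault_approvals(allowances: Dict[Tuple[str, str], int],
                                vault_addresses: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Non-zero allowances whose spender is one of the listed vaults."""
    vaults = {norm(v) for v in vault_addresses}
    return sorted((token, spender, value)
                  for (token, spender), value in allowances.items()
                  if value > 0 and spender in vaults)


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + left-padded address + zero value."""
    addr = bytes.fromhex(norm(spender)[2:])
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(32, b"\x00").hex() + (0).to_bytes(32, "big").hex()


def plan_revocations(logs: Iterable[Log], owner: str, vault_addresses: Iterable[str]) -> List[dict]:
    """One approve(vault, 0) transaction per outstanding (token, vault) pair.

    Each transaction is sent by the owner *to the token contract*; the vault
    address appears only inside the calldata.
    """
    allowances = latest_allowances(logs, owner)
    return [{"to": token, "data": revoke_calldata(spender), "current_allowance": value}
            for token, spender, value in outstanding_vault_approvals(allowances, vault_addresses)]


# Constructed sample data: placeholder addresses and logs, not real ones.
OWNER = "0x" + "11" * 20
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20
VAULT_1 = "0x" + "c1" * 20
VAULT_2 = "0x" + "c2" * 20
ROUTER = "0x" + "dd" * 20  # unrelated spender; must be left alone


def pad_topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def pad_value(v: int) -> str:
    return "0x" + v.to_bytes(32, "big").hex()


SAMPLE_LOGS = [
    Log(TOKEN_A, (APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(VAULT_1)), pad_value(MAX_UINT256), 100, 3),
    Log(TOKEN_A, (APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(ROUTER)), pad_value(MAX_UINT256), 100, 7),
    Log(TOKEN_B, (APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(VAULT_2)), pad_value(5 * 10**18), 101, 1),
    Log(TOKEN_B, (APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(VAULT_2)), pad_value(0), 102, 0),  # already revoked
    Log(TOKEN_A, (APPROVAL_TOPIC, pad_topic("0x" + "22" * 20), pad_topic(VAULT_1)), pad_value(1), 103, 0),  # other owner
]

if __name__ == "__main__":
    for tx in plan_revocations(SAMPLE_LOGS, OWNER, [VAULT_1, VAULT_2]):
        print(tx)
```

Two caveats when using this against a real chain. First, `Approval` logs are a reliable record of which spenders were ever approved, but many tokens decrement the allowance on `transferFrom` without emitting a new `Approval`, so confirm each hit with an `allowance(owner, spender)` call before deciding a revocation is unnecessary. Second, the revocation is only effective when the `approve(vault, 0)` transaction is signed and sent by the owner wallet itself; a third party cannot revoke on a user's behalf.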

According to a report by blockchain security platform CertiK, the attack has resulted in a loss of over $1.8 million. The attacker’s wallet is linked to the one responsible for the OKX decentralized exchange exploit on Dec. 13, suggesting that the same individual or group may be behind both attacks.

Exploitation Process and Losses

The exploiter wallet called the adminMint function on a Concentric contract to mint 0.001 CONE-1 tokens, then "burned" those tokens to redeem assets from the AlgebraPool. Because the attacker controlled both the minting and the upgraded vault logic, the burn returned pool assets that the minted amount had never backed. Repeating this mint-and-burn cycle let the attacker extract a range of ERC-20 tokens, which were then swapped for Ether (ETH).

Overall, the root cause here was not a bug in the vault code but a compromised administrative key: when a single deployer key can upgrade contracts and mint tokens, whoever holds that key effectively owns the protocol. The attack highlights the need for heightened security measures around such keys and the systems that handle them. It also shows that the differences between web 2.0 and web 3.0, such as blockchain technology, must be considered when developing and using these platforms: a transaction signed by a privileged key is final once mined, and there is no operator who can reverse it.

The Rise of Web 3.0 and its Impact on Crypto Apps

The emergence of web 3.0, with its decentralized and trustless nature, sets it apart from the centralized and controlled web 2.0. This fundamental difference has significant implications for crypto apps, which operate on the principles of decentralization and trustlessness. Companies such as Crypto.com and Reddit have already shipped web 3.0 features, paving the way for a more transparent crypto ecosystem. Decentralization does not, however, remove the need to protect the keys that administer a protocol; as this incident shows, a single compromised key undoes the guarantees of the contracts it controls.

The Investigation into the Concentric Protocol Incident

The Concentric team has launched an inquiry and plans to release a post-mortem report in the near future. This report is expected to outline how the compromise occurred, how the team will address it, and how it intends to restore the integrity of the Concentric protocol. The team says it is fully dedicated to resolving the issue and ensuring the security of the protocol.

Liquidity management protocols sit on top of decentralized exchanges (DEXs) to set price ranges and rebalance positions in liquidity pools on behalf of their users. They gained popularity after Uniswap introduced "concentrated liquidity" with v3 in 2021, which lets liquidity providers choose the minimum and maximum prices between which their assets are deployed. Because keeping such positions in range requires active management, some users turned to management protocols, which in turn means handing those protocols the ability to move their assets.

On January 4, another liquidity manager, Gamma Protocol, was targeted and lost approximately $500,000 due to a smart contract vulnerability. The two incidents used different methods, a code-level bug in Gamma's case versus a compromised key in Concentric's, and do not appear to be connected.
