Concentric confirms security breach, damage estimated at $1.6 million

With the exploiter now targeting vault approvals, ConcentricFi has urged its users to revoke all approvals and cease any interaction.


Concentric Finance, an Arbitrum-based liquidity management protocol, has confirmed a security breach on its smart contract. 

Concentric’s confirmation of the incident followed an initial alert from blockchain security firm CertiK, which estimated the damage at $1.6 million based on its assessment of the threat actor’s wallet.

CertiK later followed up on its evaluation, disclosing that the wallet 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F, previously linked to the OKX exploit of December 13, 2023, likely belongs to the same threat actor responsible for the Concentric breach.

Concentric operates an automated liquidity management platform on the Arbitrum blockchain network. The platform utilizes Camelot v3 to allocate assets algorithmically toward high-yielding investment opportunities.

One of the main features offered by Concentric is Concentric Vaults, which allow users to deposit liquidity provider (LP) tokens representing a share of funds in a liquidity pool. The protocol automatically seeks to optimize the yield earned on the deposited LP tokens.

According to the Concentric documentation, based on its yield optimization algorithm, the protocol generates yield by reallocating LP tokens among yield-bearing investment products. This allows Concentric Vaults to continuously compound returns for liquidity providers while requiring minimal input after the initial deposit.

The Camelot v3 protocol aims to maximize yields on deposited assets by automatically directing funds to the most profitable opportunities available at any given time across decentralized finance markets on Arbitrum. This system was designed to reduce the complexity of yield optimization for liquidity providers.

Concentric’s initial report on the breach identified social engineering as the attack vector. The threat actor compromised the wallet of a team member who had the authority to deploy contracts and perform protocol upgrades, which handed the attacker that same privileged access.

Although the vaults holding user funds had been audited beforehand, they carried a design weakness: the vault contracts were upgradeable by the deployer key. Using that privilege, the attacker upgraded the vault contracts to their own code, deploying three malicious ConeCamelotVault contracts.

The malicious implementation let the attacker mint new LP tokens at will and use them to drain funds from the vaults.

The root causes were the absence of multisig-based admin roles (a single key held the admin privileges) and the unnecessary upgradeability of the vaults. Together, these two issues allowed the attacker to gain and exploit full privileged access with one compromised wallet.
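To make the root cause concrete, the following is an added example written for this article, not Concentric’s code. It places the weak pattern described above (a single deployer EOA that can swap the vault logic instantly) beside a hardened one in which the admin must be a contract (intended to be a multisig), every upgrade sits behind a public timelock so depositors can exit, and upgradeability can be permanently frozen. The contract names, the 48-hour delay, and the minimal EIP-1967 proxy base are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal EIP-1967 proxy base shared by both vault proxies.
/// Stores the logic address in the standard implementation slot and
/// delegatecalls every call it does not recognise to that logic.
abstract contract Eip1967ProxyBase {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    function implementation() public view returns (address impl) {
        bytes32 slot = IMPL_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address newImpl) internal {
        require(newImpl.code.length > 0, "implementation is not a contract");
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, newImpl) }
    }

    fallback() external payable {
        address impl = implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

/// WEAK: the pattern behind the incident. One deployer EOA can replace the
/// vault logic in a single transaction, so one phished key is enough.
contract WeakVaultProxy is Eip1967ProxyBase {
    address public immutable deployer;

    constructor(address initialImpl) {
        deployer = msg.sender;
        _setImplementation(initialImpl);
    }

    function upgradeTo(address newImpl) external {
        require(msg.sender == deployer, "not deployer");
        _setImplementation(newImpl); // takes effect immediately, no review window
    }
}

/// HARDENED: contract (multisig) admin, timelocked upgrades, one-way freeze.
contract HardenedVaultProxy is Eip1967ProxyBase {
    uint256 public constant UPGRADE_DELAY = 48 hours; // assumed value
    address public immutable admin;
    address public pendingImpl;
    uint256 public executableAt;
    bool public upgradesFrozen;

    event UpgradeProposed(address indexed impl, uint256 executableAt);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address multisigAdmin, address initialImpl) {
        // An EOA has no code, so this rejects a single private key as admin.
        require(multisigAdmin.code.length > 0, "admin must be a contract");
        admin = multisigAdmin;
        _setImplementation(initialImpl);
    }

    function proposeUpgrade(address newImpl) external onlyAdmin {
        require(!upgradesFrozen, "upgrades frozen");
        pendingImpl = newImpl;
        executableAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeProposed(newImpl, executableAt); // users can exit before this
    }

    function cancelUpgrade() external onlyAdmin {
        delete pendingImpl;
        delete executableAt;
    }

    function executeUpgrade() external onlyAdmin {
        require(pendingImpl != address(0), "nothing pending");
        require(block.timestamp >= executableAt, "timelock not elapsed");
        address impl = pendingImpl;
        delete pendingImpl;
        delete executableAt;
        _setImplementation(impl);
    }

    /// One-way switch: after this the vault logic can never change again.
    function freezeUpgrades() external onlyAdmin {
        require(pendingImpl == address(0), "cancel pending upgrade first");
        upgradesFrozen = true;
    }
}
```

Two caveats for anyone adapting this: the `code.length` check only proves the admin is a contract, not that it is a multisig with a sensible threshold, so the admin address still needs to be verified off-chain; and because the proxy exposes its own functions alongside the delegated ones, a production deployment should use a transparent or UUPS proxy to avoid selector clashes between admin functions and vault functions. The more fundamental fix the article points to, removing upgradeability where it is not needed, corresponds to calling `freezeUpgrades` (or never deploying behind a proxy at all).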

The protocol has since urged its users to revoke all approvals from a set of addresses.
