Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » DeFi » Concentric confirms security breach, damage estimated at $1.6 million

Concentric confirms security breach, damage estimated at $1.6 million

by

With the exploiter now targeting vault approvals, ConcentricFi has urged its users to revoke all approvals and cease any interaction.

Concentric confirms security breach, damage estimated at $1.6 million

Share this article

Concentric Finance, an Arbitrum-based liquidity management protocol, has confirmed a security breach on its smart contract. 

Concentric’s confirmation of the incident was based on an initial alert from blockchain security firm CertiK, which estimated $1.6 million in damages from the breach based on its assessment of the threat actor’s wallet.

CertiK stated a follow-up on its evaluation, disclosing that the wallet 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F which was previously linked to the OKX exploit on December 13, 2023, is likely the same threat actor responsible for the security breach on Concentric.

Concentric operates an automated liquidity management platform on the Arbitrum blockchain network. The platform utilizes Camelot v3 to allocate assets algorithmically toward high-yielding investment opportunities.

One of the main features offered by Concentric is Concentric Vaults, which allow users to deposit liquidity provider (LP) tokens representing a share of funds in a liquidity pool. The protocol automatically seeks to optimize the yield earned on the deposited LP tokens.

According to the Concentric documentation, based on its yield optimization algorithm, the protocol generates yield by reallocating LP tokens among yield-bearing investment products. This allows Concentric Vaults to continuously compound returns for liquidity providers while requiring minimal input after the initial deposit.

The Camelot v3 protocol aims to maximize yields on deposited assets by automatically directing funds to the most profitable opportunities available at any given time across decentralized finance markets on Arbitrum. This system was designed to reduce the complexity of yield optimization for liquidity providers.

Concentric’s initial report on the breach revealed that the initial attack vector was social engineering. The threat actor compromised the wallet of a team member who had access to deploy contracts and make protocol upgrades. This gave the attacker that same privileged access.

Though Concentric’s vaults holding user funds were audited beforehand, they contained a vulnerability — the vault contracts were upgradeable by the deployer. The attacker used their privileged access to upgrade the vault contracts to their code, creating three ConeCamelotVault contracts.

With the upgraded vault contracts, the attacker inserted malicious code that allowed them to mint new LP tokens and drain funds from the vaults.

The root causes were the need for multisig-based admin roles and the unnecessary upgradeability of the vaults. These two issues allowed the attacker to gain and exploit full privileged access.

The protocol has since urged its users to revoke all approvals from a set of addresses.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.