The stablecoin protocol Seneca offered a 20% reward to a hacker who took at least $6.4 million in crypto assets by exploiting a validation error in the protocol’s smart contract. On February 28, multiple blockchain security firms flagged the vulnerability in the stablecoin protocol. Firms such as CertiK alerted users to the hack and urged them to revoke the approvals they had granted to an address on the Ethereum and Arbitrum networks.
The Hack Attack on Seneca
Initial estimates put the losses from the hack at $3 million, but it was later discovered that over 1,900 ETH, valued at approximately $6.4 million, had been taken in the attack. Security analysts at CertiK explained that the attack was possible because of a critical call vulnerability in the protocol’s smart contract, which allowed the attacker to make external calls to any address.
In addition, the project’s contracts had no code that would let the team pause operations, so users need to revoke their permissions themselves. The Seneca team said they are working with experts to investigate what happened. They also offered the hacker a reward of $1.2 million for the return of the stolen funds.
Significant Move from the Seneca Team
Seneca, in a message published on the ecosystem on February 29, asked the hacker to return 80% of the stolen funds to an Ethereum address and allowed the hacker to keep 20% of the crypto assets they seized. In the message, the Seneca team stated they were collaborating with security providers and law enforcement to track the funds. They called on the hacker to return the funds to avoid legal consequences and included the following statement:
“Immediate action is very important, so we kindly request you to return the funds as soon as possible to avoid further legal proceedings.”
Hours after Seneca’s message, the hacker returned approximately 1,537 ETH, valued at around $5.3 million, to the wallet address specified by Seneca. The hacker kept about 300 ETH, worth approximately $1 million, accepting the 20% reward offered by Seneca. The hacker then transferred the ETH they had seized to two different addresses.