TL;DR#
On August 7, 2023, Steadefi was exploited on the Arbitrum and Avalanche chains, which resulted in a loss of assets worth approximately $1.14 million.
Introduction to Steadefi#
Steadefi is the DeFi protocol designed to provide the highest and most sustainable real yields to investors without the stress of constant position management or the prolonged downturns of the crypto markets.
Vulnerability Assessment#
The root cause of the exploit is due to the compromise of the private keys.
Steps#
Step 1:
According to the team, their protocol deployer wallet was compromised. This wallet address was also the owner of all vaults in the protocol.
Step 2:
The exploiter then transferred ownership of the vaults in succession, including lending and strategy, to a wallet they controlled and went on to take various owner-only actions, such as allowing any wallet to borrow any available funds from the lending vaults.
Step 3:
The exploiter first approved themselves as borrowers on Arbitrum and then on Avalanche, then proceeded to borrow tokens from these chains subsequently. This process was repeated multiple times.
Step 4:
The attacker then drained all available lending capacity on both the Arbitrum and the Avalanche chains, swapped the stolen assets to ETH, and then bridged them to Ethereum.
Step 5:
At the time of writing, the attacker is in control of all the stolen money at this address.
Aftermath#
Following the incident, the team acknowledged the occurrence of the exploit and stated that they had sent an on-chain message to the attacker’s wallet address for a possible negotiation.
The TVL of the project dropped from $2.03 million to $669,000 following the exploit.
Solution#
In the light of the Steadefi exploit on the Arbitrum and Avalanche chains, one can't help but recognize the urgent need for a comprehensive security strategy that addresses the unique risks associated with decentralized finance. We see that certain practices could have significantly mitigated the risk, but the real solution lies in combining the traditional security measures with the novel approach of solutions, specifically through Neptune Mutual.
Using hardware wallets to store private keys offline is one of the strong lines of defense. Implementing a multi-signature mechanism for critical contract modifications could spread the power of changes over multiple trusted parties, significantly lowering the risk of exploitation. Cold storage, the practice of storing private keys on a machine not connected to the internet, is another recommended tactic to ward off such attacks.
Nevertheless, it's important to acknowledge that even with the most stringent security measures in place, vulnerabilities may still be exploited. This is where Neptune Mutual comes into the picture. In the event of such security incidents, having a dedicated cover pool set up with Neptune Mutual could have significantly reduced the aftermath of the attack on the Steadefi. Neptune Mutual offers coverage to users who suffer losses of funds or digital assets due to smart contract vulnerabilities, thanks to their parametric policies.
Our marketplace operates on numerous popular blockchain networks, including Ethereum, Arbitrum, and the BNB chain. This extensive reach allows us to serve a broad spectrum of DeFi users, offering protection from potential vulnerabilities and enhancing their faith in the ecosystem.
Reference Source Steadefi
