The first week of December 2024 delivered a stark reminder of the persistent risks in the cryptocurrency ecosystem, as three significant exploits targeting smart contract vulnerabilities resulted in nearly $1.2M stolen.

As a smart contract auditing firm that has analyzed countless vulnerabilities, we recognize these incidents as valuable case studies that highlight the critical importance of robust security measures.

Through a detailed examination of these recent crypto hacks, we aim to provide insights that can help projects better protect their smart contracts and users' assets.

VestraDAO $500k Exploit on Ethereum Mainnet

There was a vulnerability in the locked staking contract of VestraDAO, which allowed the attacker to manipulate the reward mechanism. He claimed excessive rewards and sold them on Uniswap 🦄 Only a small fraction of protocol funds were affected, however this hiccup managed to shake the protocol's value and reduce it by 50%.

The vulnerability? A logical flaw in the staking contract. The attacker had been a staker in Vestra for over a month, carefully analyzing the vulnerability and devising his strategy.

As a result, the token plunged 50% and funds at risk were frozen. The team reacted quickly and is working to reallocate locked funds to their rightful owners.

Clipper DEX lost $460K in exploit on Optimism & Base

On December 1st, an attacker exploited a vulnerability in Clipper DEX's single-asset deposit and withdraw function.

The attack vector was the following:

The deposit and withdraw feature is designed to allow users to deposit or withdraw using only one token rather than requiring all pool assets. The attacker exploited this by targeting low-liquidity pools, executing state-changing swaps in between obtaining the deposit signature and finalizing the transaction. This manipulation of the pool's balance enabled them to extract unauthorized profits.

The total value of funds compromised was approximately $457,878.

Core reason for this exploit was that Clipper had not implemented protections to prevent malicious trades on single-asset deposits/withdrawals, because of an additional fee that mitigated arbitrage in the past.

For more information on the exploit step-by-step, read their postmortem.

Spectral Syntax V2's $200k Exploit on the Base Chain

Infinite approvals strike again! Again on December 1st, autonomous onchain agents network Spectral was exploited.

In Spectral's architecture, AgentToken.sol contracts have a built-in tax mechanism that ensures whenever an AgentToken.sol transferred to a smart contract, a tax is applied, half of which is sent to the AgentBalances.sol contract. This tax function had a hidden vulnerability later exploited by the attacker.

An unintended infinite approval in the AgentToken.sol contract between the AgentBalances.sol and AutonomousAgentDeployer.sol, upon transferFrom function.

"This approval unintentionally gave AgentBalances.sol unlimited access to spend AgentToken.sol from the AutonomousAgentDeployer.sol. Our version of the deposit function was generic to allow agent creators the option to send funds to their agent’s trading wallet and support its operations, however, the infinite approval was an oversight in this implementation, enabling anyone to send tokens (used to calculate the price of an AgentToken in our internal pools) into AgentBalances.sol." - as stated in their postmortem.

Prevention and Mitigation

These December exploits underscore critical vulnerabilities that continue to hit DeFi protocols. While infinite token approvals are convenient, they represent a significant security risk that can be mitigated through time-bound or amount-limited approvals. Pool manipulation attacks on low-TVL pools remain prevalent, highlighting the need to implement protections against malicious trades.

To defend against these attack vectors, protocols should implement comprehensive security measures focusing on proper validation of user inputs. Most crucially, staking contracts require thorough testing of reward distribution logic and fallback mechanisms. For single-asset deposits and withdrawals, we strongly recommend implementing circuit breakers and value-based limits.

Smart contract security is not a one-time effort but an ongoing process. As more DeFi protocols emerge, and more people get on board the DeFi ship, the importance of professional security reviews and battle-tested contracts has never been higher.

Let's build a safer Web3 together, one properly audited protocol at a time. In this space, your security is only as strong as your weakest link. Reach out to us and book your protocol's security review.

STAY SAFU
Audita's Team