Thursday, November 21, 2024

Seneca Protocol Hit by $6.4 Million DeFi Exploit, Security Flaws Exposed

The decentralized finance (DeFi) sector faced another significant setback as the lending platform and stablecoin issuer Seneca Protocol reported a security breach. On February 28, a statement issued on the protocol’s official X account confirmed the exploit, with blockchain analytics firm CertiK estimating the losses at a staggering $6.4 million so far. In response, the Seneca team has advised users to revoke approvals for the affected contracts while its staff, working with security specialists, investigate the bug.

Seneca Protocol, a prominent DeFi lending application, enables users to deposit various cryptocurrencies as collateral to mint and borrow its native stablecoin, SenecaUSD. However, the security of its system was compromised when an account, identified by its suffix 42DC, illicitly transferred approximately 1,385.23 Pendleton Kelp restaked Ether (PT Kelp rsETH) from a Seneca collateral pool. This was achieved by exploiting the “performOperations” function, allowing the assailant to convert these tokens into roughly $4 million worth of Ether (ETH) through three separate transactions. The attacker didn’t stop there; an additional 717.04 ETH derivative tokens were also siphoned from various collateral pools and converted into ETH.

CertiK’s investigation highlighted the exploit’s technical details, revealing a critical flaw in the “performOperations” function that enabled unauthorized transfers. This vulnerability allowed the attacker to execute external calls with complete control over the callee and callData, facilitating the unauthorized drainage of funds from the collateral pool.
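The missing validation described above can be modelled off-chain. The following Python sketch is an added illustration, not Seneca's or CertiK's code: the function names, the allowlist policy and all addresses are assumptions constructed for the example. It checks a caller-supplied (callee, callData) pair the way an arbitrary-call entry point would need to before forwarding it.

```python
# Added illustration; addresses and policy are constructed, not Seneca's code.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)

def addr_word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")

def encode_transfer_from(owner: str, to: str, amount: int) -> bytes:
    """Build transferFrom calldata (used here only to make sample input)."""
    return TRANSFER_FROM + addr_word(owner) + addr_word(to) + amount.to_bytes(32, "big")

def check_external_call(caller, callee, call_data, allowed_callees):
    """Return (allowed, reason) for a caller-supplied (callee, callData) pair."""
    if callee.lower() not in {a.lower() for a in allowed_callees}:
        return False, "callee not on allowlist"
    if len(call_data) < 4:
        return False, "calldata shorter than a selector"
    selector, args = call_data[:4], call_data[4:]
    if selector in (TRANSFER, APPROVE):
        # Executed by the contract, these move or expose the contract's own tokens.
        return False, "token-moving selector not permitted"
    if selector == TRANSFER_FROM:
        if len(args) != 96:
            return False, "malformed transferFrom arguments"
        # First argument is the account whose approval would be spent.
        if args[:32] != addr_word(caller):
            return False, "transferFrom spends another account's approval"
    return True, "ok"

# Constructed sample accounts.
CALLER = "0x" + "aa" * 20
DEPOSITOR = "0x" + "bb" * 20
TOKEN = "0x" + "cc" * 20

if __name__ == "__main__":
    other = encode_transfer_from(DEPOSITOR, CALLER, 10**18)
    own = encode_transfer_from(CALLER, TOKEN, 10**18)
    print(check_external_call(CALLER, TOKEN, other, {TOKEN}))
    print(check_external_call(CALLER, TOKEN, own, {TOKEN}))
    print(check_external_call(CALLER, TOKEN, own, set()))
```

On-chain, the same policy would be enforced inside the contract before the external call is made; a contract that forwards the pair unchecked spends whatever approvals users have granted it, which is why revoking approvals is the immediate user-side mitigation.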

The breach has raised alarms across the DeFi community, with blockchain investigator Spreek and security researcher ddimitrov22 pointing out the critical vulnerabilities and additional flaws in Seneca’s system that prevent the effective pausing of contracts. The development team’s acknowledgment of the attack and their commitment to providing updates have done little to quell the growing concerns over security in the DeFi space.

This incident is part of a troubling trend of security breaches within the DeFi and broader Web3 ecosystems, exemplified by recent hacks affecting prominent figures and platforms, including a $9.7 million loss by Axie Infinity co-founder Jeff “Jihoz” Zirlin and a 457 ETH exploit on DeFi protocol Blueberry. As the DeFi sector continues to evolve, these security breaches underscore the critical need for enhanced protective measures to safeguard users’ assets against increasingly sophisticated threats.
