Gamma Strategies – a DeFi protocol built on the Ethereum blockchain – fell victim to an exploit, resulting in a loss of approximately $3.4 million. In response to the attack, the protocol swiftly implemented measures to prevent further losses, temporarily disabling deposits to all public DeFi vaults while keeping withdrawals active for users in need of accessing their funds.
The exploit was initially identified by blockchain investigator PeckShield on January 4, which was then confirmed by Gamma Strategies. The platform disclosed that it had identified the root cause of the incident.
Root Cause Revealed
Gamma’s vaults incorporate four primary safeguards against flash loans. These include mandating a token0 and token1 ratio in line with the pool’s ratio, setting a price change threshold to disallow deposits when the price change exceeds a specified amount, implementing deposit caps per deposit, and prohibiting single-sided deposits.
The protocol revealed that the main issue stemmed from the settings on the price change threshold, which were set too high, allowing for up to a 50-200% price change on certain LST and stablecoin vaults. This enabled the attacker to manipulate the price to the threshold and generate an unusually high number of LP tokens.
Gamma Strategies has outlined its plan of action, which includes setting all price change thresholds to a safe threshold level. It also plans to rope in a third-party code review to ensure that this attack is effectively mitigated prior to re-opening deposits.
A comprehensive post-mortem analysis will also be released soon. However, Gamma Strategies is yet to confirm if it intends on compensating its victims in addition to “maximizing recovery for all affected users.”
“One last note, is that even though deposits are closed, our rebalances and management of the positions are still active as they are not affected by the exploit.”
Another Hack in 2024
Within the first four days of 2024, the cryptocurrency market faced two security breaches.
Orbit Chain, a project facilitating cross-chain bridging, was hacked earlier this week, which led to the loss of over $80 million in assets. The attacker managed to gain access to seven out of ten multisig signers, resulting in a total loss of $81.5 million.
The majority of the stolen funds consisted of stablecoins, with $30 million in USDT, $10 million in USDC, and $10 million in DAI. Additionally, approximately 231 WBTC ($10 million) and 9,500 ETH ($21.5 million) were also compromised.