Seneca Protocol saw a significant security breach, resulting in a dramatic 65% drop in the value of its native SEN token.
According to CertiK, the attacker initially exploited a vulnerability in the protocol to steal approximately $3 million worth of digital assets. The attacker then transferred 1,000 ETH to two externally owned accounts (EOAs), bringing the estimated loss to approximately $6.4 million.
https://twitter.com/CertiKAlert/status/1762871285036511328
The core of the vulnerability was a function in the Seneca Protocol smart contract called ‘performOperations’. This function was externally callable, meaning anyone could invoke it, and it did not properly validate the input it received.
The lack of input validation is a significant security oversight in smart contract development.
The attacker crafted specific input data for this function and triggered a condition that let them make the contract call any other contract on the blockchain with arbitrary data. This is a highly dangerous capability: it lets the attacker interact with other contracts while appearing to be the vulnerable contract itself. The attacker then used it to transfer assets from addresses that had previously granted the vulnerable contract permission to move their tokens.
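To make the pattern concrete, here is an added illustration, not Seneca's code: a generic "batch operations" entry point with an unvalidated arbitrary-call action, placed beside a hardened version. The contract names, the action id and the governance setters are assumptions for the example. The point it shows is why an unrestricted `target.call(data)` reachable from a public function is so dangerous: inside the target, `msg.sender` is the protocol contract, so every ERC-20 allowance users granted to that contract becomes reachable through it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only. Not Seneca's code; names and the action id are assumed.

// Vulnerable shape: an externally callable batch executor whose "call" action
// forwards caller-supplied calldata to a caller-supplied address.
contract VulnerableOperations {
    uint8 constant ACTION_CALL = 30; // hypothetical action id

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external payable {
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_CALL) {
                // No check on who the target is or what the calldata does.
                // The target sees msg.sender == address(this), so any token
                // allowance granted to this contract can be spent here.
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            }
        }
    }
}

// Hardened shape: call targets come from a governance-managed allow-list,
// tokens the protocol holds allowances for can never be targets, array
// lengths are checked, and unknown action ids revert instead of being skipped.
contract HardenedOperations {
    uint8 constant ACTION_CALL = 30; // same hypothetical action id

    address public immutable governance;
    mapping(address => bool) public allowedTargets;   // set only by governance
    mapping(address => bool) public isCollateralToken; // never a call target

    constructor(address _governance) {
        governance = _governance;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    function setAllowedTarget(address target, bool allowed) external onlyGovernance {
        require(!isCollateralToken[target], "token cannot be a call target");
        allowedTargets[target] = allowed;
    }

    function setCollateralToken(address token, bool flag) external onlyGovernance {
        isCollateralToken[token] = flag;
        if (flag) {
            allowedTargets[token] = false; // a token can never stay allow-listed
        }
    }

    function performOperations(uint8[] calldata actions, bytes[] calldata datas) external payable {
        require(actions.length == datas.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_CALL) {
                (address target, bytes memory callData) = abi.decode(datas[i], (address, bytes));
                // Input validation that the vulnerable version lacks:
                require(allowedTargets[target], "target not allowed");
                require(!isCollateralToken[target], "token cannot be a call target");
                (bool ok, ) = target.call(callData);
                require(ok, "call failed");
            } else {
                revert("unsupported action");
            }
        }
    }
}
```

The allow-list and the token exclusion are the two checks that matter for the failure mode in the article: even if a future allow-list entry is misconfigured, the contract still refuses to call a token it holds allowances on. As a general matter for users rather than developers, an allowance granted to a contract with an arbitrary-call path stays spendable until it is revoked, so revoking unneeded approvals limits exposure to this class of bug.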
Seneca (SEN) works as an omnichain Collateral Debt Position protocol for yield-bearing assets. Using supported collateral assets, users can borrow the collateralized stablecoin, senUSD. The SEN token has several utilities including governance, trading tax redistribution, and protocol fee redistribution through staking.