The liquidity manager app Concentric has fallen victim to private key exploitation on the Arbitrum network. According to the post on their official X account, the protocol confirmed the incident, revealing that the security breach resulted from a targeted social engineering attack on one of its team members with access to the deployer wallet. This incident resulted in unauthorized access and subsequent exploitation of the protocol.
According to a report from the blockchain security firm CertiK, the attack has resulted in a loss exceeding $1.6 million. Also, the attacking wallet has been linked to the one involved in the OKX decentralized exchange exploit on December 13, suggesting a potential connection between the two incidents.
We have seen an exploit on @ConcentricFi on Arbitrum
Exploiter wallet is linked to the OKX Exploiter
Initial losses look to be around ~$1.6m https://t.co/t9liWxo3jz
— CertiK Alert (@CertiKAlert) January 22, 2024
The attack began with a sophisticated social engineering attack that compromised the deployer wallet, a critical component of the Concentric Protocol’s infrastructure. Although the vaults had been audited, the protocol remained vulnerable because those vaults were upgradable. The attacker leveraged this upgrade capability to upgrade the vaults, mint new LP tokens, and drain the assets held in the vaults.
In the attack on Concentric, the exploiter wallet called the adminMint function on a Concentric contract to mint CONE-1 tokens and then called “burn” to redeem those tokens for funds from the AlgebraPool. This process was repeated multiple times, allowing the attacker to obtain various ERC-20 tokens, which were then swapped for Ether.
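As an added defender-side illustration (not part of the original report and not Concentric’s code): a small Python monitor that flags the pattern described above, a vault upgrade followed by the same sender running repeated adminMint/burn cycles, over constructed, already-decoded on-chain records. The record shape, the vault and wallet addresses, and the "upgrade"/"adminMint"/"burn" labels are assumptions made for the example.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Dict, List

# Constructed, simplified records of the kind an indexer would emit for a
# monitored vault proxy: "upgrade" (EIP-1967 Upgraded event on the proxy)
# plus the decoded privileged calls the article describes (adminMint, burn).
@dataclass(frozen=True)
class Action:
    block: int
    tx: str
    vault: str
    kind: str      # "upgrade" | "adminMint" | "burn"  (assumed labels)
    sender: str

def detect_upgrade_then_mint_burn(actions: List[Action], window_blocks: int = 50,
                                  min_cycles: int = 2) -> List[Dict]:
    """Flag a vault upgrade that the same sender follows with at least
    `min_cycles` adminMint -> burn cycles within `window_blocks` blocks.
    A routine upgrade is not normally followed by the upgrader minting and
    redeeming LP tokens in a tight loop, so this is worth paging on."""
    by_vault: Dict[str, List[Action]] = defaultdict(list)
    for a in sorted(actions, key=lambda a: (a.block, a.tx)):
        by_vault[a.vault].append(a)
    alerts = []
    for vault, seq in by_vault.items():
        for i, up in enumerate(seq):
            if up.kind != "upgrade":
                continue
            mints = burns = 0
            for later in seq[i + 1:]:
                if later.block - up.block > window_blocks:
                    break
                if later.sender != up.sender:
                    continue
                if later.kind == "adminMint":
                    mints += 1
                elif later.kind == "burn" and mints > burns:  # burn must follow a mint
                    burns += 1
            if burns >= min_cycles:
                alerts.append({"vault": vault, "upgrader": up.sender,
                               "upgrade_tx": up.tx, "cycles": burns})
    return alerts

# Constructed sample: one benign upgrade, one upgrade followed by two mint/burn cycles.
SAMPLE = [
    Action(10, "0xt1", "0xvaultB", "upgrade", "0xteam"),
    Action(100, "0xt2", "0xvaultA", "upgrade", "0xexploiter"),
    Action(101, "0xt3", "0xvaultA", "adminMint", "0xexploiter"),
    Action(101, "0xt4", "0xvaultA", "burn", "0xexploiter"),
    Action(102, "0xt5", "0xvaultA", "adminMint", "0xexploiter"),
    Action(102, "0xt6", "0xvaultA", "burn", "0xexploiter"),
    Action(103, "0xt7", "0xvaultA", "burn", "0xuser"),  # unrelated user, ignored
]
```

Running `detect_upgrade_then_mint_burn(SAMPLE)` yields one alert for 0xvaultA with two cycles; the benign upgrade on 0xvaultB produces nothing.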
Concentric Launches Investigation with Security Researchers After Breach, Promises Post-Mortem Report and Remediation Plan
Concentric’s team has initiated an investigation and enlisted security researchers to help analyze the incident, identify the exploiters, and implement measures to prevent future occurrences. The protocol pledged to provide a post-mortem report outlining the vulnerability and a plan to address it.
Exploiter is now targeting approvals on vaults, please revoke all approvals to these addresses: https://t.co/3vTEWu23BJ https://t.co/KlZo5PqjlI
— Concentric.fi (@ConcentricFi) January 22, 2024
Furthermore, Concentric aims to maintain transparency and keep the community informed and engaged in the recovery process by publishing that detailed post-mortem report. The team is committed to resolving the issue and restoring the integrity of the Concentric Protocol on Arbitrum. Users are advised to follow Concentric’s updates on the incident and its resolution.
“We sincerely apologize for the inconvenience and distress this incident has caused. Our team is fully committed to resolving this issue, implementing enhanced security measures, and restoring the integrity of the Concentric protocol. We appreciate your support and understanding during this difficult time.”
Also, Concentric has urged its users to revoke approvals from all vault addresses, providing a list in the protocol’s documents to facilitate this process.
Security Breaches Continue to Plague Liquidity Protocols; ConcentricFi and Gamma Strategies Among Latest Victims
This year has witnessed security breaches targeting liquidity protocols, with Concentric being the latest victim of an attack on the Arbitrum network.
Earlier this year, Gamma Strategies, another liquidity protocol, suffered an attack resulting in a $3.4 million loss. That breach was attributed to smart contract vulnerabilities stemming from inconsistencies in the accounting mechanisms for depositing and withdrawing funds. Attackers exploited this vulnerability to withdraw a large quantity of tokens, even though Gamma Strategies’ vaults are designed to guard against flash loans.
The attack on Gamma Strategies utilized a different method, and there is no apparent connection between the two incidents.
Liquidity management protocols have gained popularity for decentralized exchanges (DEX) since Uniswap introduced its “concentrated liquidity” feature in 2021. This feature allows liquidity providers to set minimum and maximum prices for their assets in DEX pools, making liquidity provision more complex. Users turned to management protocols to handle their assets, contributing to the increased adoption of these protocols.