Decentralized finance protocol Steadefi recently announced a 10% bounty for the exploiter responsible for the hack that cost it over a million dollars. The hack reportedly occurred late on August 7 after the DeFi application’s protocol deployer wallet was compromised.
The Steadefi team took to Twitter earlier today to share the latest update on the exploit with its community:
UPDATE NOTICE:
A 2nd on-chain message has been sent with the corrected contact email address:
SteadefiNegotiation@protonmail.me
NOTICE: Steadefi has been exploited and all funds are currently at risk. https://t.co/fGQElnWvus
The message and offer from the 1st message still…
— Steadefi 🔺💙🔶 (@steadefi) August 8, 2023
According to an on-chain message left by the Steadefi team for the hacker or hackers behind the exploit, a 10% bounty was offered if the remaining funds were promptly returned to the DeFi protocol by August 10 at 08:00 UTC. If the exploiter refuses to comply, the bounty would be extended to the public, and legal action would be initiated against the perpetrators.
In a warning to the hacker, the Steadefi team stated:
We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%. You will have no risk of us pursuing this further, no risk of law enforcement issues, etc.
An analysis of the exploit shared by Steadefi revealed that the hacker took control of the DeFi protocol’s deployer wallet, which owned all its vaults. The hacker then transferred ownership of the lending and strategy vaults to a wallet controlled by them and initiated several owner-only actions, including maximizing borrowing from the app’s lending vaults.
The hacker drained all available lending capacity on Arbitrum and Avalanche, swapped the borrowed funds to ETH, and then bridged them to Ethereum. According to Steadefi, the depositor wallets were not drained by the hacker, given that the owner-only functions did not extend to the withdrawal of customer deposits.
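The ownership transfer described above leaves an event trail that a monitor can alert on before the owner-only actions follow. As an added example (not Steadefi's code), the Python below scans event logs for vault ownership changes to an address outside an approved list and flags several vaults moving to the same new owner within a few blocks. It assumes the vaults emit the OpenZeppelin-style `OwnershipTransferred` event; the function names, the approved-owner list, the addresses and the sample logs are all constructed for illustration.

```python
# Added example. Assumption: vaults emit the OpenZeppelin-style event
# OwnershipTransferred(address indexed previousOwner, address indexed newOwner).
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad_topic(address):
    """Build a 32-byte topic from a 20-byte address (used for the sample logs)."""
    return "0x" + "0" * 24 + address[2:].lower()

def find_suspicious_transfers(logs, watched_vaults, approved_owners):
    """Alert on watched vaults whose new owner is not on the approved list."""
    watched = {v.lower() for v in watched_vaults}
    approved = {o.lower() for o in approved_owners}
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue  # not an ownership-transfer event
        vault = log["address"].lower()
        new_owner = topic_to_address(topics[2])
        if vault in watched and new_owner not in approved:
            alerts.append({"vault": vault, "new_owner": new_owner,
                           "previous_owner": topic_to_address(topics[1]),
                           "block": int(log["blockNumber"], 16)})
    return alerts

def is_mass_takeover(alerts, min_vaults=2, block_window=50):
    """True if one unapproved owner took several vaults within block_window blocks."""
    by_owner = {}
    for alert in alerts:
        by_owner.setdefault(alert["new_owner"], []).append(alert)
    for items in by_owner.values():
        blocks = [a["block"] for a in items]
        vaults = {a["vault"] for a in items}
        if len(vaults) >= min_vaults and max(blocks) - min(blocks) <= block_window:
            return True
    return False

# Constructed sample data: placeholder addresses, not real wallets or vaults.
DEPLOYER, MULTISIG, UNKNOWN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
LENDING_VAULT, STRATEGY_VAULT = "0x" + "11" * 20, "0x" + "22" * 20
def sample_log(vault, old, new, block):
    return {"address": vault, "blockNumber": hex(block),
            "topics": [OWNERSHIP_TRANSFERRED, pad_topic(old), pad_topic(new)]}
SAMPLE_LOGS = [sample_log(LENDING_VAULT, DEPLOYER, UNKNOWN, 100),
               sample_log(STRATEGY_VAULT, DEPLOYER, UNKNOWN, 103)]
```

In a live deployment the `logs` argument would be the result of an `eth_getLogs` query per chain, and the approved list would hold only the addresses the team expects to own the vaults.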
Users on Twitter were suspicious of the events surrounding the hack and demanded more information from the Steadefi team. Some members of the Steadefi community speculated that the exploit may have been an inside job, aka a rug pull, by a core developer.