Delta Prime hacker exploits token minting to steal $6 million in funds

A hacker exploited the Delta Prime decentralized finance (DeFi) protocol to steal over $6 million by minting an arbitrarily large number of deposit receipt tokens. 

According to data from block explorer Arbiscan, the attacker created over 115 duovigintillion Delta Prime USD (DPUSDC) tokens, an astronomical figure represented as 1.1*10^69 in scientific notation. 

These DPUSDC tokens are deposit receipts for the USDC (CRYPTO:USDC) stablecoin held on Delta Prime, designed to be redeemable at a 1:1 ratio.

Despite minting such a vast number of tokens, the attacker only burned 2.4 million DPUSDC, exchanging them for $2.4 million worth of USDC. 

The attacker repeated similar steps for other tokens, such as Delta Prime Wrapped Bitcoin (DPBTCb), Delta Prime Wrapped Ether (DPWETH), and Delta Prime Arbitrum (DPARB), redeeming only a small fraction to obtain over $1 million in Bitcoin (CRYPTO:BTC), Ether (CRYPTO:ETH), Arbitrum (CRYPTO:ARB), and other assets.

Blockchain security specialist Chaofan Shou estimates the total amount stolen so far to be around $6 million. 

The attacker managed to gain control by compromising an admin account, likely by stealing the developer’s private key. 

Using this access, the attacker executed an “upgrade” function on the protocol’s liquidity pool contracts. 

Instead of upgrading the software, these functions allowed the attacker to point each proxy to a malicious contract that enabled the minting of an unlimited number of deposit receipts, effectively draining the pools of funds.

Delta Prime acknowledged the breach, stating, "At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M." 

The protocol assured that its Avalanche (CRYPTO:AVAX) version, DeltaPrime Blue, was not affected and mentioned that insurance would cover any potential losses "where possible/necessary."