ConcentricFi confirms security breach, damage estimated at $1.6 million
ConcentricFi, an Arbitrum-based liquidity management protocol, has confirmed a security breach on its smart contract.
We regret to inform you that our protocol has suffered a severe security breach due to a targeted social engineering attack on one of our team members holding the deployer wallet. This unfortunate incident led to unauthorized access and subsequent exploitation of our protocol.…
— Concentric.fi (@ConcentricFi) January 22, 2024
ConcentricFi’s confirmation of the incident was based on an initial alert from blockchain security firm CertiK, which estimated $1.6 million in damages from the breach based on its assessment of the threat actor’s wallet.
CertiK issued a follow-up to its evaluation, disclosing that the wallet 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F, which was previously linked to the OKX exploit on December 13, 2023, is likely controlled by the same threat actor responsible for the security breach on ConcentricFi.
ConcentricFi operates an automated liquidity management platform on the Arbitrum blockchain network. The platform utilizes Camelot v3 to allocate assets algorithmically toward high-yielding investment opportunities.
One of the main features offered by ConcentricFi is Concentric Vaults, which allow users to deposit liquidity provider (LP) tokens representing a share of funds in a liquidity pool. The protocol automatically seeks to optimize the yield earned on the deposited LP tokens.
According to the ConcentricFi documentation, based on its yield optimization algorithm, the protocol generates yield by reallocating LP tokens among yield-bearing investment products. This allows Concentric Vaults to continuously compound returns for liquidity providers while requiring minimal input after the initial deposit.
The Camelot v3 protocol aims to maximize yields on deposited assets by automatically directing funds to the most profitable opportunities available at any given time across decentralized finance markets on Arbitrum. This system was designed to reduce the complexity of yield optimization for liquidity providers.
ConcentricFi’s initial report on the breach revealed that the initial attack vector was social engineering. The threat actor compromised the wallet of a team member who had access to deploy contracts and make protocol upgrades, which gave the attacker that same privileged access.
Though ConcentricFi’s vaults holding user funds were audited beforehand, they contained a vulnerability: the vault contracts were upgradeable by the deployer. The attacker used their privileged access to upgrade the vault contracts to their own code, creating three ConeCamelotVault contracts.
With the upgraded vault contracts, the attacker inserted malicious code that allowed them to mint new LP tokens and drain funds from the vaults.
The root causes were the lack of multisig-based admin roles and the unnecessary upgradeability of the vaults. Together, these two issues allowed the attacker to gain and exploit full privileged access.
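Both root causes are visible on-chain before any funds move, so a defender can check for them. The script below is an added example, not code from the article or from ConcentricFi, and it assumes the vaults sit behind an EIP-1967 proxy (the article does not say which proxy pattern was used). It reads the proxy's admin and implementation slots, flags an upgrade authority that is a plain externally owned account (a single key, rather than a multisig or timelock contract), and flags an implementation address that differs from the known-good one, which is the signal an unauthorized upgrade leaves behind. All addresses and bytecode are constructed placeholders; the two callables stand in for an RPC client's storage and code reads.

```python
"""Offline check of an EIP-1967 proxy's upgrade authority and implementation.

Added example, not ConcentricFi's code. The two injected callables
(get_storage_at, get_code) are fed constructed data here; point them at a real
JSON-RPC client (for instance web3.py's w3.eth.get_storage_at / w3.eth.get_code)
to run the same checks against a live chain.
"""
from dataclasses import dataclass
from typing import Callable

# EIP-1967 storage slots: keccak256("eip1967.proxy.<name>") - 1
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103

ZERO = "0x" + "00" * 20


def slot_to_address(word: bytes) -> str:
    """A 32-byte storage word holding an address keeps it in the low 20 bytes."""
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + word[12:].hex()


@dataclass
class ProxyReport:
    admin: str
    admin_is_contract: bool
    implementation: str
    implementation_changed: bool

    @property
    def findings(self) -> list[str]:
        out = []
        if self.admin == ZERO:
            out.append("no admin in EIP-1967 slot (non-admin proxy or upgradeability renounced)")
        elif not self.admin_is_contract:
            out.append("upgrade authority is an EOA: a single compromised key can replace the vault code")
        if self.implementation_changed:
            out.append("implementation differs from the known-good address: possible unauthorized upgrade")
        return out


def audit_proxy(proxy: str, expected_impl: str,
                get_storage_at: Callable[[str, int], bytes],
                get_code: Callable[[str], bytes]) -> ProxyReport:
    """Read the two EIP-1967 slots and classify the admin as EOA or contract."""
    admin = slot_to_address(get_storage_at(proxy, ADMIN_SLOT))
    impl = slot_to_address(get_storage_at(proxy, IMPLEMENTATION_SLOT))
    # An address with no deployed code is an externally owned account (a bare key).
    admin_is_contract = admin != ZERO and len(get_code(admin)) > 0
    return ProxyReport(admin, admin_is_contract, impl, impl.lower() != expected_impl.lower())


# Constructed sample state (placeholder addresses, not ConcentricFi's real contracts).
VAULT_PROXY = "0x" + "11" * 20
DEPLOYER_EOA = "0x" + "22" * 20
MULTISIG = "0x" + "33" * 20
GOOD_IMPL = "0x" + "44" * 20
ROGUE_IMPL = "0x" + "55" * 20


def word(addr: str) -> bytes:
    """Left-pad a 20-byte address to a 32-byte storage word."""
    return bytes(12) + bytes.fromhex(addr[2:])


def make_chain(admin: str, impl: str):
    """Build (get_storage_at, get_code) callables over a tiny in-memory chain."""
    storage = {(VAULT_PROXY, ADMIN_SLOT): word(admin),
               (VAULT_PROXY, IMPLEMENTATION_SLOT): word(impl)}
    # Only contracts carry bytecode; the deployer key has none.
    code = {MULTISIG: b"\x60\x80\x60\x40", GOOD_IMPL: b"\x60\x80", ROGUE_IMPL: b"\x60\x80"}
    return (lambda a, s: storage.get((a, s), bytes(32)), lambda a: code.get(a, b""))


def weak_setup() -> ProxyReport:
    """Single deployer key holds upgrade rights: the pre-incident configuration."""
    return audit_proxy(VAULT_PROXY, GOOD_IMPL, *make_chain(DEPLOYER_EOA, GOOD_IMPL))


def after_rogue_upgrade() -> ProxyReport:
    """Same weak admin, implementation swapped: what monitoring should catch."""
    return audit_proxy(VAULT_PROXY, GOOD_IMPL, *make_chain(DEPLOYER_EOA, ROGUE_IMPL))


def hardened_setup() -> ProxyReport:
    """Upgrade rights moved to a multisig contract; implementation unchanged."""
    return audit_proxy(VAULT_PROXY, GOOD_IMPL, *make_chain(MULTISIG, GOOD_IMPL))


if __name__ == "__main__":
    for name, rep in [("weak", weak_setup()),
                      ("after upgrade", after_rogue_upgrade()),
                      ("hardened", hardened_setup())]:
        print(f"{name}: {rep.findings or ['no findings']}")
```

The implementation-slot comparison is the cheap detection: poll it per block (or subscribe to the proxy's `Upgraded` event) and alert on any change from the pinned value. The admin check is the preventive one; a multisig or timelock contract as admin means a single phished key cannot push new vault code on its own. For a UUPS-style proxy the upgrade authority lives in the implementation's own storage (typically an owner variable) rather than the admin slot, so that part of the read would need adapting.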
The protocol has since urged its users to revoke all approvals from a set of addresses.
Exploiter is now targeting approvals on vaults, please revoke all approvals to these addresses:
— Concentric.fi (@ConcentricFi) January 22, 2024
