June 13th, 2023
Atlantis Loans was a lending platform based on BNB Chain that was abandoned in April 2023 due to financial difficulties. However, its smart contracts remain active on the blockchain and were exploited in a June 2023 governance attack for an estimated $1 million.
Atlantis Loans used a decentralized governance system where users could create proposals and vote on them. A proposal that received enough votes would be enacted.
The governance attack began with a malicious proposal that granted the attackers control over the project’s contract. Since the project was abandoned and received little attention, the attackers were able to vote for the proposal and push it through.
With control over the contract, the attackers were able to update the contract and insert backdoored code that would allow them to steal user funds. Any users who had granted token approvals to the contract — and not revoked them since — could have funds extracted from their wallets without any further action on their part. In total, the attacker managed to extract an estimated $1 million from the wallets of Atlantis Loans users with active approvals.
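The exposure described above comes from ERC-20 allowances that outlive the protocol. The following added example (not code from the original post or from Atlantis Loans) reconstructs the outstanding allowances granted to a given spender from Approval event logs and builds the `approve(spender, 0)` calldata that revokes them; the token, wallet and "abandoned protocol" addresses and the log entries are constructed.

```python
# Added example: find lingering ERC-20 allowances to an abandoned contract and
# build the revoke calldata. Addresses and logs below are constructed samples.

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

def _topic_to_address(topic: str) -> str:
    # Indexed address arguments are left-padded to 32 bytes inside the topic.
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spenders):
    """Return {(token, owner, spender): allowance} for the latest Approval per
    (token, owner, spender) whose spender is in `spenders` and allowance > 0.
    Logs must be in chain order: a later Approval replaces the earlier one."""
    latest = {}
    for log in logs:
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        owner = _topic_to_address(log["topics"][1])
        spender = _topic_to_address(log["topics"][2])
        latest[(log["address"].lower(), owner, spender)] = int(log["data"], 16)
    risky = {s.lower() for s in spenders}
    return {k: v for k, v in latest.items() if k[2] in risky and v > 0}

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte address + 32-byte zero."""
    addr = spender.lower()[2:].rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + "0" * 64

# Constructed sample: wallet A gave the abandoned contract an unlimited
# allowance, then re-approved 500 tokens; wallet B approved 1 token, then revoked.
ABANDONED = "0x" + "ab" * 20
TOKEN = "0x" + "01" * 20
A = "0x" + "aa" * 20
B = "0x" + "bb" * 20

def _log(owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(value)}

SAMPLE_LOGS = [_log(A, ABANDONED, MAX_UINT256), _log(B, ABANDONED, 10**18),
               _log(A, ABANDONED, 500 * 10**18), _log(B, ABANDONED, 0)]

if __name__ == "__main__":
    for (token, owner, spender), amt in outstanding_allowances(SAMPLE_LOGS, [ABANDONED]).items():
        label = "UNLIMITED" if amt == MAX_UINT256 else str(amt)
        print(f"{owner} -> {spender} on {token}: {label}; revoke: {revoke_calldata(spender)}")
```

Only wallet A is reported, since B's last Approval set the allowance to zero; the printed calldata is what A would send to the token contract to close the exposure.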
The Atlantis Loans hack demonstrates the potential risks of active approvals and decentralized governance for DeFi protocols. Smart contracts running on the blockchain can remain active after being abandoned, and decentralized governance mechanisms can be abused by attackers if legitimate users are not paying attention and voting against malicious proposals. To learn more about best practices for secure DeFi governance, check out our blog.