In August 2023, the Exactly Protocol — a DeFI project based on the Optimism blockchain — was the victim of an attack. The attacker exploited a vulnerability in the protocol’s contracts to steal over $7 million from the project.
Inside the Attack
The Exactly Protocol hack is an example of a hack enabled by weak validation checks. The attacker was able to bypass the permit check on the protocol’s DebtManager periphery contract by providing it with the address of a fake, malicious market contract.
After getting this malicious contract in place, the attacker executed a malicious deposit function that provided access to the funds that users had deposited into the protocol’s contracts. In total, the attacker was able to steal approximately $7.3 million in ETH from the project.
Lessons Learned from the Attack
The Exactly Protocol hacker exploited a loophole in the protocol’s security checks. By identifying and exploiting this loophole, the attacker was able to deploy a malicious contract that drained the protocol’s funds. Unfortunately, the vulnerability exploited by the attacker was not discovered before launch despite the project’s numerous smart contract audits.