📣 Prisma Finance Identifies an $11.6 Million Flaw

Posted 1 Apr 2024
The lending protocol Prisma Finance was compromised due to vulnerabilities in two MigrateTroveZap smart contracts, enabling the theft of funds secured as loan collateral.

MigrateTroveZap smart contracts facilitate the migration of users' debt positions to new TroveManager contracts. Normally, MigrateTroveZap would swiftly close an old loan and establish a new one with the same debt and collateral levels.

However, hackers manipulated the MigrateTroveZap contracts by issuing specially crafted requests, compelling them to settle existing loans and open new ones with less collateral. The perpetrators pocketed the difference.
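The property that was broken here, that a migration leaves debt and collateral unchanged, can be checked after the fact by a monitoring job. The sketch below is an added example, not Prisma's code: the `Migration` record, its field names, the `audit_migrations` helper and the sample values are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Position:
    collateral: Decimal   # collateral token units
    debt: Decimal         # debt token units

@dataclass(frozen=True)
class Migration:          # hypothetical record, one per migrated position
    tx: str
    owner: str            # account whose loan was migrated
    initiator: str        # account that triggered the migration
    before: Position      # position closed on the old TroveManager
    after: Position       # position opened on the new TroveManager

def audit_migrations(migrations, tolerance=Decimal("0")):
    """Flag migrations whose new position differs in debt or collateral."""
    findings = []
    for m in migrations:
        shortfall = m.before.collateral - m.after.collateral
        debt_delta = m.after.debt - m.before.debt
        reasons = []
        if shortfall > tolerance:
            reasons.append("collateral_reduced")
        elif shortfall < -tolerance:
            reasons.append("collateral_increased")
        if abs(debt_delta) > tolerance:
            reasons.append("debt_changed")
        if reasons:
            findings.append({
                "tx": m.tx, "owner": m.owner, "reasons": reasons,
                "collateral_shortfall": max(shortfall, Decimal("0")),
                # Assumption: a migration not started by the owner deserves priority triage.
                "third_party": m.initiator != m.owner,
            })
    return findings

D = Decimal
# Constructed sample data (not taken from the incident).
SAMPLE = [
    Migration("0xtx1", "alice", "alice", Position(D("10"), D("5000")), Position(D("10"), D("5000"))),
    Migration("0xtx2", "bob", "mallory", Position(D("100"), D("40000")), Position(D("40"), D("40000"))),
    Migration("0xtx3", "carol", "carol", Position(D("7"), D("3000")), Position(D("7"), D("3100"))),
]

if __name__ == "__main__":
    for finding in audit_migrations(SAMPLE):
        print(finding)
```

The same comparison, enforced inside the migration path itself rather than in monitoring, would reject the transaction instead of reporting it afterwards.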

Prisma tracked down three accounts involved in this scheme, with one managing to steal about 3,257 ETH, and the other two securing 121 and 52 wstETH, cumulatively leading to an $11.6 million loss.

Immediately upon detecting this flaw, the team suspended the protocol's operations.

Currently, $540,000 in user funds remain at risk, pending the withdrawal of the respective permissions.