DeFi Hack on Exactly Protocol Shows the Sector’s Challenges

The DeFi sector didn’t need more trouble in the summer of ‘23, but got it anyway. Hard on the heels of July’s Curve Finance exploit that revealed flaws in the widely used Vyper programming language, another attack unfolded in August that raises questions about the trustworthiness of DeFi platforms.

The newly introduced Exactly Protocol was hacked for roughly $7 million in ETH on Aug. 18. To understand what happened, let’s walk through how attackers made off with crypto from Exactly’s platform.

First off, let’s define the entities involved in the Exactly hack, so you understand what they do, and how attackers were able to exploit the situation.

What is Exactly Protocol?

To quote its tagline, “Exactly is a decentralized, non-custodial, open-source protocol providing an autonomous fixed and variable interest rate market.”

Let’s break that down.

Exactly is a lending market that allows crypto owners to earn interest by staking their coins with the platform. The project began in July ‘21, and launched to the Ethereum mainnet in November ‘22 as a Layer 2.

Exactly doesn’t take custody of its users’ coins, which continue to reside in their wallets but can’t be spent elsewhere, as they’re committed to Exactly’s lending pools. Exactly’s code is publicly viewable, usable, and modifiable.

Exactly’s flexible model of handling both fixed-rate and variable-rate loans appealed to venture investors, who poured $5 million into the platform across two tranches involving 14 investors, in ‘21 and Jan. ‘23.

Before the exploit in August, Exactly’s code underwent five different audits in ‘23, performed by established firms ABDK and Coinspect.

To speed up transactions for its users, in March ‘23 Exactly integrated a bridge option that makes it faster and cheaper to move funds from Exactly to Ethereum. Their chosen integration is with the Optimism bridge, which is in beta.

What is Optimism Bridge?

Operating directly on Ethereum can be slow and costly, depending on network congestion and gas fees. Optimism is one solution that aims to make ETH transactions faster and cheaper.

It does this by using ‘optimistic’ rollups via smart contracts that bundle sets of transactions together and process them at once. Optimism’s rollups launched in 2019, and its native token was issued in Fall ‘22.

A DeFi hack begins

In the wee hours of Aug. 18, cryptosecurity firm PeckShield first sounded the alarm that Exactly was compromised:

Hours later, De.Fi chimed in with more details, including that a copycat thief had joined in and there were now two drainer contracts.

The estimated value of the amount of ETH stolen varied wildly as the first few days of the exploit unfolded, before settling at $7.6 million.

By Aug. 22, Exactly was offering a 10% bounty for return of funds:

To date, the bounty hasn’t been claimed, and the funds are still outstanding. A small amount of the stolen crypto–$600,000 worth–was successfully frozen on centralized exchanges.

As a result of the theft, the total value locked on Exactly cratered from $37 million to under $12 million in early September. The value of Exactly’s native token, EXA–which earlier in August, shortly after its debut, was trading at nearly $12 a share–also imploded. In early September, EXA was worth around $1.60.

Exactly released a detailed incident post-mortem explaining what happened on Aug. 30.

How did the Exactly DeFi hack work?

How was Exactly compromised? Exactly traced the vulnerability back to flaws in a peripheral contract, as Exactly’s team explained:

“The root cause of this compromise was traced back to vulnerabilities within the DebtManager peripheral contract — a feature designed to help users leverage and deleverage positions in Exactly’s Markets. A combination of inadequate design on the input validation mechanisms and unchecked permit schemes paved the way for attackers to exploit the system.”

The input validation problem was actually introduced back in March ‘23, Exactly’s research found. However, it wasn't possible to exploit the weakness until a new permit feature was added on July 12 that allowed a signed message to approve transactions, rather than requiring an approval in a prior transaction.

In addition, through a flaw in the Market contract, the attacker was also able to manipulate and reduce a market’s share value by taking out substantial fixed-interest loans from one of Exactly’s fixed-rate loan pools. Manipulating the share value made the victim’s collateral sink lower than its debt. Liquidating the victim’s account restored the balance, allowing the attacker to repeat the process over and over with subsequent wallets.

This market contract had been previously audited, Exactly’s report noted.

Exactly operates a fairly complex platform offering both fixed-rate and variable-rate loans, with the opportunity to leverage existing stakes to borrow. The leverage/deleverage feature used to borrow against collateral and repay loans was also exploited in the hack.

Executing the theft was a 7-step process that targeted four markets with tokens available to be spent by the DebtManager contract: $USDC, $WETH, $wstETH, and $OP. Here’s how it went:

1. A malicious Market address calls DebtManager’s leverage function. The value of the permit’s account field is the victim’s wallet address.
2. DebtManager makes an external call to the malicious Market’s deposit function.
3. The attacker creates and adds liquidity to a Uniswap pool, setting up a fake market. The malicious  deposit function calculates how much crypto can be withdrawn from the victim’s wallet. Then, the attacker re-enters DebtManager’s crossDeleverage with a real USDC market as the marketIn and its own fake market as the marketOut. This setup will allow the attacker to withdraw real USDC and swap it with imaginary coins from its fraudulent pool.
4. Now operating on behalf of the victim’s account, the DebtManager’s crossDeleverage swaps the victim’s funds with the fake tokens in the Uniswap pool.  
5. The attacker transfers the victim’s funds to their attack contract.
6. After the swap, the victim’s collateral and debt are nearly even (in other words, their Health Factor is slightly above 1). The attacker then reduces the victim’s collateral by taking out two quickly repaid flash loans from adjacent pools, totaling roughly 250,000 coins. This action leaves the victim’s wallet undercollateralized relative to their debt.
7. Finally, to rebalance the account, the attacker liquidates a portion of the victim’s account ostensibly to pay off debt, but in reality pocketing some coins. If the victim still has a positive balance, the attacker can repeat the cycle, continuing to withdraw coins until the wallet is drained. Then the attacker moves on to additional victims.

Who was harmed by the attack on Exactly?

To its credit, Exactly was transparent about how many platform users were targeted in the exploit. In all, 117 users had funds stolen. The biggest losers were two whales with large stakes who each lost over $1.5 million.

Together, the top-ten largest wallets targeted lost 84% of the entire $7.6 million stolen, Exactly noted. Losses in the other wallets were mostly far smaller amounts.

Next steps for Exactly to increase DeFi security

In the wake of this hack and its substantial losses, the Exactly team said it is instituting changes to how it operates. It will now audit all peripheral contracts that interact with its app, instead of just its main protocol. Exactly pledges that in future, no unaudited feature will be available on its app.

The protocol also announced intentions to increase its bug bounty program. Exactly also plans to announce additional new security measures in coming days.

Red flags of vulnerability

How could crypto users have avoided falling victim to the Exactly attack? There are several factors here that users should always be wary of.

A new platform + a new bridge

Exactly’s protocol was less than a year old when this attack occurred. It takes time to fully harden a new platform’s code and discover all the vulnerabilities. Simply waiting for Exactly to acquire more of a track record could have kept users out of this mess.

It’s also notable that the bridge integration Exactly chose, Optimism, was itself a fairly new project.

Inadequate DeFi audits

A look at Exactly’s audit records reveals that while it did many audits, most of the ones performed in ‘23 reviewed just one specific feature, the RewardsController. Meanwhile, updates and additions to other platform features may have occurred since more comprehensive audits were performed in the previous year. In its own review and action plan, Exactly noted that peripheral contracts weren’t included in its earlier audits.

Users may be too easily reassured to see the logos of known crypto audit firms on a project’s website. To protect your crypto, dig deeper into the details around exactly what was audited, to find out how comprehensive audits were and whether all code was reviewed.

Are there smart contracts that weren’t part of the audit? Look for smart contract audits that include all the contracts that interact with the platform.

Cross-chain transactions increase risk

Bridges and other intermediary venues that enable users to move between crypto ecosystems have been fraught with problems. Operating within one ecosystem such as Ethereum or Bitcoin, is one way to limit risk.  

Avoid DeFi hacks with a cautious approach

Clearly, the DeFi sector still has a ways to go to build trust and secure assets on its platforms. DeFi is one of web3’s core use cases, so seeing DeFi platforms getting compromised raises majority security concerns. To fulfill its promise of serving the unbanked or those with limited access to capital while upholding anonymity, DeFi platforms will need to demonstrate they are reliable and secure.

Clearly, we’re not there yet–and as long as DeFi hacks keep occurring on a regular basis, mass adoption of DeFi is stymied.

Perhaps Lindy Han–who’s Asia-Pacific head of business development for the bridge and DEX aggregation tool LI.FI–said it best, among observers who weighed in on social media after the Exactly hack: