Seneca Protocol suffered a significant security breach that led to a dramatic 65% drop in the value of its native SEN token.
According to CertiK, the attacker initially exploited a vulnerability in the protocol to steal around $3 million worth of digital assets. The attacker transferred 1,000 ETH across two externally owned accounts (EOAs), escalating the estimated loss to approximately $6.4 million.
The core of the vulnerability was a function in the Seneca protocol’s smart contract code named ‘performOperations’. The function was open to external calls, meaning anyone could trigger it, and it lacked proper validation of the inputs it received.
The absence of input validation is a significant security oversight in smart contract development.
The attacker crafted specific data, sent it to this function, and triggered a condition that allowed them to invoke any other contract on the blockchain with arbitrary data. This highly dangerous capability gives an attacker free rein to interact with other contracts while posing as the vulnerable one. The attacker then transferred assets from addresses that had previously authorized the now-vulnerable contracts.
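The missing validation described above can be illustrated with a guarded call dispatcher. This is an added example, not Seneca's code: the contract name `GuardedDispatcher`, the `performCall` function and the allowlist are hypothetical, and only the two ERC-20 selectors are real values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: a hypothetical dispatcher, not Seneca's contract.
contract GuardedDispatcher {
    address public immutable owner;
    // Targets the protocol has explicitly vetted for external calls.
    mapping(address => bool) public allowedTarget;

    // ERC-20 selectors that spend or grant allowances on third-party funds.
    bytes4 private constant TRANSFER_FROM = 0x23b872dd; // transferFrom(address,address,uint256)
    bytes4 private constant APPROVE = 0x095ea7b3;       // approve(address,uint256)

    error NotOwner();
    error TargetNotAllowed(address target);
    error SelectorBlocked(bytes4 selector);
    error CallFailed();

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedTarget[target] = allowed;
    }

    /// Without the checks below, `target.call(data)` would run with this
    /// contract as msg.sender, so any caller could spend allowances that
    /// users had granted to this contract.
    function performCall(address target, bytes calldata data)
        external
        returns (bytes memory result)
    {
        // 1. Only call contracts the protocol has vetted.
        if (!allowedTarget[target]) revert TargetNotAllowed(target);
        // 2. Require a full selector and reject allowance-spending functions.
        if (data.length < 4) revert SelectorBlocked(bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (selector == TRANSFER_FROM || selector == APPROVE) {
            revert SelectorBlocked(selector);
        }
        bool ok;
        (ok, result) = target.call(data);
        if (!ok) revert CallFailed();
    }
}
```

The target allowlist is the primary control; the selector check is a second layer, and token contracts that users have approved should never be placed on the allowlist.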
Seneca (SEN) operates as an omnichain Collateral Debt Position protocol for yield-bearing assets. Users can use supported collateral assets to borrow the collateralized stablecoin, senUSD. The SEN token has various utilities, including governance, trading tax redistribution, and protocol fee redistribution through staking.