Delta Prime DeFi hacker exploited token minting bug, managed to drain $6M

• Hacker exploited Delta Prime’s upgrade function to mint massive tokens.
• Over $6M in assets were stolen, including Bitcoin, Ether, and stablecoins.
• Attack exposes risks of upgradable contracts in decentralized finance.

Delta Prime, a DeFi platform operating on the Arbitrum network, has fallen victim to a major cyberattack where a hacker exploited a vulnerability in the platform’s token minting system, successfully draining over $6 million from its liquidity pools.

The breach began when the attacker gained control of Delta Prime’s admin account, likely by stealing the developer’s private key.

How the Delta Prime hack unfolded

With access to the admin wallet, the hacker used the platform’s upgrade function to modify several liquidity pool contracts. These contracts were linked to proxy addresses, a mechanism designed to allow developers to implement software upgrades.

However, instead of upgrading the software, the attacker pointed the contracts to malicious versions that allowed them to mint arbitrarily large numbers of tokens.

According to blockchain data provided by block explorer Arbiscan, the hacker initially minted over 115 duovigintillion Delta Prime USD (DPUSDC) tokens, an astronomical figure represented as 1.1*10^69 in scientific notation.

DPUSDC serves as a deposit receipt token for the USDC stablecoin, intended to be redeemed at a 1:1 ratio.

Despite minting a massive amount of DPUSDC, the hacker redeemed only $2.4 million worth of USDC.

The same exploit was applied to other deposit receipt tokens, including Delta Prime Wrapped Bitcoin (DPBTCb), Delta Prime Wrapped Ether (DPWETH), and Delta Prime Arbitrum (DPARB). The attacker minted massive quantities of these tokens and redeemed a small fraction, ultimately stealing over $6 million in assets, including Bitcoin, Ether, Arbitrum, and USDC.

Cyvers, an on-chain security platform, was one of the first to report the attack, warning that the losses were initially $4.5 million but quickly escalated as the hacker continued draining pools.

🚨ALERT🚨@DeltaPrimeDefi has faced a security incident on their admin keys.
Attacker had control on the private key of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb
then he upgraded the proxy!

So far $5.93M has been drained!

Want to keep your company off our alerts radar? Learn… https://t.co/yOmNZJyp5l pic.twitter.com/lztFvXVmfI

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 16, 2024

Blockchain security specialist Chaofan Shou later confirmed that the total theft had reached approximately $6 million.

Delta Prime @DeltaPrimeDefi admin private key leaked. All pools are drained. $7M loss already. Withdraw ASAP!https://t.co/uNn5nZoHp3 pic.twitter.com/se3RebRjpX

— Chaofan Shou (@shoucccc) September 16, 2024

This incident underscores the risks associated with upgradable contracts in the DeFi ecosystem. Although upgradable contracts allow developers to fix bugs post-deployment, they introduce a centralization risk if an admin account is compromised, as seen in the Delta Prime hack.

The attack on Delta Prime is part of a growing trend of high-profile DeFi breaches, with experts warning that future targets could include even larger institutions, such as Bitcoin exchange-traded funds (ETFs), which hold billions in digital assets.