23 July 2024 Incident Post-Mortem

On July 23, 2024, at approximately 3:00 PM UTC, an attack targeted Spectra's router contract.

The attacker managed to hijack user transactions, resulting in a loss of around 168 ETH. The attack occurred on Ethereum Mainnet. Our team's swift reaction limited the impact to a total of 4 wallets.

The core protocol contracts remain unaffected, and the funds inside them are safe.
The Spectra App (https://app.spectra.finance/) was reinstated on the morning of July 24th (CET) and is safe to use.

Technical Breakdown of the Vulnerability

The incident resulted from the exploitation of a command in the routing utility contract. This command allowed Spectra users to enter and exit the pool with a token of their choice. After prompting users to leave the pool, the attacker exploited this command to sweep funds once a user had unknowingly approved the transaction on the router.

Incident Response

A suspicious Discord user, believed to be the attacker, started making false claims about issues with Spectra's YT token contracts to prompt users to withdraw funds. Those who attempted to withdraw were required to approve the transaction first, making them vulnerable to the attack.

Upon identifying the attack vector, our team promptly activated an incident response plan, disabling the Spectra App and terminating router contracts that enabled the attacker to hijack transactions.

As a precaution, Principal Token contracts were paused, preventing token exchanges at Curve's pool level (Spectra's primary AMM). The contracts were unpaused at approximately 9 PM UTC the very same day.

The attacker's wallet, to which the stolen funds were transferred: https://etherscan.io/address/0x53635bf7b92b9512f6de0eb7450b26d5d1ad9a4c

Recovery Efforts

Spectra's top priority is recovering affected users' funds. Authorities and relevant third parties, including leading exchanges and industry-leading security teams, have been contacted for their support and expertise in tracing and recovering funds.

We have also sent the hacker an on-chain message, offering to close the case if they return 90% of the stolen funds:

If you are an affected wallet holder, please complete the following form so we can contact you directly:

Spectra’s Safety

In an environment where it is technically impossible to foresee all potential sources of attacks, we are doing our utmost to guarantee the highest level of security through regular external audits of our contracts and the use of best practices. We continue collaborating with security experts to resolve this situation and provide community updates via Twitter and Discord as we progress.

If you have any information that would help resolve this case, please get in touch with the Spectra team via incidentresponse@spectra.finance

We appreciate everyone's support!
