Teller Finance v2 Falls to Delegatecall Exploit in Latest DeFi Security Breach

The decentralized lending platform Teller Finance suffered a significant security breach on June 9, 2025, after attackers exploited an unsafe delegatecall vulnerability in its proxy contract architecture. The incident adds to a brutal month for DeFi security, with June 2025 losses estimated at over $114 million across 11 confirmed on-chain exploits.

The Exploit Mechanics

The attack vector centered on a classic but devastating smart contract vulnerability: an unprotected delegatecall within Teller Finance v2’s proxy contract. delegatecall is an EVM instruction, exposed in Solidity as address.delegatecall, that runs another contract’s code in the calling contract’s storage context, so every storage write the callee makes lands in the caller’s storage. When the proxy neither restricts who can reach that path nor validates what code it points to, an attacker can supply calldata that the proxy executes as if it were its own code.

According to blockchain investigators, the attacker identified that Teller’s proxy pattern failed to validate the origin and content of calldata passed through the delegate mechanism. By crafting specific function calls, the attacker was able to manipulate storage slots in the proxy contract, effectively granting themselves elevated permissions within the protocol’s lending markets.

The exploit unfolded in a series of carefully sequenced transactions. The attacker first established a foothold by interacting with the vulnerable delegatecall pathway, then escalated access by modifying critical storage variables that controlled collateral requirements and withdrawal limits. With these parameters altered, the attacker proceeded to drain funds from Teller’s lending pools across multiple asset types.

This attack pattern mirrors similar delegatecall exploits seen across the DeFi ecosystem. The vulnerability class remains one of the most dangerous in Solidity programming because it operates at the storage layer, making it difficult to detect through surface-level code review without understanding the full proxy inheritance chain.

Affected Systems

The breach impacted Teller Finance v2’s decentralized application, which facilitates uncollateralized and undercollateralized lending through a peer-to-peer marketplace model. The protocol operates primarily on Ethereum and several Layer 2 networks, connecting lenders with borrowers through smart contract-managed loan terms.

The compromised proxy contract served as a core architectural component, handling upgrade logic that allowed the protocol to iterate on its lending engine without requiring users to migrate positions. Ironically, this upgrade mechanism — designed to improve the protocol — became the vector for its compromise.

Market conditions at the time of the exploit saw Bitcoin trading at approximately $110,294 and Ethereum at $2,681, with the broader crypto market capitalization exceeding $3.3 trillion. The strong market environment meant that lending pools on Teller held substantial value, making the protocol an attractive target for sophisticated attackers.

The Mitigation Strategy

Following the exploit, the Teller Finance team took immediate action to contain the breach. The affected contracts were paused to prevent further fund extraction, and the team began coordinating with on-chain investigators and security firms to trace the stolen assets.

The mitigation approach for delegatecall vulnerabilities follows a well-established pattern in DeFi security. First, the proxy must implement strict access controls on which addresses can trigger delegate execution. Second, calldata passed through delegate calls must be validated against an allowlist of recognized function signatures. Third, storage slot layouts between proxy and implementation contracts must be carefully managed to prevent unintended overwrites.

Security researchers note that the OpenZeppelin proxy library provides battle-tested implementations that handle these edge cases correctly. Protocols that build custom proxy patterns without inheriting these protections remain vulnerable to the same class of attack.
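The unprotected delegatecall shape described under The Exploit Mechanics, beside a proxy that applies the three controls listed above, as an added Solidity illustration. This is not Teller Finance’s code; the contract names, the allowlist namespace and the storage layout are assumptions, while the two ERC-1967 slot constants are the standard’s published values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Teller Finance's code. Contract names, the
// allowlist namespace and the storage layout are assumptions.

// VULNERABLE shape. Two defects of the kind the text describes:
//  - upgradeTo() has no access control, so anyone can repoint the proxy;
//  - owner and implementation sit in ordinary slots 0 and 1, which the
//    first two variables of any delegatecalled implementation alias, so
//    forwarded code can silently overwrite them.
contract UnsafeProxy {
    address public owner;           // slot 0
    address public implementation;  // slot 1

    constructor(address impl) {
        owner = msg.sender;
        implementation = impl;
    }

    function upgradeTo(address newImpl) external {
        implementation = newImpl;   // missing: require(msg.sender == owner)
    }

    fallback() external payable {
        // Every selector is forwarded, nothing is validated.
        (bool ok, ) = implementation.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// HARDENED shape applying the three controls in order:
// (1) admin-only upgrade path, (2) selector allowlist, (3) ERC-1967 slots.
contract HardenedProxy {
    // (3) ERC-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and
    // keccak256("eip1967.proxy.admin") - 1. Their pseudo-random positions
    // cannot be aliased by an implementation's sequentially numbered variables.
    bytes32 private constant IMPL_SLOT  = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    bytes32 private constant ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;
    // Assumed namespace for the allowlist, derived the same way so it does
    // not collide with the implementation's layout either.
    bytes32 private constant ALLOW_SLOT = keccak256("example.proxy.allowlist");

    event Upgraded(address indexed implementation);

    constructor(address impl, bytes4[] memory selectors) {
        _store(ADMIN_SLOT, bytes32(uint256(uint160(msg.sender))));
        _store(IMPL_SLOT, bytes32(uint256(uint160(impl))));
        for (uint256 i = 0; i < selectors.length; i++) _setAllowed(selectors[i], true);
    }

    // (1) only the admin may change where delegatecall goes
    modifier onlyAdmin() {
        require(msg.sender == address(uint160(uint256(_load(ADMIN_SLOT)))), "not admin");
        _;
    }

    function upgradeTo(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "not a contract");
        _store(IMPL_SLOT, bytes32(uint256(uint160(newImpl))));
        emit Upgraded(newImpl);
    }

    function setAllowed(bytes4 selector, bool ok) external onlyAdmin {
        _setAllowed(selector, ok);
    }

    // (2) forward only recognised function selectors
    fallback() external payable {
        require(msg.data.length >= 4 && _isAllowed(msg.sig), "selector not allowed");
        address impl = address(uint160(uint256(_load(IMPL_SLOT))));
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
        assembly { return(add(ret, 32), mload(ret)) }
    }

    // Raw slot helpers: the proxy declares no ordinary state variables at all.
    function _load(bytes32 slot) private view returns (bytes32 v) { assembly { v := sload(slot) } }
    function _store(bytes32 slot, bytes32 v) private { assembly { sstore(slot, v) } }
    function _allowKey(bytes4 s) private pure returns (bytes32) { return keccak256(abi.encode(s, ALLOW_SLOT)); }
    function _setAllowed(bytes4 s, bool ok) private { _store(_allowKey(s), ok ? bytes32(uint256(1)) : bytes32(0)); }
    function _isAllowed(bytes4 s) private view returns (bool) { return _load(_allowKey(s)) != bytes32(0); }
}
```

Two practical notes on the hardened form. The proxy’s own admin functions (upgradeTo, setAllowed) must not share a four-byte selector with any implementation function, otherwise the admin can never reach the implementation’s version of that call; OpenZeppelin’s transparent proxy solves this by routing the admin’s calls differently from everyone else’s. And controls (1) and (3) are exactly what the OpenZeppelin ERC1967Proxy and TransparentUpgradeableProxy contracts already implement, so a protocol that inherits them gets those two for free and only has to decide whether it also wants the selector allowlist.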

Lessons Learned

The Teller Finance incident reinforces several critical security principles for DeFi protocols. Proxy patterns, while essential for upgradeable contracts, introduce a fundamentally different threat model compared to immutable deployments. Every additional layer of indirection — proxy contracts, delegate calls, implementation swaps — creates new attack surfaces that require rigorous auditing.

The exploit also highlights the importance of comprehensive storage gap patterns. When implementation contracts add new storage variables in upgrades, the proxy contract’s storage layout must remain compatible. Failure to maintain this compatibility can expose storage slots to manipulation through delegatecall paths.
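The storage gap convention described above, as an added Solidity illustration (not Teller Finance’s code; contract and variable names are assumptions, the slot numbers in the comments are what the compiler assigns). It shows a correct upgrade that keeps the layout stable next to the broken upgrade that shifts every later slot:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Teller Finance's code. Contract and variable
// names are assumptions; the slot numbers are what the compiler assigns.

// Version 1. The base module reserves 50 slots in total (admin + 49 gap)
// so later versions can grow it without moving anything declared after it.
abstract contract AccessModuleV1 {
    address internal admin;          // slot 0
    uint256[49] private __gap;       // slots 1..49 reserved
}

contract LendingV1 is AccessModuleV1 {
    uint256 public collateralRatio;  // slot 50
    uint256 public withdrawalLimit;  // slot 51

    // Reports the slot the compiler assigned, for checking layouts in tests.
    function collateralRatioSlot() external view returns (uint256 s) { assembly { s := collateralRatio.slot } }
}

// Correct upgrade: one new uint256 in the base module, gap shrunk by one.
// (A full-width type is used so it cannot pack into admin's slot.)
abstract contract AccessModuleV2 {
    address internal admin;          // slot 0
    uint256 internal pausedUntil;    // slot 1 (new)
    uint256[48] private __gap;       // slots 2..49 reserved
}

contract LendingV2 is AccessModuleV2 {
    uint256 public collateralRatio;  // slot 50, unchanged
    uint256 public withdrawalLimit;  // slot 51, unchanged
    uint256 public liquidationBonus; // slot 52, appended only

    function collateralRatioSlot() external view returns (uint256 s) { assembly { s := collateralRatio.slot } }
}

// Broken upgrade: same new field, but the gap was left at 49 entries.
// Everything below shifts by one slot: collateralRatio now reads the value
// that V1 stored as withdrawalLimit, and withdrawalLimit reads an empty slot.
// Behind a proxy this is exactly the layout drift the text warns about.
abstract contract AccessModuleBroken {
    address internal admin;          // slot 0
    uint256 internal pausedUntil;    // slot 1
    uint256[49] private __gap;       // slots 2..50 (should be 48 entries)
}

contract LendingBroken is AccessModuleBroken {
    uint256 public collateralRatio;  // slot 51 (was 50)
    uint256 public withdrawalLimit;  // slot 52 (was 51)

    function collateralRatioSlot() external view returns (uint256 s) { assembly { s := collateralRatio.slot } }
}
```

The slot reporters exist only so a test can assert that LendingV1 and LendingV2 agree on slot 50 while LendingBroken does not; in practice the same check comes from the compiler’s storage layout output (solc --storage-layout, or forge inspect with the storage-layout option), diffed between the old and new implementation before any upgrade transaction is sent.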

For users, the incident underscores the risk-reward calculus of depositing funds into upgradeable protocols. While upgradeability allows teams to patch bugs and add features, it also means that a single misconfiguration in the upgrade mechanism can compromise the entire system.

User Action Required

If you had funds deposited in Teller Finance v2 at the time of the exploit, monitor the protocol’s official communication channels for reimbursement announcements. Revoke any outstanding token approvals to Teller’s compromised contracts using tools like Revoke.cash or Etherscan’s token approval checker. Review your wallet transaction history for any unauthorized interactions with the affected contracts. Moving forward, when evaluating DeFi protocols, verify that proxy implementations follow established security standards such as ERC-1967, and check whether the protocol has undergone audits specifically covering its upgrade mechanism.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

7 thoughts on “Teller Finance v2 Falls to Delegatecall Exploit in Latest DeFi Security Breach”

1. hODL_or_die
   permissionless lending is powerful but this exploit proves composability without security review is just a vulnerability multiplier

2. delegate_inspect
   unsafe delegatecall is literally in the Solidity docs under things to avoid. how does this still happen in 2025?

3. over $114M lost in June 2025 alone. delegatecall exploits are preventable with basic access control patterns
