The decentralized finance ecosystem faced another significant security incident on March 28, 2024, as Prisma Finance, an Ethereum-based liquid restaking protocol, fell victim to a sophisticated exploit targeting its migration helper contract. The attack resulted in the loss of approximately 3,479 ETH, valued at roughly $12 million at the time of the incident, with Bitcoin trading near $70,745 and Ethereum at $3,561.
The Exploit Mechanics
The vulnerability resided in the MigrateTroveZap contract, a special-purpose helper built to migrate user Trove positions from deprecated TroveManager contracts to new ones. The contract used a flash loan to close an old Trove and immediately open a new one with equivalent collateral and debt in a single atomic transaction. However, insufficient input validation in the onFlashloan() function meant the callback accepted attacker-controlled input data and executed behavior the helper was never intended to perform.
The primary exploiter initiated the attack at 11:25 UTC on March 28, exploiting the lack of proper parameter checks to close a Trove owner’s position, withdraw the collateral in wstETH, and reopen the Trove with the same debt denominated in mkUSD but significantly less collateral. The attacker pocketed the difference. Two copycat exploiters followed, extracting an additional 121 and 52 wstETH respectively.
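The kind of callback hardening the article's account points to, as an added illustration that is not Prisma's code: a hypothetical migration zap whose flash loan callback only accepts calls from its lender, for loans it initiated itself, carrying exactly the parameters its own migrate() entry point encoded, with the migrated account fixed to the caller rather than taken from input data. IFlashLender, IBorrowerOps, the IERC20 method, and the Params struct are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not Prisma's code. IFlashLender, IBorrowerOps,
// their function names and the Params struct are assumptions for this example.
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data) external;
}
interface IERC20 { function approve(address spender, uint256 amount) external returns (bool); }
interface IBorrowerOps {
    function closeTrove(address troveManager, address account) external;
    function openTrove(address troveManager, address account, uint256 collateral, uint256 debt) external;
}

contract HardenedMigrateZap {
    IFlashLender public immutable lender;
    IBorrowerOps public immutable borrowerOps;
    // Hash of the parameters encoded by migrate(); the callback honours nothing else.
    bytes32 private pending;

    struct Params { address account; address oldManager; address newManager; uint256 collateral; uint256 debt; }

    constructor(IFlashLender _lender, IBorrowerOps _ops) { lender = _lender; borrowerOps = _ops; }

    // Entry point the Trove owner calls. The account being migrated is msg.sender,
    // never a free parameter, so delegate approval cannot be turned on someone else's Trove.
    function migrate(address oldManager, address newManager, address debtToken, uint256 collateral, uint256 debt) external {
        bytes memory data = abi.encode(Params(msg.sender, oldManager, newManager, collateral, debt));
        pending = keccak256(data);
        lender.flashLoan(address(this), debtToken, debt, data);
    }

    // Flash loan callback. The weak form accepted any caller and trusted `data` as given;
    // the hardened form pins the caller, the initiator and the exact parameters.
    function onFlashloan(address initiator, address debtToken, uint256 amount, uint256 fee, bytes calldata data) external returns (bytes32) {
        require(msg.sender == address(lender), "caller is not the lender");
        require(initiator == address(this), "loan not initiated by this contract");
        require(pending != bytes32(0) && keccak256(data) == pending, "data not produced by migrate()");
        delete pending; // consume the ticket so the callback cannot be replayed within the loan
        Params memory p = abi.decode(data, (Params));
        // Close on the old manager and reopen with the full collateral and debt on the new one.
        borrowerOps.closeTrove(p.oldManager, p.account);
        borrowerOps.openTrove(p.newManager, p.account, p.collateral, p.debt);
        // Let the lender pull back principal plus fee.
        IERC20(debtToken).approve(address(lender), amount + fee);
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }
}
```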
Affected Systems
The exploit specifically targeted Prisma Finance vault owners who had previously granted delegate approval to the MigrateTroveZap contract via setDelegateApproval on the BorrowerOperations contract. Both the mkUSD and ULTRA versions of the migration contract were affected. The attack triggered an immediate market reaction: the mkUSD stablecoin deviated from its dollar peg, trading at $0.98968, while the PRISMA governance token plunged more than 25% to as low as $0.24 before recovering slightly to $0.3024.
Total value locked on the protocol experienced a dramatic 40% decline, falling from $236 million on March 27 to $143 million in the aftermath of the exploit. Blockchain security firms Beosin and Cyvers Alert provided real-time analysis, with Cyvers noting that Prisma’s delayed response in pausing the contract allowed the attacker to siphon an additional $1 million beyond initial estimates.
The Mitigation Strategy
Prisma Finance’s emergency multisig intervened by pausing the protocol’s operations, preventing further exploitation. The team issued urgent guidance for all vault owners to revoke any active approvals for the MigrateTroveZap contract on both LST and LRT positions. The protocol confirmed that mkUSD and ULTRA stablecoins remained overcollateralized and were not at fundamental risk, despite the temporary depegging.
In an unusual turn of events, the primary exploiter later contacted the Prisma team claiming to be a white-hat hacker and expressed willingness to return the stolen funds, demanding a public apology from the protocol. This pattern of post-exploit negotiation has become increasingly common in the DeFi space.
Lessons Learned
The Prisma Finance incident underscores several critical security considerations for DeFi protocols undergoing major migrations or upgrades. First, migration helper contracts that require delegate approvals from users represent a significant trust surface that demands the same level of security auditing as core protocol contracts. The vulnerability existed in a supplementary contract deployed as part of a governance-approved upgrade, highlighting that even well-intentioned system improvements can introduce exploitable flaws.
Second, the speed of incident response directly impacts total losses. The roughly 10-minute delay between initial detection and protocol pause enabled additional fund extraction. Protocols should implement automated circuit breakers that can halt suspicious activity without requiring multisig consensus.
Third, the phishing surge that followed the exploit demonstrates that attackers exploit user confusion during crises. Protocol teams must have pre-established communication channels and anti-phishing measures ready before incidents occur.
User Action Required
Any Prisma Finance users who interacted with the MigrateTroveZap contract should immediately revoke all approvals granted to both the mkUSD and ULTRA versions of the contract. Users should verify revocation through on-chain tools and avoid connecting wallets to any links shared in unofficial channels. The broader DeFi community should treat delegate approvals with the same caution as unlimited token approvals, regularly reviewing and revoking unnecessary permissions across all protocols.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before interacting with any DeFi protocol.

A 40% TVL drop in such a short time shows how fragile trust is in these new protocols. I was lucky I didn’t migrate my Trove yet. PRISMA dropping 25% makes it a tough hold right now, especially with copycats lurking around.
The 25% PRISMA token dump was a gift for short sellers. But man, seeing that much ETH gone because of one contract vulnerability is a wake-up call for all of us. Security needs to be the top priority, not just growth.
25% dump on the PRISMA token was the market telling you the team failed at basic diligence. Migration contracts are where all the edge cases live.
Flash loan manipulation on a migration contract is a classic move, but seeing 3,479 ETH vanish so quickly is brutal. The mkUSD depeg to $0.98 is the real concern for those of us using it as collateral. Hope the white-hat claim holds water and we see a recovery.
mkUSD at 0.98 is small potatoes compared to what happens when the cascade hits other vaults using it as collateral. The contagion risk was the real threat.
Seeing mkUSD slip below its peg is scary. I thought Prisma was one of the safer ones. This exploit just proves that ‘migration’ is often the most dangerous time for any DeFi project. Staying in blue chips for a while.
Everyone calling themselves a white-hat after draining $12M is getting old. If you want to help, disclose the bug before exploiting it. That MigrateTroveZap contract clearly wasn’t audited enough for flash loan edge cases.