On November 11, 2024, DeltaPrime, a decentralized borrowing protocol operating across Arbitrum and Avalanche, suffered a devastating exploit resulting in approximately $4.8 million in losses. The attack, which unfolded across two blockchain networks simultaneously, leveraged a sophisticated combination of unchecked input vulnerabilities that allowed the attacker to drain liquidity pools through a carefully orchestrated flash loan strategy. With Bitcoin trading near $80,474 at the time, the exploit sent ripples through the DeFi community, raising urgent questions about the security of cross-chain lending protocols.
The Exploit Mechanics
The attacker executed a two-pronged assault exploiting separate vulnerabilities within DeltaPrime’s smart contract architecture. The first vulnerability involved an unchecked input parameter in the protocol’s swap adapter mechanism. The attacker initiated the attack by flash-loaning 59.9 ETH on Arbitrum and depositing it as collateral into DeltaPrime. They then borrowed 1.18 WBTC against this collateral. Through the swap adapter, the attacker transferred the borrowed WBTC to a separate attack contract at address 0x52ee, while the internal _repayAmount remained unchanged at zero. This meant the attacker obtained 1.12 WBTC while their original 59.9 ETH collateral remained locked in the protocol.
The second vulnerability proved even more damaging. Within DeltaPrime’s TraderJoeV2ArbitrumFacet contract, the claimReward() function accepted an arbitrary external contract address as its pair parameter. The attacker passed their own malicious contract address, which triggered a callback to the wrapNative() function in contract 0x647b. This function wrapped the attacker’s ETH collateral into WETH, causing the WETH balance of the contract to change. The reward mechanism then calculated a “reward” of 59.9 ETH based on this balance change, effectively returning the attacker’s full collateral on top of the already-stolen borrowed assets.
Affected Systems
The Avalanche network bore the brunt of the attack, with approximately $4.1 million drained from DeltaPrime’s Avalanche deployment. The attacker aggregated stolen funds into address 0xd3d535141831F6Bd8B7DF92E2AE0463D60Af2413. Rather than immediately cashing out, the attacker staked a significant portion of the proceeds across multiple protocols. Approximately $600,000 in Stargate USDC, $518,000 in USDC/USDT on LFJ (formerly Trader Joe), along with 4,865 AVAX, 49.68 WETH.e, and 6.34 BTC.b were distributed across DeFi positions. The attacker retained approximately 69,401 AVAX, valued at roughly $2.2 million at the time.
On Arbitrum, approximately $753,000 was taken. The funds were initially consolidated in contract 0x52EE5c0eA2E7b38D4B24c09D4d18cba6C293200E, with 16 ETH split to a secondary address. A portion of 2.96 WBTC, valued at approximately $242,000, was bridged to the Ethereum mainnet.
The Mitigation Strategy
The DeltaPrime exploit highlights a critical failure in input validation that should have been caught during routine security audits. The fix requires implementing strict whitelist checks on all external contract addresses passed as parameters to critical functions. The pair parameter in claimReward() should only accept verified, known contract addresses rather than allowing arbitrary external calls. Similarly, the swap adapter must enforce that borrowed assets cannot be redirected to attacker-controlled addresses without proper validation of the recipient.
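The allowlist check on the pair parameter described above, written out as an added Solidity example; it is not DeltaPrime's code. The contract name, the IRewardPair interface with its claim() hook, and the owner-managed approval mapping are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not DeltaPrime's code. All names below are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IRewardPair {
    // Hypothetical reward hook; a real pair's interface will differ.
    function claim(address user) external;
}

contract RewardClaimFacet {
    address public immutable owner;
    IERC20 public immutable rewardToken;
    mapping(address => bool) public isApprovedPair;

    error NotOwner();
    error PairNotApproved(address pair);

    event PairApprovalSet(address indexed pair, bool approved);
    event RewardClaimed(address indexed pair, uint256 amount);

    constructor(IERC20 _rewardToken) {
        owner = msg.sender;
        rewardToken = _rewardToken;
    }

    // Only the owner (in practice a timelock or multisig) edits the allowlist.
    function setPairApproval(address pair, bool approved) external {
        if (msg.sender != owner) revert NotOwner();
        isApprovedPair[pair] = approved;
        emit PairApprovalSet(pair, approved);
    }

    // Weak form described in the article: `pair` is used without this check,
    // so the callee decides what happens between the two balance reads.
    function claimReward(address pair) external returns (uint256 reward) {
        // Reject unknown pairs before any external call is made.
        if (!isApprovedPair[pair]) revert PairNotApproved(pair);

        uint256 balanceBefore = rewardToken.balanceOf(address(this));
        IRewardPair(pair).claim(address(this));
        // The balance delta counts as a reward only because the callee is known.
        reward = rewardToken.balanceOf(address(this)) - balanceBefore;
        emit RewardClaimed(pair, reward);
    }
}
```

The same pattern applies to the swap adapter's recipient: check the address against a known set before any asset leaves the contract.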
For protocols operating across multiple chains, DeltaPrime’s experience demonstrates that vulnerabilities on one network often exist on others. Protocols should conduct synchronized audits across all deployments and implement circuit breakers that can halt operations network-wide when anomalous behavior is detected on any single chain.
Lessons Learned
The DeltaPrime incident reinforces several hard-won lessons from 2024’s string of DeFi exploits. First, flash loan-enabled attacks remain one of the most potent tools available to attackers, allowing them to execute capital-intensive exploits without requiring upfront investment. Second, reward claim mechanisms that interact with external contracts are inherently dangerous without strict input sanitization. Third, the attacker’s decision to stake stolen funds rather than immediately cashing out represents an evolving tactic that complicates fund recovery efforts and suggests a level of sophistication that goes beyond typical smash-and-grab exploits.
The total losses from DeFi exploits in 2024 have continued to mount, with DeltaPrime adding to a growing list that includes protocols across every major blockchain ecosystem. Each incident provides a blueprint for future attackers while simultaneously offering lessons that, if heeded, could prevent similar attacks.
User Action Required
If you held funds in DeltaPrime on either Arbitrum or Avalanche, monitor the protocol’s official communications for recovery plans. Avoid interacting with any DeltaPrime contracts until the team has deployed patched versions and independent auditors have verified the fixes. For DeFi users more broadly, this exploit serves as a reminder to diversify across protocols and never deposit more than you can afford to lose in a single platform. Always verify that protocols you use have undergone thorough audits from reputable firms, and pay attention to whether those audits specifically cover cross-chain functionality and reward distribution mechanisms.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with any DeFi protocol.
59.9 ETH flash loan to steal $4.8M. the ROI on these attacks is absurd, no wonder hackers keep targeting the same protocols
flash loans really changed the game for exploits. zero capital risk for the attacker, all the upside
two separate unchecked inputs chained together into one attack. whoever wrote that smart contract needs to find a different career path