The Gamma Strategies DeFi Protocol Is Vulnerable for $3.4 Million

CryptoPotato reports that a vulnerability in the DeFi protocol Gamma Strategies, which is constructed upon the Ethereum blockchain, led to an approximate $3.4 million loss. Subsequently, the protocol expeditiously executed precautions to avert additional losses; it temporarily halted deposits to all publicly accessible DeFi vaults while maintaining withdrawal functionality for users requiring access to their funds. The exploit was first identified by PeckShield, a blockchain investigator, on January 4. Gamma Strategies subsequently validated this identification. The platform announced that the underlying cause of the incident had been identified.

Four primary safeguards against flash loans are in place in Gamma's vaults: a requirement that the ratio of token0 to token1 be consistent with the ratio of the pool; a price change threshold that disallows deposits if the price change exceeds a specified amount; deposit caps per deposit; and a prohibition on single-sided deposits. The protocol unveiled that the primary concern originated from the excessively high price change threshold settings, which permitted certain LST and stablecoin vaults to experience price fluctuations of up to 50-200%. The assailant was thus able to manipulate the price to the threshold and produce an atypically large quantity of LP tokens.

In accordance with the strategy delineated by Gamma Strategies, every price change threshold shall be established at a secure threshold level. Additionally, prior to resuming deposits, it intends to have a third-party code review conducted to ensure that this attack has been adequately mitigated. In addition, a thorough post-mortem examination will be made public shortly. Gamma Strategies has not yet specified whether, in addition to "maximising recovery for all affected users," it intends to compensate its victims. The document stated, "One last note, is that even though deposits are closed, our rebalances and management of the positions are still active as they are not affected by the exploit."

Two security vulnerabilities afflicted the cryptocurrency market in the initial four days of 2024. An attack earlier this week compromised Orbit Chain, a project that facilitated cross-chain bridging, and caused the loss of over $80 million in assets. As a consequence of the perpetrator gaining entry to seven out of ten multisig signers, an amount of $81.5 million was lost in total. Stablecoins comprised the preponderance of the stolen funds, with USDT accounting for $30 million, USDC for $10 million, and DAI for $10 million. Furthermore, an estimated 9,500 ETH ($21.5 million) and 231 WBTC ($10 million) were also compromised.