Seneca Hack
Incident Overview
Exploitation of Seneca Protocol Leads to $6.5 Million Asset Loss
On February 28, 2024, Seneca Protocol experienced exploitation on both the Ethereum Mainnet and Arbitrum Chain due to a smart contract vulnerability. The vulnerability, rooted in an arbitrary external call vulnerability within the protocol's contracts, enabled attackers to drain assets. Specifically, the vulnerable contracts contained a _call function that lacked sufficient restrictions on the types of calls allowed and failed to adequately validate callee addresses.
Exploiting this, attackers manipulated the performOperations function to craft calldata triggering arbitrary calls, facilitating unauthorized token transfers to their addresses.
Exploiter Addresses:
Exploit tx:
https://etherscan.io/tx/0x0eb8f8d1…1bd5c4
https://etherscan.io/tx/0x9f371267…305576
Malicious contract:
https://etherscan.io/address/0x8d4de2bc…74d12a#code
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Seneca, these are the critical security checks that could have prevented this incident (February 2024).
- Verify all logic paths related to Token approval exploit / Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialFunds Recovery
Recovered
$5.3M
Net Loss
1202500
Security Audit History
- Audit Report 1 Report
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Proof-of-Concept Exploits
On-Chain Evidence & References
- Twitter/X Alert https://twitter.com/Phalcon_xyz/status/1763045563040411876
Sources & References
Learn to Prevent the Next Seneca
The Seneca hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.