Shata Capital Hack
Incident Overview
USDC vault owned by Shata Capital was exploited for about of 5M USD.
On February 24, 2023, an exploit was discovered in Shata Capital's EFVault contract, resulting in approximately $5.14 million in losses due to improper configuration after contract upgrade.
The attacker's address was 0xa0959536…743a0a and the attacked contract was 0x80cB7307…a2702c.
The attacker initially deposited 0.1 Ether to the EFVault contract 27 days prior to the attack to get a number of shares.
The EFVault contract had been upgraded by proxy before the attack, and the key parameter of the new function redeem in the upgraded contract was directly assigned by reading the wrong value from the corresponding storage location of the agent contract before the upgrade.
This resulted in an excessive amount of user withdrawable assets calculated in the redeem function, allowing the hacker to exploit this vulnerability and call the redeem function twice, profiting $3.43 million and $1.71 million respectively.
The vulnerability occurred because the initialize function of the newly implemented contract could not be called again after the upgrade, making it impossible to initialize the new variables.
In addition, the data storage structure of the old version was not taken into account when adding new variables in the new contract, which resulted in the new contract still reading the data of the proxy contract slot of 0xcc when reading the assetDecimal variable.
Through querying the transactions, it was found that the value of maxDeposit can be set by calling the setMaxDeposit function, and the latest value of maxDeposit was set to 5000000000000.
The attacker has exchanged all funds to ETH and transferred to tornado.cash.
Exploit TXs:
https://etherscan.io/tx/0x1fe5a534…e81914
https://etherscan.io/tx/0x31565843…a03743
Exploiter:
https://etherscan.io/address/0xa0959536…743a0a
Attacker contract:
https://etherscan.io/address/0x80cB7307…a2702c
Incident Report
Protocol Information
Market Context at Time of Hack
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Shata Capital, these are the critical security checks that could have prevented this incident (February 2023).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
Learn to Prevent the Next Shata Capital
The Shata Capital hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.