Prisma Finance, a prominent player in the decentralized finance (DeFi) space, is currently navigating the aftermath of an $11.6 million exploit that occurred last week. The incident has left $540,000 in funds still exposed in accounts that have yet to revoke the smart contract responsible for the exploit.
Prisma Finance hacker gives conditions to return funds
Adding to the complexity, the individual who executed the exploit, identifying themselves as a “white hat” hacker, has laid down conditions for returning the funds, including a public apology from Prisma Finance and the revelation of the team’s identity online. In response to these challenges, Prisma Finance’s core contributor known as “Frank” recently outlined the firm’s strategy in a post titled “Path Forward.”
While recovering the funds remains a top priority, the immediate focus is on ensuring the safety of users’ wallets and positions by unpausing the protocol. The exploit, which took place on March 28, was traced back to two MigrateTroveZap contracts designed for migrating user positions between trove managers, as detailed in a post-mortem update released by Prisma on March 31.
Frank highlighted that 14 accounts still need to revoke the affected smart contract, with five of them considered “at risk” due to open trove positions totaling over $500,000. Among these, the largest “at risk” address holds $484,380, while the other four range from $7,120 to $22,080 in value. As part of their recovery plan, Prisma intends to reduce liquidity from POL and staked revenue from vePRISMA.
Negotiating terms and demands
The protocol said the exploited contract was an isolated issue and activities would continue once the funds were secure. Meanwhile, the hacker has laid down his demands, asking Prisma Finance to tender a public apology. The ‘white hat’ hacker wants the entire team behind the protocol to reveal their identities and apologize for their failure to carry out a proper audit of their smart contract, which led to the hack.
In his message, the hacker mentioned that the team must reveal the mistake they made, the company that audited the smart contract, and their plan to improve security in the future. The hacker also wants Prisma Finance to absolve them of any responsibility for the breach, as they are only helping the platform rectify its mistake. However, Prisma Finance replied that the hacker has yet to show any good faith, as the funds have not been returned as promised.
The dispute has led to a series of exchanges between the team and the hacker. According to data from PeckShield, the hacker had swapped the funds to Ethereum, transferring about 200 ETH to OFAC-sanctioned Tornado Cash. Before the exploit, Prisma had about $220 million in TVL, a value that has since fallen to $87 million.