Prisma Finance says $540K still at risk, hacker demands team reveal themselves

Decentralized finance (DeFi) firm Prisma Finance says there are still $540,000 in funds from accounts yet to revoke the smart contract responsible for last week’s $11.6 million exploit.

Meanwhile, the self-claimed “white hat” hacker behind the exploit says they will hold back the return of funds until the firm apologizes and reveals the team’s identity online.

In a “path forward” post on April 1, core contributor “Frank” said the firm would continue to seek the return of funds, but that the top priority is to unpause the protocol, which first requires all users to ensure their wallets and positions are safe.

The protocol suffered a multimillion-dollar exploit on March 28, which was later revealed to be the result of two MigrateTroveZap contracts, which were designed to migrate user positions from one trove manager to another, according to a post-mortem post from Prisma last updated on March 31.

However, Frank noted that there were still 14 remaining accounts that had yet to revoke the affected smart contract, five of which were still “at risk” with open trove positions totaling over $500,000.

“Of the affected Troves several have revoked the contract containing the vulnerability with ~$540k of collateral still at risk at the time of writing.”

Prisma is a decentralized borrowing protocol that uses “troves” — Ethereum addresses — where users can take out and maintain loans.

The largest “at risk” address contains $484,380, while the other four carry between $7,120 and $22,080.

Frank explained that part of its “path forward” was to “conserve additional reserves” while Prisma attempted to recover the stolen funds.

A new proposal was made on April 1 to reduce liquidity from POL and staked revenue from vePRISMA.

Prisma also stressed that the exploited contract was isolated from the core protocol and that it plans to restart it once the remaining user funds are safe.

Meanwhile, the self-claimed “white hat” has accused the DeFi firm of failing to act in good faith and claims the funds won’t be returned unless it makes a public apology.

Part of that apology involves Prisma holding an online conference, in which the entire team must show their faces with ID and apologize to all users and investors for failing to properly audit its smart contract.

The exploiter also wants Prisma to acknowledge they have “no responsibilities” in the ordeal and are only trying to help Prisma rectify its mistake.

On-chain messages sent from the hacker to Prisma Finance. Source: Etherscan

Prisma, however, fired back, pointing out that the exploiter has yet to return any funds to show good faith either, with the two sides then continuing to argue in on-chain messaging.

Since the attack, blockchain security firms Cyvers and Peckshield observed that the hacker had started swapping the stolen funds to Ether (ETH), and about 200 Ether was transferred to the United States Treasury’s Office of Foreign Assets Control-sanctioned cryptocurrency mixer Tornado Cash.

Prior to the exploit, Prisma Finance had about $220 million in total value locked on its protocol, but that figure has plummeted to $87 million, according to DefiLlama.
