Silo Finance Hacked: $545K Loss Reported Amid Smart Contract Exploit

Silo Finance, a decentralized crypto lending protocol, confirmed on Wednesday that it had fallen victim to a smart contract exploit. The exploit resulted in an estimated loss of $545,000. News of the hack spread rapidly, raising concerns about the security of experimental protocols in the decentralized finance (DeFi) space.

The Exploit: A Vulnerability in Testing Contracts

According to blockchain security firm PeckShield, the vulnerability stemmed from a user-controlled input issue in the openLeveragePosition function of one of Silo’s smart contracts. The exploit allowed attackers to manipulate the contract and siphon off funds.

However, Silo Finance emphasized that the affected contract was not part of its main protocol infrastructure. Instead, it was being used to test a new leverage feature that had not yet been officially deployed. In a statement on X, the team clarified:

“The scope is limited to a smart contract for automated leverage, which is now paused. This is a function that is currently deployed for testing purposes only.”

Co-founder Aiham Jaabari echoed this sentiment, explaining that no user funds were lost. The exploited assets belonged solely to Silo DAO, the decentralized autonomous organization overseeing protocol governance. Silo DAO had allocated internal funds to test the experimental feature. In the wake of the hack, the focus shifted to ensuring that similar vulnerabilities are promptly addressed.

Market Reaction: SILO Price Plummets

In the wake of the exploit, SILO’s price dropped sharply, falling to approximately $0.04035. This marked an 11% decline over the past 48 hours, according to CoinGecko. The incident contributed to the volatility.

On-chain analytics revealed that traders rushed to offload or rebalance their holdings following the breach. The 14-day Relative Strength Index (RSI) fell below 36, indicating that the token had entered oversold territory. Meanwhile, the 50-day moving average remained significantly above current price levels at approximately $0.055. This suggests a potential continuation of SILO’s short-term downtrend.

Exploiter Used Tornado Cash to Launder Funds

Blockchain investigators traced the malicious activity to a wallet that received funds via Tornado Cash, a crypto mixing service notorious for obscuring transaction trails.

PeckShield reported that their threat intelligence system detected the suspicious code three minutes and twenty seconds before the exploit was executed. This early detection highlights the importance of proactive monitoring in mitigating such attacks.

The use of Tornado Cash underscores the growing sophistication of hackers, who increasingly rely on privacy tools to launder stolen funds.

Cork Protocol Exploiter Resurfaces

In a related development, blockchain security investigators flagged activity from the exploiter behind the Cork Protocol hack, which occurred in May. This hack resulted in a loss of approximately $12 million.

Early today, the attacker moved 4,520 ETH, worth around $11 million, through Tornado Cash. The funds were sent in two transactions: an initial transfer of 1,410 ETH ($3.2 million) followed by an additional 3,110 ETH minutes later.

Security firm CertiK confirmed the movement, stating:

This marks the first fund movement from the exploit-related addresses since the breach on May 28, when the attacker drained 3,761 wrapped staked ETH (wstETH) from Cork’s wstETH:weETH market.

Lessons Learned: Security in DeFi

The Silo Finance hack serves as a stark reminder of the risks associated with deploying unaudited or experimental features, even in isolated environments. While the platform’s core contracts remain secure, the incident highlights the need for rigorous testing and continuous monitoring of all smart contracts, regardless of their intended purpose.

For users, the breach underscores the importance of conducting due diligence before engaging with any DeFi protocol. Additionally, the resurgence of the Cork Protocol exploiter demonstrates the persistent threat posed by bad actors in the crypto space, particularly when privacy tools like Tornado Cash are involved.

Final Thoughts

Despite the $545K loss, Silo Finance’s response to the breach has been commendable. By promptly pausing the affected contract and providing transparent communication, the team has demonstrated a commitment to user safety and protocol integrity.

However, the broader implications of the incident extend beyond Silo Finance. As DeFi continues to grow, so too does the sophistication of attackers. Projects must prioritize security audits, implement robust monitoring systems, and educate users about potential risks. These measures will help foster trust and resilience within the ecosystem.

For now, the focus remains on recovering stolen funds and preventing similar incidents in the future.