Hacker Profits over $7 Million Analysis of the Exactly Protocol Hack on the Op Chain

On August 18, 2023, according to Beosin-Eagle Eye Situational Awareness Platform, Exactly Protocol, a DeFi lending protocol on the Optimism chain, was hacked, with the hacker profiting over 7 million USD.

After the attack, Exactly Protocol stated on social media that they were trying to communicate with the attacker to recover the stolen assets and had reported the incident to the police.

Three days later, on August 21, Exactly Protocol announced that the issue had been resolved and that users could perform all operations without any liquidation. For clarity, the hack only affected users who had used the peripheral contract (DebtManager). Users who did not use this contract suffered no loss, and the protocol is still operating normally.

The Beosin security team analyzed the incident immediately, and the results are as follows.

Relevant Information about the Incident

● Attacking Transactions

● Attacker’s Address

● Attacking Contracts

● Attacked Contract

Vulnerability Analysis

Multiple market-address parameters in the vulnerable contract are caller-supplied and never validated. By passing in a malicious market contract address, the attacker bypassed the permit check and executed a malicious deposit function, stealing users’ USDC collateral and then liquidating their positions, ultimately achieving the attacker’s profit goal.

Attack Process

Using the transaction 0x3d6367… as an example

Attack Preparation Phase:

1. The attacker created multiple malicious market contracts

Attack Phase:

1. The attacker called the leverage function of the vulnerable contract, passing in a forged market contract address. Because the market address was not validated, the permit check was bypassed and _msgSender was set to the victim’s address, preparing for step 3, which steals the victim’s assets.

2. The leverage function then calls the deposit function of the malicious market contract, which executes the attacker’s code.

3. The malicious code in the deposit function first creates a pool for the malicious token/USDC pair, and then re-enters the crossDeleverage function of the vulnerable contract. Since both marketIn and marketOut are attacker-controlled, the Uniswap V3 pool that crossDeleverage derives from them is the one the attacker created.

4. At this point, because _msgSender has been overwritten with the victim’s address, crossDeleverage calls the swap function of the attacker-created V3 pool to take a flash loan, and in the uniswapV3callback callback it transfers the victim’s funds to that pool.

5. The attacker removes liquidity and steals the victim’s funds from the V3 pool.

6. Because the victim’s collateral has been transferred away, the position now meets the liquidation conditions; the attacker then liquidates the victim’s position for additional profit.
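The root cause in the vulnerability analysis and in steps 1 to 3 above is a caller-supplied market address that is trusted for both the permit check and the follow-on deposit call. The added Solidity sketch below is illustrative code written for this write-up, not Exactly’s contracts: the interfaces, the registry, the `Permit` struct and the contract names are hypothetical, and it shows the unchecked pattern beside the whitelist fix that the recommendation section calls for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical, simplified interfaces (not Exactly's real ABI).
interface IMarket {
    // EIP-2612 style approval the periphery relies on to act for `owner`
    function permit(address owner, address spender, uint256 value,
                    uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function deposit(uint256 assets, address receiver) external;
}

interface IMarketRegistry {
    function isMarket(address market) external view returns (bool);
}

struct Permit { uint256 deadline; uint8 v; bytes32 r; bytes32 s; }

// Vulnerable pattern: `market` is caller-supplied and never validated. A fake
// market accepts any "permit", so the periphery then treats the victim
// (`owner`) as the sender and hands control to attacker code via deposit().
contract PeripheryVulnerable {
    address internal _msgSender;

    function leverage(IMarket market, address owner, uint256 assets, Permit calldata p) external {
        market.permit(owner, address(this), assets, p.deadline, p.v, p.r, p.s); // no-op if market is fake
        _msgSender = owner;                 // victim now "is" the caller
        market.deposit(assets, owner);      // attacker-controlled callee; can re-enter
        _msgSender = address(0);
    }
}

// Hardened pattern: refuse any market the protocol did not deploy, so the
// permit is verified by a genuine market before the sender is switched.
contract PeripheryHardened {
    IMarketRegistry public immutable registry;
    address internal _msgSender;
    error NotAMarket(address market);
    constructor(IMarketRegistry registry_) { registry = registry_; }

    modifier onlyMarket(IMarket market) {
        if (!registry.isMarket(address(market))) revert NotAMarket(address(market));
        _;
    }

    function leverage(IMarket market, address owner, uint256 assets, Permit calldata p) external onlyMarket(market) {
        market.permit(owner, address(this), assets, p.deadline, p.v, p.r, p.s);
        _msgSender = owner;
        market.deposit(assets, owner);
        _msgSender = address(0);
    }
}
```

The same `onlyMarket` check belongs on every entry point that takes a market address, including marketIn and marketOut on crossDeleverage, since the attack re-entered through that path.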

Funds Tracking

As of the time of writing, the stolen funds have been cross-chain transferred to Ethereum through the Optimism bridge and Across Protocol.


In response to this incident, the Beosin security team suggests:

It is recommended to add a whitelist for the contract addresses used as token credentials (here, the market addresses) so that they cannot be substituted with malicious contracts.

Beosin has already conducted security audits of multiple projects on the Optimism chain, such as DIPX. Beosin therefore recommends that, before a project goes live, it engage a professional security audit company to conduct a comprehensive security audit and mitigate security risks.
