DeltaPrime’s TVL Crashes 40% After $6M Exploit

DeltaPrime, a DeFi yield protocol, is reeling after its private keys were compromised.
On Sept. 15, Cyvers Alerts, an on-chain security team, flagged multiple suspicious transactions involving DeltaPrime’s Arbitrum deployment. Cyvers Alerts said a hacker was draining the protocol’s USDC, ARB, and BTCb pools after DeltaPrime’s admin lost control of its private key, culminating in nearly $6 million worth of losses.
On Monday morning, DeltaPrime confirmed the exploit stemmed from a compromised private key and resulted in a total loss of $5.98 million. The project said that all risk had been “contained” and that its insurance pool will cover any losses sustained by users.
DeltaPrime added that it is now working on retrieving the assets and will explore “other ways to reduce user losses to a minimum,” suggesting the project may offer a bounty to the hacker in exchange for returning most of the stolen funds.
Chaofan Shou, the co-founder of Fuzzland, a web3 security protocol, said the hackers used the compromised private key to upgrade DeltaPrime’s admin proxies, allowing the attacker to artificially inflate their deposit balance for the protocol’s pools.
The DeltaPrime team noted that its Avalanche deployment is secured by multisig accounts and cold wallets, meaning it is not vulnerable to the same attack.
The incident has wreaked havoc for DeltaPrime beyond the immediate losses incurred from the exploit, with the project’s total value locked (TVL) falling 40% to $38.3 million from $65.2 million in less than 24 hours, according to DeFi Llama. The pullback follows the protocol’s TVL doubling since early July.
Despite the heavy TVL loss, the price of DeltaPrime’s PRIME token is down just 5.4% in the past 24 hours, according to CoinGecko.
Potential North Korea Connection
On-chain sleuth ZachXBT had warned the team of a potential attacker in their ranks. He replied to cybersecurity researcher Chaofan Shou’s alert of the attack and claimed, “Idk if related, but they were one of the teams with the DPRK IT workers I reached out to warn (was told they were all removed).”
One month ago, the investigator had uncovered an extensive web of North Korean hackers – likely linked to the hacker group Lazarus – who posed as IT workers and had infiltrated a number of Web3 projects.
According to the blockchain detective, an unnamed team reached out to him for assistance after $1.3 million was stolen from their treasury after malicious code had been implemented.
“Unbeknownst to the team, they had hired multiple DPRK (Democratic People’s Republic of Korea) IT workers as devs who were using fake identities,” ZachXBT said. “I then uncovered 25+ crypto projects with related devs that have been active since June 2024.”
ZachXBT published an extensive investigation in April 2024 about how the state-sponsored Lazarus group laundered $200 million from over two dozen crypto projects between 2020 and 2023.





