Exactly Protocol: Unvalidated market address in periphery — fake market injection → _msgSender hijack → collateral drain + reentrancy
Exactly Protocol lost $7.3M when attackers passed a fake market address into an unaudited periphery contract, hijacking user collateral via reentrancy — despite the core protocol having four separate audits.
Summary #
Exactly Protocol suffered a Lending / Money Market on 2023-08-18, resulting in a loss of approximately $7M.
What happened #
Exactly Protocol lost $7.3M when attackers passed a fake market address into an unaudited periphery contract, hijacking user collateral via reentrancy — despite the core protocol having four separate audits.
Linked factors #
- RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited periphery code]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown (no mention in rekt.news article; $700K bounty offered post-hack for attacker information)]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — DebtManager was a new periphery feature added without undergoing an audit first]