defirisk.co
rubric v1.7.0

PrismaFi: Flash Loan + Missing Input Validation (Migration Helper)

PrismaFi's flash loan attack exploited a freshly deployed migration helper contract with no input validation, letting the attacker commandeer other users' collateral troves for $11.6M.

Occurred 2024-03-28 Loss $12M Status closed

Summary #

PrismaFi suffered a CDP / Liquid Restaking on 2024-03-28, resulting in a loss of approximately $12M.

What happened #

PrismaFi's flash loan attack exploited a freshly deployed migration helper contract with no input validation, letting the attacker commandeer other users' collateral troves for $11.6M.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — MigrateTroveZap was a recently deployed helper contract; unclear if it was in any audit scope; likely deployed after last audit] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — MigrateTroveZap was a recently deployed helper contract; unclear if it was in any audit scope; likely deployed after last audit]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (newly deployed migration helper)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MigrateTroveZap contract deployed within the week before the attack] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MigrateTroveZap contract deployed within the week before the attack]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in source]
  • RD-F-096 — illustrative : New ERC-20 approval to unverified contract [via realtime_signals/Pre-exploit on-chain signals: Approval of MigrateTroveZap by a monitored address 5 days before attack; migration contract was newly deployed (past week)]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — fork of Liquity Protocol with modifications]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — MigrateTroveZap contract deployed within the week before the attack]