defirisk.co
rubric v1.7.0

Seneca Protocol: Approval Exploit — Arbitrary transferFrom via Constructed Calldata

Occurred: 2024-02-28 | Loss: $6M | Status: closed

Summary

Seneca Protocol, a CDP / Liquid Staking protocol, suffered an exploit on 2024-02-28, resulting in a loss of approximately $6M.

What happened

Seneca Protocol's Chamber contract let anyone construct calldata that made the contract call transferFrom on behalf of any user who had ever granted it a token approval, draining those tokens from the user's wallet. A Sherlock researcher had flagged the bug three months before launch, and the team knowingly shipped it.

Linked factors

  • RD-F-006 (causal): Audit-deploy gap (time between audit and deploy). Evidence: dashboard_risk_factors / "Exploited code newly deployed/upgraded?": N — core Chamber contract; no recent upgrade.
  • RD-F-007 (related): Bug bounty absent (baseline integrity gap). Evidence: dashboard_risk_factors / "Bug bounty": N — no bug bounty program.
  • RD-F-008 (illustrative): Bug survived review (RD-F-008 is "ignored disclosure", the closest semantic match for an audit-missed bug). Evidence: dashboard_risk_factors / "Vulnerability in audited or unaudited code": In audited code (Halborn) — related issues flagged but specific flaw missed.
  • RD-F-090 (illustrative): Mixer withdrawal → protocol interaction. Evidence: realtime_signals / "Pre-exploit on-chain signals": Attacker address funded via FixedFloat 5 months prior and dormant; no on-chain activity immediately before.
  • RD-F-126 (causal): Is-a-fork-of (Cat 8 anchor). Evidence: dashboard_risk_factors / "Forked?": Y — "battle-tested code" (their words); LST collateral CDP fork.
  • RD-F-146 (related): New deploys in last 30 days (fresh attack surface). Evidence: dashboard_risk_factors / "Exploited code newly deployed/upgraded?": N — core Chamber contract; no recent upgrade.