Concentric app suffers $1.7m social engineering hack on Arbitrum

The liquidity manager app Concentric experienced a significant security breach today on the Arbitrum network.

The breach involved a social engineering attack that enabled the unauthorized acquisition of a critical private key. This key belonged to the protocol’s deployment account and was instrumental in the attack.

During the incident, the perpetrator managed to manipulate the protocol by upgrading the vaults and creating new liquidity provider (LP) tokens. This series of actions ultimately led to the extraction of assets from the vaults. 

The breach was executed by gaining control of an employee’s deployer wallet on Arbitrum. The $1.7 million in stolen funds were converted into Ethereum and dispersed across three wallet addresses. Cybersecurity company Cyvers detected and reported suspicious activities following the incident, raising concerns within the decentralized finance community.

Further investigation into the attack revealed intriguing connections. Blockchain security firm CertiK identified a link between the wallet used in this breach and another involved in a previous exploit of the OKX decentralized exchange in December. This connection suggests the possibility of the same individual or group orchestrating both attacks.

Liquidity management protocols, such as the one employed by Concentric, have gained traction in the defi sector. These protocols help in setting price boundaries and managing liquidity pools within decentralized exchanges.

Their rise in popularity can be traced back to the introduction of the concentrated liquidity feature by Uniswap in 2021. This feature enables liquidity providers to define specific price ranges for asset trading, adding complexity to liquidity provision and thereby increasing reliance on management protocols for asset handling.