Another Crypto Bridge Collapses as DeFi Lender on Optimism Suffers $7 Million Attack

DeFi lender Exactly logo with a laptop and a hacker in the background.

Continuing the trend, another decentralized finance (DeFi) protocol bridge has been hacked, according to the project and various security firms.

Exactly, a credit market on the Optimism network, said early Friday that it was “actively investigating a security issue within our protocol.” It added that the protocol was temporarily paused, but users could still withdraw assets.

Security firm PeckShield said on Twitter that it had “detected an ongoing attack.” Furthermore, blockchain security firm De.Fi said on Twitter that hackers made away with 4,323.6 Ethereum—or $7.2 million worth. De.Fi initially suspected that upwards of $12 million worth of ETH was swiped, but then updated with revised data.

Hackers were able to exploit a vulnerability in Exactly’s smart contracts to take the ETH, according to De.Fi. Optimism is an Ethereum scaling network built to enable faster and cheaper transactions than Ethereum’s own mainnet.

Exactly held over $36 million in total value locked (TVL) at the time of the hack, DeFi Llama data shows, but this figure has dropped to $10 million.

Exactly did not immediately respond to Decrypt’s request for comment.

Exploits like this one are increasingly common in the DeFi space. The crypto sphere which aims to replace traditional financial services like borrowing and lending.

Protocols like Exactly are relatively new and experimental, and therefore sometimes have vulnerabilities that hackers can take advantage of through exploits. Last year was “the biggest year ever for hacking” in the crypto space. According to blockchain data firm Chainalysis, and many of the attacks happened in the DeFi world.

Bridges, or protocols that facilitate the exchange of different cryptocurrencies across multiple blockchains, are particularly vulnerable to hacks. This is in part due to the sheer amount of liquidity available: tokens are frozen on one side of the blockchain and then unfrozen from the other side, meaning they’re locked in smart contracts in the middle. Bridges also provide another attack vector that may not be as thoroughly tested as the blockchains they’re connected to.

Last year, hackers hit popular bridge Wormhole with an exploit and got away with $326 million worth of Wrapped Ethereum. And in one of the biggest crypto hacks of all time, thieves in March 2022 managed to attack NFT-powered play-to-earn game Axie Infinity, taking an estimated $552 million worth of cryptocurrency from the bridge connecting its Ronin sidechain to Ethereum.