August 22, 2023

Analysis of Exactly Protocol’s $7.3M Exploit: How the Permit Check is Bypassed

According to Beosin EagleEye monitoring, on August 18, 2023 the Exactly Protocol on Optimism was exploited for roughly $7.3 million.


According to Exactly Protocol, the team was “trying to communicate with the attackers to return the stolen assets. Police reports have already been filed”. On Aug 20, the protocol was unpaused, users were able to perform all operations, and no liquidations had occurred.


Here’s the analysis of the exploit.


Related Info

● Attack Txs

● Attacker’s address

● Attack contracts

● Victim contracts

Vulnerability Analysis

The vulnerable periphery contract accepted several Market address parameters directly from the caller without validating them against the protocol's list of registered markets. The attacker supplied a malicious Market contract whose permit() accepts any account and signature, bypassing the permit check and making the contract act on behalf of the victim. The malicious market's deposit() then re-entered the contract to move the victim's USDC collateral into an attacker-controlled pool, after which the attacker liquidated the victim's undercollateralized position for additional profit.

Attack Flow

Take the tx 0x3d6367…520e as an example.


Main Steps

Bypass the permit check to set _msgSender to the victim -> Re-enter the contract to drain the victim's collateral -> Liquidate the victim's now-undercollateralized position


Attack Preparation Phase

The attacker deployed multiple malicious Market contracts.

Attack Phase

1. The attacker calls the leverage function of the vulnerable contract, passing in a forged Market contract address together with a Permit naming the victim's account. The contract calls permit() on whatever market address it was given; since that address is never checked against the protocol's registered markets, the attacker's market simply returns without verifying any signature. The permit check is thereby bypassed and _msgSender is set to the victim's address.

2. The leverage function then calls deposit() on the malicious market, executing the attacker's code while _msgSender still points at the victim.

3. The malicious deposit() first creates a Uniswap V3 pool pairing an attacker token with USDC, then re-enters the crossDeleverage function of the vulnerable contract. Because both marketIn and marketOut are attacker-controlled, the V3 pool address that crossDeleverage derives from them is the pool the attacker just created.

4. With _msgSender still set to the victim, crossDeleverage calls swap() on the attacker's V3 pool as a flash swap and, inside the uniswapV3SwapCallback callback, pays the pool with the victim's funds.

5. The attacker removes liquidity from the pool to collect the victim's funds.

6. Since the victim's deposited collateral has been moved out, the position becomes undercollateralized and meets the liquidation criteria, and the attacker liquidates it to extract further proceeds.
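The following Solidity sketch is an added illustration of the pattern behind steps 1 and 2 and of the whitelist fix; it is not Exactly Protocol's code. The IMarket and IAuditor interfaces, the Permit struct and the Auditor.isListed() lookup are simplified stand-ins for the real Market and Auditor contracts, introduced only to show where the trust boundary was missing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Exactly Protocol's code. IMarket/IAuditor and the
// isListed() helper are assumed, simplified stand-ins for the real contracts.
interface IMarket {
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external;
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

interface IAuditor {
    function isListed(IMarket market) external view returns (bool); // assumed helper
}

struct Permit {
    address account;
    uint256 deadline;
    uint8 v;
    bytes32 r;
    bytes32 s;
}

/// Vulnerable pattern: the caller chooses which contract verifies the permit.
contract VulnerablePeriphery {
    address internal _msgSender;

    modifier permit(IMarket market, uint256 assets, Permit calldata p) {
        // The signature is "checked" by the caller-supplied market. A malicious market
        // implements permit() as a no-op, so this call never reverts ...
        market.permit(p.account, address(this), assets, p.deadline, p.v, p.r, p.s);
        // ... and from here on the contract acts as whatever account the caller named.
        _msgSender = p.account;
        _;
        delete _msgSender;
    }

    function leverage(IMarket market, uint256 deposit, Permit calldata p)
        external
        permit(market, deposit, p)
    {
        // Hands control to attacker code while _msgSender == victim; the attacker's
        // deposit() can re-enter other entry points (e.g. crossDeleverage) as the victim.
        market.deposit(deposit, _msgSender);
    }
}

/// Hardened pattern: refuse any market the protocol's Auditor does not list.
contract HardenedPeriphery {
    IAuditor public immutable auditor;
    address internal _msgSender;

    error MarketNotListed(address market);

    constructor(IAuditor auditor_) {
        auditor = auditor_;
    }

    modifier permit(IMarket market, uint256 assets, Permit calldata p) {
        // Validate the address before trusting anything it returns or does.
        if (!auditor.isListed(market)) revert MarketNotListed(address(market));
        market.permit(p.account, address(this), assets, p.deadline, p.v, p.r, p.s);
        _msgSender = p.account;
        _;
        delete _msgSender;
    }

    function leverage(IMarket market, uint256 deposit, Permit calldata p)
        external
        permit(market, deposit, p)
    {
        market.deposit(deposit, _msgSender);
    }
}

/// What the attacker deploys: an IMarket whose permit() accepts any account and signature.
contract MaliciousMarket is IMarket {
    function permit(address, address, uint256, uint256, uint8, bytes32, bytes32)
        external
        pure
        override
    {
        // No EIP-2612 check, no revert: a "permit" for the victim's account passes.
    }

    function deposit(uint256, address) external override returns (uint256) {
        // Entry point for the re-entrancy in step 3: the periphery is mid-call with
        // _msgSender set to the victim, so any call back into it runs as the victim.
        return 0;
    }
}
```

The whitelist check must run before the first external call into the supplied address, because every value a malicious market returns (its asset(), its permit() result, its deposit() behaviour) is attacker-controlled. The same check belongs on every market parameter the contract accepts, including marketIn and marketOut of crossDeleverage, since the attack used those to steer the derived V3 pool address as well.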

Fund Flow

As of this writing, the stolen funds have been bridged cross-chain to Ethereum via the Optimism bridge and Across Protocol.


It is recommended that externally supplied market contract addresses (and any other token or pool addresses a contract acts on) be validated against a whitelist, such as the set of markets registered with the protocol, before they are trusted. Beosin has audited several projects on Optimism, such as DIPX, and recommends that projects undergo a comprehensive security audit by a professional audit firm before launch to mitigate such risks.

About Beosin

Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities, with 40+ PhDs on the team and offices in 10+ cities including Hong Kong, Singapore, Tokyo and Miami. With the mission of “Securing Blockchain Ecosystem”, Beosin provides an all-in-one blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has audited more than 3000 smart contracts, including well-known Web3 projects such as PancakeSwap, Uniswap, DAI and OKSwap, all of which are monitored by Beosin EagleEye. Its KYT/AML services serve 100+ institutions including Binance.

