According to Cointelegraph: The hacker who exploited a bug in Seneca stablecoin protocol's smart contract and stole roughly $6.4 million in Ethereum (ETH) has returned over $5 million worth of the pilfered funds. This follows Seneca's offer of a 20% bounty to the cybercriminal.

Multiple blockchain security companies, including CertiK, flagged the exploit of Seneca on Feb. 28. Initial estimates placed the stolen amount at $3 million, but revised figures noted the theft of over 1,900 ETH, valued at approximately $6.4 million. The breach was caused by a critical "call" vulnerability in the protocol's smart contract, which let the attacker perform external calls to any address.

The project's contracts lacked code that would enable a "pause," meaning users had to revoke permissions manually. Seneca reported that it was collaborating with specialists to investigate the incident and stated that it had offered a $1.2 million bounty if the stolen funds were returned.

In an on-chain message dated Feb. 29, Seneca asked the hacker to send back 80% of the stolen funds to a specified Ethereum address. The hacker would then be able to keep the remaining 20%. Seneca warned that swift action was crucial to avoid additional legal action.

Hours after Seneca's plea, the hacker returned around 1,537 ETH (approximately $5.3 million) to the specified address, thereby accepting the 20% bounty offer. They kept 300 ETH, worth roughly $1 million, and then moved the ETH to two distinct addresses.