Beluga Dex is a fork of Wombat / Platypus that, as of early October 2023, was running on Arbitrum and had more than USD300k of TVL. The protocol had three pools:
- a USDC/USDT/DAI pool
- an Overnight pool DAI+/USD+/USDC
- an LST pool
Around July 2023, the team started to disappear from all social media (Discord, Telegram).
Exploit #1:
On October 13th, the USDC/USDT/DAI “Beluga Dex” protocol was exploited for USD175k worth of stables (USDT, USDC, DAI). The dev team did not react or communicate.
https://arbiscan.io/tx/0x57c96e320a3b885fabd95dd476d43c0d0fb10500d940d9594d4a458471a87abe
However, right after the hack was made public, the deployer froze the protocol, including the Overnight and LST pools that were NOT exploited. There is a very strong belief, supported by on-chain behaviour, that the protocol was hacked by the development team themselves, and that they did not drain all pools so that the hack would look like it came from a third party.
Exploit #2:
After this, the deployer updated the contracts, creating a “fishing” mechanism for all assets that users had previously approved.
For instance, the modified contract “fished” this wallet for circa 20 wstETH in early February 2024, as seen in this transaction:
https://arbiscan.io/tx/0xe317b70ed1c43bbcb2cfd4f574605975850b884e8a6e8c9fb741e5e8da617151
What is interesting is that this hacker wallet was funded with the ETH needed to execute the contracts by this wallet:
https://arbiscan.io/address/0xaec726ffd9fd3fbd2a08a452125e4caeb5d0c4d2
This wallet itself has been funded with ETH and had multiple interactions with this wallet https://arbiscan.io/address/0x3842f081d592ee512cd5a4556a64fc3bca666e8c. Below are a couple of transactions between both wallets:
- https://arbiscan.io/tx/0xa593b1c1d7bd55ac1cfa386200c753e1d01c7a39af12de993d2fbc6c62eafce1
- https://arbiscan.io/tx/0x2c97ec4e22c8c9eec134e57a87f87a707299b1b983356b9c596e81d213f2017d
- https://arbiscan.io/tx/0x13b0ce7a94bfb3902f43b20fbf47e965462da6fd586519c2684bc71ab6668b33
This particular wallet has laundered money with Tornado Cash and has been sending a significant amount of Beluga protocol $BELA tokens ($379k worth of transactions) in and out. Given the volume of BELA token exchanges, it seems to be one of the dev wallets, associated with the contract deployer of the protocol.
Some of the proceeds generated by this very likely “dev wallet” have been sent to this wallet https://arbiscan.io/address/0xb23eb0e1b93551e1c652351cddac51c3ceae3e28 and then sent to Binance in smaller transactions as USDC or USDT, such as:
- https://arbiscan.io/tx/0xe79273b16bd442975b035fdcbb70e29a2f147f2ccfc18c9f5a7b4431e2a27354
- https://arbiscan.io/tx/0x965be2ac4794e260d3a58c8a7a94ce0d9a4a9e13f905510246221f42976e6045
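For users who approved the pool contracts before the update described under Exploit #2, the exposure is whatever token allowance is still open to those contracts. The following is an added example, not code from the protocol or from this write-up: it replays ERC-20 Approval logs to list the allowances that still need to be revoked for a given spender. The addresses (POOL, OTHER, ALICE, BOB, TOKEN_1, TOKEN_2), the helper make_log and the sample logs are constructed, and the log shape assumed is the one eth_getLogs returns.

```python
# Added example; every address and log entry below is constructed sample data.
# topic0 of the ERC-20 event: keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, spender):
    """Map (owner, token) -> amount for non-zero ERC-20 approvals to `spender`.
    Logs are replayed in chain order, so a later approve(spender, 0) clears an
    earlier grant. The amount is an upper bound (transferFrom may have spent
    part of it); confirm with the token's allowance(owner, spender) call."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but carries 4 topics: skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (topic_to_address(topics[1]), log["address"].lower())
        state[key] = int(log["data"], 16)
    return {key: amount for key, amount in state.items() if amount > 0}

def revoke_list(logs, spender):
    """Rows (owner, token, amount) that still need approve(spender, 0)."""
    rows = open_approvals(logs, spender).items()
    return sorted((o, t, "UNLIMITED" if a == UNLIMITED else a) for (o, t), a in rows)

def make_log(token, owner, spender, amount, block, index, erc721=False):
    """Build a constructed log dict in the shape eth_getLogs returns."""
    pad = lambda value: "0x" + format(value, "064x")
    topics = [APPROVAL_TOPIC, pad(int(owner, 16)), pad(int(spender, 16))]
    topics, data = (topics + [pad(amount)], "0x") if erc721 else (topics, pad(amount))
    return {"address": token, "topics": topics, "data": data,
            "blockNumber": hex(block), "logIndex": hex(index)}

# Hypothetical spenders, token owners and ERC-20 contracts.
POOL, OTHER, ALICE, BOB, TOKEN_1, TOKEN_2 = (
    "0x" + b * 20 for b in ("aa", "bb", "11", "22", "c1", "c2"))
SAMPLE_LOGS = [
    make_log(TOKEN_2, BOB, POOL, 0, 150, 1),            # revocation, listed first
    make_log(TOKEN_2, BOB, POOL, 5000, 101, 3),         # earlier grant it clears
    make_log(TOKEN_1, ALICE, POOL, UNLIMITED, 100, 0),  # still open
    make_log(TOKEN_2, ALICE, OTHER, 10, 120, 0),        # different spender
    make_log(TOKEN_1, BOB, POOL, 7, 160, 2),            # still open
    make_log(TOKEN_2, ALICE, POOL, 42, 130, 0, erc721=True),  # NFT approval, ignored
]
```

Calling revoke_list(SAMPLE_LOGS, POOL) returns the two rows still open to the pool; an approval stays usable by an upgraded contract until the owner sets it back to zero.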