Stablecoin protocol Seneca has offered a 20% bounty to the exploiter who gained access to at least $6.4 million in digital assets after exploiting an approval mechanism bug in the protocol’s smart contract. 

On Feb. 28, multiple blockchain security firms flagged the exploit on the stablecoin protocol. Companies like CertiK warned users about the exploit, urging them to revoke approvals from an address on the Ethereum and Arbitrum networks. Initial estimates of the losses were at $3 million, but it was later found that over 1,900 Ether ( ETH ), worth about $6.4 million, were taken from the exploit.

Seneca stablecoin hacker returns stolen funds after $6.4M exploit image 0 Seneca attacker’s wallet showing about $3 million in Ether. Source: CertiK

Security analysts at CertiK explained that the exploit happened due to a critical “call” vulnerability in the protocol’s smart contract. This vulnerability allowed the attacker to perform external calls to any address.

In addition, the project’s contracts did not have a code that could let the team do a “pause” on it. Because of this, users have to revoke permissions.

Related: Shido token plummets 94% as exploiter drains Ethereum staking contract

Seneca said it is  working with specialists to investigate what happened. It also offered a $1.2 million bounty for the return of the stolen funds. In an on-chain message on Feb. 29, Seneca asked the hacker to return 80% of the stolen funds to an Ethereum address, allowing the hacker to keep 20%.

Seneca stablecoin hacker returns stolen funds after $6.4M exploit image 1 Seneca’s on-chain message to the exploiter. Source: Seneca

Within the message, Seneca said it is collaborating with security providers and law enforcement to trace the funds. It urged the hacker to return the funds to avoid legal consequences. “Acting promptly is crucial, so we kindly request that you return the funds as soon as possible to avoid any further legal action,” it wrote.

Hours after Seneca’s message, the hacker  returned about 1,537 ETH, worth around $5.3 million, to the wallet address Seneca specified. The exploiter kept 300 ETH, worth around $1 million, and accepted the 20% bounty offered by Seneca. The exploiter then transferred the ETH to two different addresses.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks