Liquidity manager app Concentric has been exploited on Arbitrum, according to the protocol’s official X account. The attacker used a “social engineering attack” to compromise the private key for the protocol’s deployer account, which was then used to “upgrade the vaults, mint new LP tokens, and subsequently drain the vaults of their assets,” the team stated.

Concentric is urging users to revoke approvals from all vault addresses, which they list in the protocol’s documents.

According to a report from blockchain security platform CertiK, over $1.8 million has been lost so far in the attack. The attacking wallet is “linked to” the wallet that performed the OKX decentralized exchange exploit on Dec. 13, CertiK stated, implying that both attacks may have been carried out by the same person or group.

The exploiter wallet called the adminMint function on a Concentric contract, minting 0.001 CONE-1 tokens. They then called “burn” to redeem the CONE-1 tokens for funds from the AlgebraPool. This process was repeated several times, allowing the attacker to obtain multiple ERC-20 tokens, which were subsequently swapped for Ether (ETH).

The Concentric team said they have initiated an investigation and will issue a post-mortem report as soon as possible. In the report, the team will provide a plan to address the vulnerability. “Our team is fully committed to resolving this issue and restoring the integrity of the Concentric protocol,” Concentric stated.

Related: CoinEx hack: Compromised private keys led to $70M theft

Liquidity management protocols are used to set minimum and maximum prices and to rebalance liquidity pools in a decentralized exchange (DEX). They began to grow in popularity after Uniswap released its “concentrated liquidity” feature in 2021, which allowed liquidity providers to set a minimum and maximum price at which their assets could be traded. This made liquidity provision more complex, leading some users to employ management protocols to handle their assets.

Another liquidity manager, Gamma Protocol, was attacked on Jan. 4 and drained of nearly $500,000 via a smart contract vulnerability. The two attacks employed different methods and do not appear to be related.