
Euler Finance’s offer to hacker: Keep $20M or face the law

The hacker committed a $196 million flash loan attack on the Ethereum-based lending protocol on March 13.

Ethereum-based noncustodial lending protocol Euler Finance is trying to cut a deal with the exploiter that stole millions from its protocol, demanding the hacker returns 90% of the funds they stole within 24 hours or face legal consequences.

Euler Labs sent its ultimatum to the flash loan attacker who exploited the platform for $196 million by transferring the hacker 0 Ether (ETH) with an attached message on March 14:

“Following up on our message from yesterday. If 90% of the funds are not returned within 24 hours, tomorrow we will launch a $1M reward for information that leads to your arrest and the return of all funds.”

The threat of law enforcement comes after Euler sent the hacker a much more civil message the day before.

“We understand you are responsible for this morning’s attack on the Euler platform,” it read. “We are writing to see whether you would be open to speaking with us about any potential next steps.”

The request for a 90% fund return would see the hacker send back $176.4 million while holding onto the remaining $19.6 million.

However, many observers have noted that the hacker has very little to no incentive to follow through with the deal.

“If I was the hacker I’d simply say ‘to anyone who manages to track me down, I will give you $2 million not to tell Euler,’” one observer said.

“Yeh he has 200 Million they have 2 Million. He wins in a bidding war,” another Twitter user wrote in response.

Euler Labs said it was already working with law enforcement in the United States and the United Kingdom, along with engaging blockchain intelligence platforms Chainalysis, TRM Labs and the broader Ethereum community, to help track down the hacker.

Related: DeFi protocol Platypus suffers $8.5M flash loan attack, suspect identified

The lending platform added it was able to promptly stop the flash loan attack by blocking deposits and the “vulnerable” donation function.

As for the exploited code, the team explained that the vulnerability “was not discovered” in the audit of its smart contract, which had existed on-chain for eight months until being exploited on March 13.


Cross-chains in the crosshairs: Hacks call for better defense mechanisms

Cryptocurrency security firms, decentralized finance and cross-chain platforms are stressing the importance of improved defense mechanisms after a spate of hacks and exploits targeting the ecosystem.

2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year.

The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to the private keys of some 8000 wallets that resulted in $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens being pilfered.

deBridge Finance managed to sidestep an attempted phishing attack on Monday, Aug. 8, unpacking the methods used in what the firm suspects is a wide-ranging attack vector employed by North Korean Lazarus Group hackers. Just a few days later, Curve Finance suffered an exploit that saw hackers reroute users to a counterfeit webpage, resulting in the theft of $600,000 worth of USD Coin (USDC).

Multiple points of failure

The team at deBridge Finance offered some pertinent insights into the prevalence of these attacks in correspondence with Cointelegraph, given that a number of their team members previously worked for a prominent anti-virus company.

Co-founder Alex Smirnov highlighted the driving factor behind the targeting of cross-chain protocols, given their role as liquidity aggregators that fulfill cross-chain value transfer requests. Most of these protocols look to aggregate as much liquidity as possible through liquidity mining and other incentives, which has inevitably become a honey-pot for nefarious actors:

“By locking a large amount of liquidity and inadvertently providing a diverse set of available attack methods, bridges are making themselves a target for hackers.”

Smirnov added that bridging protocols are middleware that relies on the security models of all the supported blockchains from which they aggregate, which drastically increases the potential attack surface. This also makes it possible to perform an attack on one chain to draw liquidity from others.

Related: Is there a secure future for cross-chain bridges? 

Smirnov added that the Web3 and cross-chain space is in a period of nascence, with an iterative process of development seeing teams learn from others’ mistakes. Drawing parallels to the first two years in the DeFi space where exploits were rife, the deBridge co-founder conceded that this was a natural teething process:

“The cross-chain space is extremely young even within the context of Web3, so we’re seeing this same process play out. Cross-chain has tremendous potential and it is inevitable that more capital flows in, and hackers allocate more time and resources to finding attack vectors.”

The Curve Finance DNS hijacking incident also illustrates the variety of attack methods available to nefarious actors. Bitfinex chief technology officer Paolo Ardoino told Cointelegraph the industry needs to be on guard against all security threats:

“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry. The fact that a hacker is able to change the DNS entry for the protocol, forwarding users to a fake clone and approving a malicious contract says a lot for the vigilance that must be exercised.”

Stemming the tide

With exploits becoming rife, projects will no doubt be considering ways to mitigate these risks. The answer is far from clear-cut, given the array of avenues attackers have at their disposal. Smirnov likes to use a “swiss cheese model” when conceptualizing the security of bridging protocols, in which the only way to execute an attack is for a number of “holes” to momentarily line up.

“In order to make the level of risk negligible, the size of the hole on each layer should be aimed to be as minimal as possible, and the number of layers should be maximized.”

Again this is a complicated task, given the moving parts involved in cross-chain platforms. Building reliable multilevel security models requires understanding the diversity of risks associated with cross-chain protocols and the risks of supported chains.

The chief threats include vulnerabilities with the consensus algorithm and codebase of supported chains, 51% attacks and blockchain reorganizations. Risks to the validation layers could include the collusion of validators and compromised infrastructure.

Software development risks are another consideration, with vulnerabilities or bugs in smart contracts and bridge validation nodes being key areas of concern. Lastly, deBridge notes protocol management risks, such as compromised protocol authority keys, as another security consideration.

“All these risks are quickly compounded. Projects should take a multi-faceted approach, and in addition to security audits and bug bounty campaigns, lay various security measures and validations into the protocol design itself.”

Social engineering, more commonly referred to as phishing attacks, is another point to consider. While the deBridge team managed to thwart this type of attack, it still remains one of the most prevalent threats to the wider ecosystem. Education and strict internal security policies are vital to avoid falling prey to these cunning attempts to steal credentials and hijack systems.

Yuga Labs warns of ‘persistent threat group’ targeting NFT holders

The warning comes only days after hackers compromised the website of Premint NFT, making off with more than 300 NFTs and $375,000 of Ether.

Bored Ape Yacht Club (BAYC) creator Yuga Labs has warned there may soon be a “coordinated attack” targeting multiple nonfungible token (NFT) communities.

The NFT company told its Twitter followers on Tuesday that its security team has been tracking a “persistent threat group” targeting the NFT community through compromised social media accounts, urging followers to be on the lookout.

This isn’t the first time the company has warned its community of a possible social media-led attack by hackers.

Not the first, not the last

In June, Gordon Goner, pseudonymous co-founder of Yuga Labs, issued a warning of a possible incoming attack on its Twitter social media accounts.

Soon after the warning, Twitter officials began monitoring activity on the accounts and fortified their existing security. Goner told investors that the company would never conduct surprise mints, a popular method attackers use to lure victims.

The month also saw two official Discord groups linked to BAYC and OtherSide NFTs compromised, allowing scammers to share various phishing links in the official BAYC, Mutant Ape Yacht Club and OtherSide groups on Discord.

Cointelegraph asked Yuga Labs for more details about the “persistent threat group” and the potential attack but did not receive an immediate response.

Premint NFT website hacked

Yuga Labs’ new warning comes only days after threat actors hacked popular NFT platform Premint NFT, stealing approximately 314 NFTs and $375,000 in Ether (ETH), making it one of the largest NFT hacks in 2022.

Premint is an NFT whitelisting service that helps NFT artists access a large number of verified NFT collectors quickly, whitelisting them for new NFT projects. The NFT services platform touts more than 12,000 NFT projects and a database of more than 2.4 million collectors.

According to blockchain security firm Certik, the thefts occurred on Sunday after hackers inserted malicious code into Premint’s website.

The code created a pop-up that prompted users to verify their wallet ownership but instead gave hackers the permissions necessary for them to transfer NFTs from their victim’s wallets.

Related: NFT, DeFi and crypto hacks abound — Here’s how to double up on wallet security

Six wallets have been identified as falling victim to the attack, containing NFTs including Bored Ape Yacht Club, Otherside, Oddities and Goblintown.

Premint said it would continue to “dig into the incident” and reminded users that they would never be asked to sign any kind of transaction on the platform.

The platform has also changed in light of the attack, allowing users to log in without their wallets — which they claim will be safer and more convenient.

More than $4.7M stolen in Uniswap fake token phishing attack

Some initially interpreted the hack as an exploit of the Uniswap v3 protocol, but it was quickly clarified as the result of a phishing campaign.

A sophisticated phishing campaign targeting liquidity providers (LPs) of the Uniswap v3 protocol has seen attackers make off with at least $4.7 million worth of Ether (ETH). However, the community is reporting the losses could be even greater. 

MetaMask security researcher Harry Denley was one of the first to raise the alarm about the attack, telling his 13,000 Twitter followers on Monday that 73,399 addresses had been sent malicious ERC-20 tokens intended to steal their assets.

At least $4.7 million in ETH has been lost in the attack, according to a Twitter post from Binance CEO Changpeng “CZ” Zhao. However, there are also reports among the crypto community that there may be more significant losses from the incursion.

Prominent Crypto Twitter user 0xSisyphus noted on Monday that a “large LP” with around 16,140 ETH, worth $17.5 million, may have also been phished.

How it works

According to Denley, the phishing attack works by sending unsuspecting users a “malicious token” called “UniswapLP” — made to appear as coming from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field in the blockchain transaction explorer.

Users curious about their new tokens would be directed to a website purporting to allow them to swap their new tokens for Uniswap (UNI), worth $5.34 each at the time of writing.

The website would instead send the users’ address and browser client info to the attackers’ command center, which would also attempt to drain cryptocurrency from their wallets.

A Reddit post explaining the attack also noted that the attackers had stolen native tokens such as Ether, ERC-20 tokens and nonfungible tokens (NFTs) (namely Uniswap LP positions) from victims.

On Wednesday, Uniswap Labs added its own detailed explanation on Twitter about how the scam worked, emphasizing that the incident was part of a phishing scam, not an exploit. 
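As an added example (not code from the article, from Uniswap Labs or from Denley), the triage routine below shows the defensive takeaway of the mechanism described above: an incoming token transfer is trusted only by the contract that emitted the Transfer event, never by the spoofable “From” field an explorer displays. All addresses are constructed placeholders, and the event records are constructed in the trimmed shape of an eth_getLogs result.

```python
# Added example: classify incoming ERC-20 Transfer events for a wallet so that an
# airdropped token cannot borrow trust from a spoofed "from" address.
# All addresses are constructed placeholders, not real contracts.

WALLET = "0x000000000000000000000000000000000000beef"              # constructed
POSITIONS_NFT = "0x0000000000000000000000000000000000000001"       # placeholder for "Uniswap V3: Positions NFT"
UNI_TOKEN = "0x0000000000000000000000000000000000000002"           # placeholder for the UNI contract
ATTACKER_TOKEN = "0x000000000000000000000000000000000000bad1"      # constructed "UniswapLP" token contract

# Trust is keyed by the emitting contract (the log's "address" field) only.
KNOWN_TOKENS = {UNI_TOKEN: "UNI"}
# Labels explorers attach to well-known addresses; these are what a spoofed
# "from" topic tries to impersonate.
WELL_KNOWN_LABELS = {POSITIONS_NFT: "Uniswap V3: Positions NFT"}

# Constructed Transfer(from, to, value) logs, fields trimmed to what matters here.
SAMPLE_LOGS = [
    {"address": UNI_TOKEN, "from": "0x00000000000000000000000000000000000000aa", "to": WALLET, "value": 10},
    # The phishing pattern: an unknown contract emits a Transfer whose "from"
    # is set to a trusted address so the explorer shows a trusted label.
    {"address": ATTACKER_TOKEN, "from": POSITIONS_NFT, "to": WALLET, "value": 5000},
    {"address": "0x000000000000000000000000000000000000cafe", "from": "0x00000000000000000000000000000000000000bb", "to": WALLET, "value": 1},
]


def classify(log):
    """Return (verdict, reason) for one Transfer log; only 'address' decides trust."""
    token = log["address"].lower()
    sender = log["from"].lower()
    if token in KNOWN_TOKENS:
        return "trusted", f"emitted by known token contract {KNOWN_TOKENS[token]}"
    if sender in WELL_KNOWN_LABELS:
        # Unknown contract impersonating a trusted sender: the strongest signal.
        return "spoofed", f"unknown contract claims transfer from {WELL_KNOWN_LABELS[sender]}"
    return "unsolicited", "unknown contract; treat as an untrusted airdrop"


def triage(logs, wallet=WALLET):
    """Map each token contract that sent the wallet something to its verdict."""
    return {
        log["address"].lower(): classify(log)
        for log in logs
        if log["to"].lower() == wallet.lower()
    }


if __name__ == "__main__":
    for contract, (verdict, reason) in triage(SAMPLE_LOGS).items():
        print(f"{contract}: {verdict} ({reason})")
```

The point of the check is that no amount of explorer labelling on the “From” side changes the verdict; only an allowlist of emitting contracts does.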

Not an exploit

Binance’s CEO Zhao created some waves in the crypto markets when he first sounded alarms about the attack, calling it a “potential exploit” of the Uniswap protocol on the Ethereum blockchain.

Related: Finance Redefined: Uniswap goes against the bearish trends, overtakes Ethereum

Zhao clarified soon after the post with another update, sharing a conversation with the Uniswap team, who noted the incident was a phishing attack rather than any issue with the protocol.

CZ’s initial alarming comments coincided with a sharp drop in the Uniswap price, which fell to a 24-hour low of $5.34. The price of UNI has since recovered following the clarification to $5.48 at the time of writing but is still down 11% in 24 hours and is 87.8% down from its all-time-high.

Update: Added the Twitter thread from Uniswap Labs explaining how the phishing scam works.