State of Web3 Security: Part 1, Attacks


By Stelo Labs, Eli Qian

This is Part 1 of a two-part report on the State of Web3 Security. Part 2 on security tooling will be published next week.

The exuberance of the 2021 crypto market laid the groundwork for a highly volatile 2022. The past 18 months or so have, without a doubt, been tumultuous. Rising asset values and crypto adoption led to more opportunities for hackers and scammers to beg, borrow, and steal other people’s crypto.

Earlier this year, security was brought to the forefront yet again as prominent NFT founder and collector Kevin Rose had 35 NFTs worth over $1.4m stolen from him.

Some trends we observed:

  1. The professionalization of crypto scams
  2. The rise of state-sponsored hacking
  3. Renewed mistrust in centralized exchanges

Security of crypto assets has been an issue since the origins of crypto.

In the Bitcoin-only era from 2009 to 2014, the majority of the concern was about private key theft and loss. We all know the stories of people forgetting the password to their computer and losing millions. At the same time, crypto scams began to emerge that looked very similar to the basic “Western Union” scams of web2.

As crypto has evolved, the concerns have shifted from seed phrase security to smart contract and bridge exploits, supply chain attacks, and sophisticated phishing attacks targeting users. The invention of Ethereum and the rise of smart contracts led to an explosion in the surface area for attacks, hacks, and exploits. Since the Ethereum Virtual Machine (EVM) is Turing complete, anything that can be built in software can be built on Ethereum. While the opportunities have expanded, so have the number of vulnerabilities available to exploit.

This report explains some of the top attacks, trends, and tooling from 2022 (and beyond) with the goal of bringing increased awareness and understanding to the web3 security landscape. Part 1 is about the attacks from the past 18 months and in part 2 we'll dive into the tooling that is being built to keep people safe.

Part 1: Attacks

2021 was a record-setting year for crypto scams and hacks, but 2022 has managed to top it. The Wall Street Journal reported that crypto fraud jumped to $2.57 billion in 2022, up from $907 million in 2021. Attackers and scammers have continued to iterate, with an emphasis on more technically sophisticated attacks.

Bridges have been a hot target as of late, with over a billion dollars lost to bridge hacks alone. In many cases, attackers used smart contract exploits to attack bridges in highly technical hacks.

Even phishing, usually seen as less technically sophisticated, got more advanced. It isn’t “Nigerian prince” scams anymore: there are people making a living as criminals and investing serious time and effort into hacks. Scammers turned to techniques such as DNS attacks—compromising the domain name server of websites—to find new ways to target unsuspecting users. Many of 2022’s top attacks were expertly socially engineered and targeted some of the biggest names in crypto.

Attacks also became more operationally sophisticated. A major trend in 2022 was the professionalization of crypto scams. The rise of “phishing-as-a-service” allowed anyone to become a scammer with mass-produced templates and methods. The Seaport drainer and Monkey Drainer became infamous in 2022 for how widely and effectively these techniques were used.

State-sponsored hacking made an appearance as well, taking attacks to the next level with better organized teams and greater resources to pull from. Most notably, North Korea’s Lazarus Group was behind some of the highest profile hacks in crypto, such as the Ronin Bridge hack that stole over half a billion dollars.

The involvement of state-sponsored groups has profound implications for everyday users. North Korea was suspected of funneling stolen funds through Tornado Cash, a crypto mixer that can be used to launder cryptocurrency. In response, the US government got involved and sanctioned Tornado Cash.

The last 18 months have been anything but quiet in crypto security. We've seen a fresh wave of attacks and a host of new players in the security ecosystem. This is everything you need to know about what went down.


Bridges

What is a bridge?

The crypto ecosystem has many blockchains. Popular ones include Ethereum and Solana, but there are dozens of others that have their own native assets, smart contracts, and NFTs. Unfortunately, you cannot simply send Bitcoin to an Ethereum address.

Bridges are the solution to this compatibility problem. When a user wants to transfer assets from one chain to another, the bridge will “wrap” the asset. The bridge accepts one token and creates a wrapped version of the token that is compatible on the new chain.

Bridge security

The security of bridges has long been questioned. Vitalik Buterin, founder of Ethereum, described his prediction for the future as multi-chain but not cross-chain. While Vitalik’s argument centered around “anti-network” effects—where non-native assets could be at risk if other networks are attacked—2022 saw many bridges fall victim to technical exploits, highlighting another vulnerability of bridges.

At the start of 2022, there was over $20B in TVL across Ethereum bridges. The technical complexity, high volume, and popularity of bridges made them an appealing target for attackers. The exploits in 2022 used a range of methods—from server vulnerabilities to smart contract exploits.


Wormhole

When: Feb 2022 | Amount: $320,000,000 | Surface: Bridge | Mechanism: Smart contract exploit

What is Wormhole?

Wormhole is a message-passing protocol designed to allow different blockchains to communicate with each other. The Wormhole Portal Bridge is a token bridge that enables the transfer of assets across blockchains. Typically, a token bridge functions by accepting funds in one type of asset, locking the funds as collateral, and issuing an equal amount of a parallel asset to the user. This way, all assets are backed 1-to-1 and can be exchanged at any time. In February of 2022, a hacker was able to mint 120,000 wETH without depositing the requisite collateral.

Deep dive

How did the attacker accomplish this? The process is a bit complex, so let’s break it down:

To mint tokens, the Wormhole contract uses the complete_wrapped function. One of the parameters of the complete_wrapped function is transfer_message, a message signed by Wormhole guardians (validators) that specifies which token and how much to mint.

To create a transfer_message, the post_vaa function is required. post_vaa checks if a message is valid, aka if it was actually signed by the guardians. If a message is valid, a VAA (verified action approval) is generated. However, post_vaa doesn’t do the verification itself. Instead, it outsources this to a verify_signatures function which further outsources verification to the Secp256k1 program.

This is where the critical vulnerability was. The Secp256k1 program was using deprecated code that didn’t check whether signature verification was from a whitelisted/system address. This allowed the hacker to spoof their own system address and bypass the verification process. The hacker was then able to generate a valid VAA, use the VAA to create a transfer message, and use the transfer message to mint 120,000 wETH.

Interestingly, a commit replacing the exploited function with a function that checks against system addresses was pushed to GitHub just hours ahead of the attack. Hackers struck in the brief time between committing the new version and deploying it—suggesting they may have been monitoring the repo for potential vulnerabilities.
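
The check that was missing, modelled in Python as an added example (this is not Wormhole's code; the program ids, the guardian count of 19 and quorum of 13, and the toy payload format are assumptions). The only thing that proves a signature set was really verified is that the genuine secp256k1 program executed the sibling instruction, so a verifier that never inspects the program id can be fed a look-alike instruction from any program:

```python
from dataclasses import dataclass

# Placeholder ids for the model; real Solana program ids are base58 public keys.
SECP256K1_PROGRAM_ID = "secp256k1-program"
ATTACKER_PROGRAM_ID = "attacker-program"
GUARDIAN_COUNT = 19      # assumed guardian set size for this model
GUARDIAN_QUORUM = 13     # assumed quorum for this model


@dataclass
class Instruction:
    program_id: str
    # Toy payload: (guardian_index, signature_is_genuine). A real secp256k1
    # instruction carries offsets to signatures, pubkeys and message hashes.
    claims: list


@dataclass
class Transaction:
    instructions: list


class VerificationError(Exception):
    pass


def runtime_execute(tx: Transaction) -> None:
    """Toy runtime. Only the genuine secp256k1 program checks signatures, so a
    transaction carrying a forged signature under that program id fails outright.
    Any other program may emit a look-alike payload that nobody checks."""
    for ix in tx.instructions:
        if ix.program_id == SECP256K1_PROGRAM_ID:
            for guardian, genuine in ix.claims:
                if not genuine or guardian >= GUARDIAN_COUNT:
                    raise VerificationError("secp256k1 program rejected a signature")


def verify_signatures_vulnerable(tx: Transaction, index: int) -> bool:
    """Loads the sibling instruction (like the deprecated load_instruction_at)
    and trusts its payload without asking which program executed it."""
    ix = tx.instructions[index - 1]
    return len({g for g, _ in ix.claims}) >= GUARDIAN_QUORUM


def verify_signatures_fixed(tx: Transaction, index: int) -> bool:
    """Same lookup, but refuses any sibling not executed by the secp256k1 program."""
    ix = tx.instructions[index - 1]
    if ix.program_id != SECP256K1_PROGRAM_ID:
        raise VerificationError("sibling instruction is not from the secp256k1 program")
    return len({g for g, _ in ix.claims}) >= GUARDIAN_QUORUM


def post_vaa(tx: Transaction, index: int, verify) -> str:
    """Runs the transaction, then issues a toy VAA only if verification passes."""
    runtime_execute(tx)
    if not verify(tx, index):
        raise VerificationError("guardian quorum not reached")
    return "VAA:" + ",".join(str(g) for g, _ in tx.instructions[index - 1].claims)


WORMHOLE_IX = Instruction("wormhole-program", [])

# Honest transaction: the real program verified 13 genuine guardian signatures.
HONEST_TX = Transaction([
    Instruction(SECP256K1_PROGRAM_ID, [(g, True) for g in range(GUARDIAN_QUORUM)]),
    WORMHOLE_IX,
])

# Spoofed transaction: the attacker's own program emits a payload with the same
# shape; the runtime never checks it because it is not the secp256k1 program.
SPOOFED_TX = Transaction([
    Instruction(ATTACKER_PROGRAM_ID, [(g, False) for g in range(GUARDIAN_QUORUM)]),
    WORMHOLE_IX,
])


def demo() -> dict:
    """Runs both verifiers against both transactions and records the outcome."""
    results = {}
    for name, verify in (("vulnerable", verify_signatures_vulnerable),
                         ("fixed", verify_signatures_fixed)):
        for label, tx in (("honest", HONEST_TX), ("spoofed", SPOOFED_TX)):
            try:
                post_vaa(tx, 1, verify)
                results[(name, label)] = "vaa issued"
            except VerificationError as err:
                results[(name, label)] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```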

Aftermath and impact

Shortly after the hack, Jump Crypto—Wormhole’s parent company—deposited 120,000 ETH in order to close the gap in assets caused by the exploit. This was crucial to avoiding more widespread damage. Without Jump Crypto’s cash to plug the hole in the balance sheet, hundreds of millions of dollars worth of wETH would be unbacked. This might have incentivized a cascade of withdrawals and eventually insolvency. Jump was willing to provide the capital to keep the bridge functioning because they believe “in a multichain future and that Wormhole is essential infrastructure.”


Ronin

When: Mar 2022 | Amount: $650,000,000 | Surface: Bridge | Mechanism: Off-chain exploit

What is Ronin?

The Ronin Network is an Ethereum sidechain made for games. Built by Sky Mavis, the creator of Axie Infinity, it serves as the network for Axie Infinity, and its bridge allows users to deposit and withdraw assets to and from the Ronin Network.

On March 23, 2022, the Ronin Bridge was exploited for over half a billion dollars. Chaos ensued, and it took over three months for the bridge to reopen.

Deep dive

The exploit wasn’t discovered until a week after it occurred when a user found they were unable to withdraw funds. So how did someone steal hundreds of millions of dollars from one of the most popular blockchain games?

The Ronin Bridge hack was not a result of any smart contract vulnerability. Rather, the hack was the result of compromised private keys. The attackers, later determined to be the North Korean Lazarus Group (responsible for the 2014 Sony hack), were able to access the private keys of Ronin validators and approve transactions sending them millions of dollars of assets.

An important note: prior to the attack, the Ronin chain operated using nine validator nodes, with approval required from five of the nine validators for a transaction to be executed. This will come into play shortly.

The hackers accessed Sky Mavis’s systems via an off-chain exploit and gained control of the four nodes operated by Sky Mavis. On its own, this is not enough to unilaterally execute a transaction. Where did the fifth and final node come from?

Back in November 2021, Sky Mavis requested help from Axie DAO to deal with high transaction volume. As part of this, Axie DAO allowlisted Sky Mavis to sign transactions. Critically, this access was never revoked. With access to Sky Mavis systems, the hackers found the signature of the Axie DAO validator and thus controlled five of the nine validators—enough to compromise the bridge. With this power, the attackers stole 173,600 ETH and 25.5 million USDC from the bridge in 2 transactions. Over the following few days, the attacker transferred the stolen assets around, using Tornado Cash to launder the funds.

Aftermath and impact

The Ronin Network only learned of the attack, and made it public, a week later. When the attack was discovered, all Sky Mavis validators were replaced and the network expedited plans to add new validators. The validator threshold was also increased from five to eight. Over the course of three months following the hack, the Ronin Network underwent significant audits and upgrades, culminating in a reopening of the bridge on June 28.

Sky Mavis was able to raise a new round of funding—$150 million led by Binance—which ensured that all users who lost money were reimbursed.

The US government also got involved with the FBI investigating and attributing the attack to the North Korean Lazarus Group. The US Treasury Department took action to sanction addresses that received stolen funds.


Nomad

When: Aug 2022 | Amount: $190,000,000 | Surface: Bridge | Mechanism: Smart contract exploit

What is Nomad?

Nomad is a cross-chain messaging protocol that uses an optimistic verification mechanism. This means that the verification process assumes that data is valid, and requires honest parties to submit fraud proofs to prove otherwise. The Nomad Bridge allows for the transfer of assets across networks using this method of verification.

Deep dive

In August 2022, we saw nearly $200 million stolen from the Nomad Bridge. Despite the massive figure, it was only the third largest bridge hack of 2022, though possibly the most unusual. All of crypto Twitter watched in real time as millions of dollars of assets left Nomad across thousands of transactions. @samczsun on Twitter described the frenzy as a “send 0.01 WBTC, get 100 WBTC promotion.”

Obviously, that’s not what happened. Instead, a bug in Nomad’s smart contracts was found that allowed unproved messages to be processed. The key vulnerability was in the Replica contract—the contract intended to handle processing and validating claims (or messages) on bridged assets.

Within the Replica contract, our attention turns to the process() function which is responsible for executing messages. As part of this, process() does checks to see if a message is valid and can be executed.

Prior to the hack, Nomad developers pushed some updates that changed the way messages were checked. Previously, messages could be mapped to three values: 0 for invalid, 1 for valid/proven, and 2 for messages that have already been processed. Only messages with value 1 are able to be executed.

However, with the update, Nomad developers had to account for legacy messages (ones that are mapped to 0, 1, or 2). The beginning of the problem lies in the control flow of acceptableRoot, the function in process() responsible for checking if a message is valid.

acceptableRoot first checks if a legacy message is 1 (valid) or 2 (processed). However, if the legacy message is 0 (invalid), the message flows down to the non-legacy logic. Critically, when a zero value is passed through the new, non-legacy logic, it is treated as a valid value. This is very bad—it means any message that doesn’t already exist (i.e., doesn't have a value of 1 or 2) will be valid and executed, essentially bypassing the whole check.

But why is zero a valid value? Because in the update, Nomad developers set the default value for a trusted root to be 0x00. This, combined with the control flow, meant that if a message was passed through that didn’t already exist, it would automatically be approved.

Hackers, and likely many users, quickly exploited this by submitting old transactions with the recipient address changed to their own. In a matter of hours, the bridge was drained by thousands of these transactions.
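
A Python model of the control flow described above, as an added example (it is not Nomad's Solidity, and the hardened variant is one reasonable fix for the model rather than Nomad's actual patch). The message format, the hash function and the vault balances are constructed; the essential pieces are that an unknown message hash reads as bytes32(0) and that the vulnerable deployment trusted bytes32(0) as a root:

```python
import hashlib
from dataclasses import dataclass

ZERO_ROOT = bytes(32)                               # bytes32(0)
LEGACY_STATUS_PROVEN = (1).to_bytes(32, "big")      # legacy "valid/proven" marker
LEGACY_STATUS_PROCESSED = (2).to_bytes(32, "big")   # legacy "already processed" marker


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    amount: int
    nonce: int

    def digest(self) -> bytes:
        raw = f"{self.sender}|{self.recipient}|{self.amount}|{self.nonce}".encode()
        return hashlib.sha256(raw).digest()   # stand-in for keccak256 of the encoded message


class Replica:
    """Toy Replica: confirm_at maps a trusted root to the time it becomes acceptable;
    messages maps a message hash to its legacy status or the root it was proven under."""

    def __init__(self, committed_root: bytes, reject_zero_root: bool, now: int = 1_000):
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to initialise with the zero root")
        self.reject_zero_root = reject_zero_root
        self.confirm_at = {committed_root: 1}   # the vulnerable deployment did this with 0x00
        self.messages = {}
        self.now = now
        self.vault = 1_000                      # constructed bridge balance
        self.paid = {}

    def update(self, root: bytes) -> None:
        """An updater commits a new root (the optimistic challenge window is omitted)."""
        self.confirm_at[root] = self.now

    def prove(self, msg: Message, root: bytes) -> None:
        """Honest path: a relayer proves the message under a committed root."""
        if root not in self.confirm_at:
            raise PermissionError("unknown root")
        self.messages[msg.digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if root == LEGACY_STATUS_PROVEN:
            return True
        if root == LEGACY_STATUS_PROCESSED:
            return False
        if self.reject_zero_root and root == ZERO_ROOT:
            return False          # hardening: an absent message must never look proven
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and self.now >= confirm_time

    def process(self, msg: Message) -> None:
        digest = msg.digest()
        status = self.messages.get(digest, ZERO_ROOT)   # unknown hashes read as bytes32(0)
        if not self.acceptable_root(status):
            raise PermissionError("!proven")
        self.messages[digest] = LEGACY_STATUS_PROCESSED
        self.vault -= msg.amount
        self.paid[msg.recipient] = self.paid.get(msg.recipient, 0) + msg.amount


def replay_with_new_recipient(replica: Replica, original: Message, thief: str) -> bool:
    """A copy of a real message with the recipient rewritten; it was never proven."""
    forged = Message(original.sender, thief, original.amount, original.nonce)
    try:
        replica.process(forged)
        return True
    except PermissionError:
        return False


ORIGINAL = Message("alice", "bob", 100, 7)                 # constructed legitimate transfer
SOME_ROOT = hashlib.sha256(b"batch-1").digest()            # constructed committed root


def run(reject_zero_root: bool) -> dict:
    """Honest transfer first, then the forged replay, against either variant."""
    committed = SOME_ROOT if reject_zero_root else ZERO_ROOT
    replica = Replica(committed, reject_zero_root)
    replica.update(SOME_ROOT)
    replica.prove(ORIGINAL, SOME_ROOT)
    replica.process(ORIGINAL)
    forged_paid = replay_with_new_recipient(replica, ORIGINAL, "mallory")
    return {"forgery_paid": forged_paid, "vault": replica.vault, "paid": dict(replica.paid)}


if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```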

Aftermath and impact

Following the attack, activity on the Nomad Bridge virtually ceased. Nomad released a three phase recovery plan: funds recovery, bridge upgrades, and bridge restart and recovered funds distribution.

For the funds recovery, Nomad offered a white hat agreement to all hackers, allowing them to keep up to 10% of stolen funds in exchange for no legal action against them. So far, however, only about $35 million, or 20% of the stolen funds, has been returned.

In December 2022, the Nomad Bridge was relaunched with upgraded smart contracts, KYC verification, and a process for users to claim back some of their stolen funds.


Binance

When: Oct 2022 | Amount: $570,000,000 | Surface: Bridge | Mechanism: Smart contract exploit

What is Binance?

Binance is the world’s largest crypto exchange by volume, and the developers of the decentralized blockchain Binance (BNB) Chain. Binance Chain has some confusing naming, but here’s a brief overview: previously Binance built the Binance Chain, which was designed for token transfers and exchanges but not for general smart contract development. Later, Binance introduced the Binance Smart Chain (BSC) which is EVM compatible. Then there’s the Binance Bridge, which is used to convert tokens between blockchains, and supports assets on both the Binance Chain and Binance Smart Chain.

Deep dive

A proof is required to withdraw money from the Binance Bridge. Somehow, the attacker was able to submit a forged proof and have the bridge send them free BNB. To do so, the attacker exploited an IAVL proof bug in the Tendermint Core used by the Binance Chain and other projects.

Normally, to verify a transaction, the proof must provide a root hash equal to the root hash on the chain. The vulnerability made it possible to include a malicious transaction while still returning the correct root hash. Using this, the attacker sent themselves 2 million BNB.

Aftermath and impact

Following their payday, the attacker deposited 900K BNB into Venus—a DeFi money market protocol—as collateral and used it to borrow various stablecoins. Shortly after the hack, the BSC Chain was temporarily paused, and the attacker was only able to make off with around $100 million of the initial $500+ million haul.

Binance also introduced four governance proposals for the community regarding what to do with the hacker’s frozen funds, whether to autoburn the remaining hacked funds, and two proposals related to bug bounties.


Phishing

What is phishing?

Phishing is a form of social engineering designed to trick people into giving away sensitive information or performing some malicious action. In the context of crypto, this usually means revealing private keys or signing malicious messages and transactions.

Phishing in 2022

A major trend in 2022 was the rise of “phishing-as-a-service” which allowed anyone to become a scammer with mass produced and distributed templates and methods. Today, it’s possible to purchase a variety of drainer scripts and website templates to become a scammer. Attackers also have clones for compromised projects and websites, allowing scammers to quickly take advantage of exploits.

Even as the crypto and white-hat communities evolve and adapt, the phishing community is doing the same. Attacks are becoming more widespread, sophisticated, and ambitious. Some well-known names and projects were targets of phishing attacks including Bored Ape Yacht Club, Kevin Rose, and Seth Green.


Monkey Drainer

When: Oct/Nov 2022 | Amount: $1,000,000+ | Surface: End user wallet | Mechanism: Phishing

Who is Monkey Drainer?

Monkey Drainer is a pseudonymous scammer who has stolen upwards of a million dollars worth of NFTs, including a number of high-profile hauls in 2022: 700 ETH in just 24 hours in October, and another 500 ETH worth of NFTs in November.

Typically, Monkey Drainer’s scams take the form of a fake mint site promoted on Twitter and other platforms. When users connect their wallets to the fake page, it prompts them to set approval for all and steals their tokens.

Deep dive

Monkey Drainer is part of a larger trend in 2022 where phishing became professionalized and turned into a commodity. According to @ZachXBT, Monkey Drainer is selling their drainer contract to aspiring scammers in exchange for a cut of any stolen assets. And it’s not just Monkey Drainer—there are countless other scammers offering smart contract templates to drain users’ wallets. Some even offer end-to-end white glove service, helping with everything from hosting to scripting.

Scams like these are becoming more common, but because they all look similar, they’re easy to identify and avoid. Specifically, they all target end users’ wallets with a couple of variations of transaction attacks:

setApprovalForAll

The setApprovalForAll function gives a smart contract permission to transfer NFTs from a wallet at a later time. Allowing setApprovalForAll is generally safe when interacting with a trusted party such as a reputable NFT marketplace. The danger comes from giving approval to unknown and untrusted third parties, like what many phishing scams try to get users to do.

Seaport signature

The Seaport contract was developed by OpenSea to facilitate NFT transactions. Scammers have exploited the transaction process by getting users to sign messages that list their NFTs for extremely low prices, or no money at all. These scams work because wallets display the messages in a format that is indecipherable to most users.

Aftermath and impact

In March 2023, Monkey Drainer announced they are shutting down. In a message to their Telegram channel, the person or people behind Monkey Drainer wrote that they would be moving on to "something better than ever before."

However, before retiring, Monkey Drainer recommended an alternative to themselves—Venom Drainer—so it's unlikely the trend of phishing templates and services is ending.

In all of these scams, attackers rely on users to sign transactions and messages that they don’t fully understand. Fortunately, the underlying code can be viewed and audited by many web3 security tools used to interpret complex and often unreadable transactions, and warn the user if anything suspicious is happening. Moving forward, security-focused tools will likely play a much larger role in how users navigate web3.


Bored Ape Yacht Club Instagram & Discord

When: Apr/Jun 2022 | Amount: $3,360,000 | Surface: End user wallet | Mechanism: Phishing

What is Bored Ape Yacht Club?

Bored Ape Yacht Club (BAYC)—the sought-after NFT collection developed by Yuga Labs—has become a cultural icon, owned by crypto enthusiasts and celebrities alike, including Justin Bieber, Serena Williams, and Jimmy Fallon. BAYC is also one of the most valuable NFT collections, with Apes routinely being sold for $100,000 and more. A side effect of BAYC’s popularity is that it has become the target of sophisticated social engineering attacks and a handful of high-profile heists, including an Ape phished out of Seth Green's control last May.

Deep dive

Like many NFT communities, BAYC uses Instagram, Twitter, and Discord as hubs for communication among Ape holders and the project’s founders. By hacking these official accounts and communication channels, attackers could direct BAYC owners to malicious (but seemingly legitimate) pages and steal their NFTs.

In April, the official Bored Ape Instagram account was hacked and posted links to phishing sites featuring a new mint. Once a user connected their wallet, they were prompted to sign a setApprovalForAll transaction and the contract would steal their Apes. Shortly after, the BAYC Twitter account posted a notice disclosing the hack, but not before a handful of users fell victim to the scam. All in all, over 100 NFTs were stolen including four Apes.

Later in June, the BAYC Discord was hacked (via the BAYC community manager’s compromised account) and the attackers implemented a similar scam, posting links to fake phishing pages.

Aftermath and impact

The BAYC hacks are part of a 2022 trend of scammers using more sophisticated levels of social engineering to phish users. In the past year, scammers have compromised official communications channels through hacking accounts, like in the case of BAYC, but also through methods such as DNS attacks. In both cases, it can be difficult for users to tell they are being phished because the information is (seemingly) coming from a trustworthy source.


Seth Green

When: May 2022 | Amount: $100,000 | Surface: End user wallet | Mechanism: Phishing

What happened to Seth Green?

Prior to the phishing incident, Family Guy actor and producer Seth Green was working on a new series, White Horse Tavern, that would star Seth Green’s Bored Ape as the main character. Unfortunately, in May 2022, Green shared on Twitter that he had been phished and lost four NFTs including the ape he intended to feature in his show.

NFT copyright

This incident raised some questions around copyright law and whether Green would be able to continue developing a show around an NFT he no longer owned. BAYC was one of the first NFT collections to give owners full copyright control over their Apes, which enabled Ape holders to do everything from sell merch to create TV shows starring their Ape. Green threatened to sue the person who bought his stolen Ape. However, the two reached an agreement and Green ended up repurchasing his ape, though for almost $100,000 more than he originally paid for it.


Bonus: Kevin Rose

When: Jan 2023 | Amount: $1,400,000 | Surface: End user wallet | Mechanism: Phishing

Who is Kevin Rose?

Kevin Rose is best known for previously founding the social news site, Digg, as well as the intermittent-fasting app, Zero. Kevin is also the CEO and founder of PROOF, the company behind the Moonbirds NFT project. Kevin is a pioneer in the web3 space, and by all metrics, a crypto power user. His recent phishing incident shows that even the most experienced users can fall victim to scams.

What happened?

Early in 2023, Kevin Rose was phished and lost over 35 NFTs worth more than $1.4 million. Kevin was a victim of a Seaport signature attack, a common but often difficult to identify phishing attack. Here’s what went down:

Seaport approvals

Seaport is a marketplace protocol developed by OpenSea to facilitate NFT sales and transfers. When listing an NFT for sale, users need to give approval to Seaport. A Seaport listing has two components: an offer and a consideration. An offer is the token being listed for sale (a Bored Ape for example). A consideration is what the seller wants in exchange for the token, usually ETH or WETH.

An approval allows OpenSea to transfer the NFTs in the case of a sale. Allowing this approval isn’t harmful—in fact, it’s necessary to sell NFTs. However, it can be thought of as leaving the front door unlocked. With some social engineering, attackers can exploit this approval to steal NFTs.

How Kevin Rose got phished

At some point in the past, Kevin set approvals for some of his NFTs—namely his Autoglyphs, Squiggles, and others that were stolen in the attack. This is fine on its own, but attackers were able to trick him into signing a gasless signature.

Gasless signatures aren’t immediately broadcast, and aren’t broadcast at all in some cases. This can make them seem harmless, but they are far from safe. Kevin signed a gasless signature from a phishing site that set the consideration to 0.001 ETH—the equivalent of buying Kevin’s NFTs for free!

The signature alone can’t do anything, but since Kevin had previously given Seaport approval and permission to transfer his NFTs, the attacker was able to submit the gasless signature to Seaport and receive Kevin’s NFTs for 0.001 ETH.
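
The two checks a simulation or signing-guard extension would run on the setApprovalForAll and Seaport signature patterns above, written in Python as an added example (not code from any of the tools or from OpenSea). The contract addresses, floor prices and the 50% threshold are constructed placeholders; the setApprovalForAll selector and the Seaport ItemType values are the real ones:

```python
WEI = 10 ** 18
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"   # keccak256("setApprovalForAll(address,bool)")[:4]
NATIVE, ERC20, ERC721, ERC1155 = 0, 1, 2, 3   # Seaport ItemType enum values
MIN_CONSIDERATION_RATIO = 0.5                # assumed: warn below half of floor value

# Constructed placeholder addresses; a real tool would load these from a maintained list.
TRUSTED_OPERATORS = {"0x" + "11" * 20: "marketplace conduit (placeholder)"}
WETH = "0x" + "22" * 20
FLOOR_PRICE_WEI = {"0x" + "33" * 20: 50 * WEI}   # collection -> floor price, constructed


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encodes setApprovalForAll(operator, approved) to build sample calldata."""
    words = operator[2:].lower().rjust(64, "0") + ("1" if approved else "0").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + words


def decode_set_approval_for_all(calldata: str):
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 136 or data[:8] != SET_APPROVAL_FOR_ALL_SELECTOR:
        return None
    operator = "0x" + data[32:72]             # address occupies the low 20 bytes of word 1
    approved = int(data[72:136], 16) == 1
    return operator, approved


def check_transaction(calldata: str) -> list:
    """Warns when setApprovalForAll(operator, true) targets an operator outside the allowlist."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return []
    operator, approved = decoded
    if approved and operator not in TRUSTED_OPERATORS:
        return [f"setApprovalForAll hands every token in the collection to unknown operator {operator}"]
    return []


def check_seaport_order(order: dict) -> list:
    """order mirrors Seaport's OrderComponents: offerer, offer[] and consideration[].
    Items are {itemType, token, startAmount[, recipient]} with amounts in wei."""
    warnings = []
    offered_floor = 0
    for item in order["offer"]:
        if item["itemType"] in (ERC721, ERC1155):
            floor = FLOOR_PRICE_WEI.get(item["token"])
            if floor is None:
                warnings.append(f"no floor price known for {item['token']}")
            else:
                offered_floor += floor * item["startAmount"]
    received = 0
    for item in order["consideration"]:
        paid_in_eth = item["itemType"] == NATIVE or (item["itemType"] == ERC20 and item["token"] == WETH)
        if paid_in_eth and item["recipient"] == order["offerer"]:
            received += item["startAmount"]      # only value that actually reaches the seller counts
    if offered_floor and received < MIN_CONSIDERATION_RATIO * offered_floor:
        warnings.append(f"listing offers ~{offered_floor / WEI:.3f} ETH of floor value "
                        f"but the seller receives only {received / WEI:.3f} ETH")
    return warnings


# Constructed sample orders.
SELLER = "0x" + "aa" * 20
COLLECTION = "0x" + "33" * 20


def nft(token: str) -> dict:
    return {"itemType": ERC721, "token": token, "startAmount": 1}


def eth(amount_wei: int, recipient: str) -> dict:
    return {"itemType": NATIVE, "token": "0x" + "00" * 20, "startAmount": amount_wei, "recipient": recipient}


# Two NFTs listed for 0.001 ETH in total, the pattern described for the Kevin Rose case.
PHISHING_ORDER = {"offerer": SELLER, "offer": [nft(COLLECTION), nft(COLLECTION)],
                  "consideration": [eth(WEI // 1000, SELLER)]}
FAIR_ORDER = {"offerer": SELLER, "offer": [nft(COLLECTION)],
              "consideration": [eth(55 * WEI, SELLER)]}

if __name__ == "__main__":
    print(check_transaction(encode_set_approval_for_all("0x" + "ee" * 20, True)))
    print(check_seaport_order(PHISHING_ORDER))
    print(check_seaport_order(FAIR_ORDER))
```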

How to stay safe

Signing approval to Seaport is necessary to sell on OpenSea so avoiding Seaport approvals isn’t a great solution, and not feasible for many. Rather, identifying the malicious signatures that attempt to buy NFTs for free is a better path.

Thankfully, there are many great extensions that will simulate and translate signatures, taking the guesswork out of signing. In addition to using an extension, some other best practices include:

  • Never sign messages or transactions from wallets that hold NFTs—use a service like delegate.cash instead
  • Keep track of and revoke open approvals using approvals.xyz

Other attacks

DeFi attack vectors

As a new technology, crypto has brought along new surfaces to target and new mechanisms for attack. Some methods, such as governance attacks and price oracle manipulation, are novel strategies specific to the nature of crypto. Other attacks exploited vulnerabilities in tools and services used by crypto projects.

Crypto exchanges, wallets, and other services are complex and rely on tools outside of their direct control. 2022 has highlighted that, no matter how security conscious a crypto company is, there will always be vulnerabilities. Some things are simply out of a project’s control. Users need ways to protect themselves, no matter what happens to the products they use.


Profanity

When: Sep 2022 | Amount: $3,000,000+ | Surface: End user wallet | Mechanism: Cryptography exploit

What is Profanity?

Profanity is a vanity wallet address generator that allows users to create wallets with an address containing a specific word/phrase. For example, 0x1234566EC7ab88b098defB751B7401B5f6d8976F could be a vanity address containing “123456.” Broadly, vanity address generators work by generating many public/private key pairs and searching for one with the desired word/phrase.

Vanity address services in general pose a security risk because the generator may be holding onto the private keys. The safest way to create a vanity address would be to generate one yourself.

Deep dive

How does Profanity work?

To understand how Profanity was exploited, it’s necessary to understand how the tool worked to generate vanity addresses. The following is a simplified version of how Profanity works:

  1. Generate random private key, d — then calculate corresponding public key, q
  2. If q matches the user criteria (e.g., has n leading zeros), then return the private key and address for the user
  3. If there is no match, add 1 to the private key (d + 1) and get a new corresponding address
  4. A property of cryptography is if 1 is added to d, then some known constant G is added to the public key. Thus, when iterating over many public/private key pairs, it is not necessary to do the individual calculations. Instead, the known constant G can be added/subtracted until a match is found. This property makes it possible to easily find the private key for a public key given the approximate value (within about 115) of the private key.

Profanity’s vulnerability

Profanity’s vulnerability was in how the generator seeded private keys. Profanity used a random 32-bit vector to seed private keys, meaning there are only 2^32 possible seed values (approximately 4.3 billion). A billion is a big number, but not impossible for a computer to compute.

This, along with the fact that the address generation process is reversible, meant that it was possible to brute force the private key from any public key generated by Profanity.

Aftermath and impact

The Profanity vulnerability was publicly disclosed in September by 1inch. In their report, 1inch researchers detailed how addresses generated by Profanity were at risk and warned users that their money was “NOT SAFU” and recommended them to generate new wallets without using Profanity.

While it’s hard to tell how many wallets were exploited as a result of the Profanity vulnerability, crypto-sleuth @ZachXBT was able to track down one attacker who stole $3.3 million by targeting Profanity-generated addresses. In addition, the Wintermute hack that occurred later in September was also attributed to a wallet generated by Profanity.


Wintermute

When: Sep 2022 | Amount: $160,000,000 | Surface: End user wallet | Mechanism: Supply chain

What is Wintermute?

Wintermute is a crypto market maker and provides liquidity for various exchanges including Coinbase, Kraken, and Binance. Wintermute provides OTC (over-the-counter) trading services and operates an OTC trading platform called Node. In September, one of Wintermute’s hot wallets was hacked for $160 million.

Deep dive

The hack was due to a vulnerability in Profanity, a vanity wallet address generator. The week before the hack, researchers at 1inch published a report detailing a critical vulnerability (detailed above) in Profanity, where attackers could get private keys from any public key the service generated.

While Wintermute was using Profanity for gas optimization rather than vanity, their wallets were still at risk. When the vulnerability was disclosed, Wintermute took steps to transition out of their Profanity wallets but 10 accounts were missed due to “human error.” Unfortunately, the error resulted in one of Wintermute’s hot wallets being exploited for $160 million.

Aftermath and impact

The affected hot wallet was part of Wintermute’s DeFi operations. When CEO Evgeny Gaevoy announced the hack on Twitter, he noted that Wintermute’s non-defi operations were unaffected. OTC operations were paused for a few hours, but quickly resumed. Gaevoy also noted that Wintermute remained solvent with over $350 million in equity.

Overall, while the attack was large, the impact on the crypto ecosystem was limited due to Wintermute’s strong financial position and the attack being isolated to a company’s hot wallet rather than user funds.


Mango Markets

When: Oct 2022 | Amount: $116,000,000 | Surface: Exchange | Mechanism: Oracle manipulation

What is Mango Markets?

Mango Markets is a trading platform built on Solana. It allows users to lend, borrow, swap, and trade assets with leverage. The platform’s governance token is $MNGO, governed by Mango DAO.

Deep dive

Mango Markets was drained of over $100 million when an attacker manipulated the spot price of MNGO, inflating it and using it as collateral to withdraw properly priced assets from the exchange. This is the step-by-step:

  1. The attacker funded two wallets with $5 million USDC
  2. Wallet #1 offered to sell 438 million MNGO-PERPs at $0.038
  3. Wallet #2 bought the position
  4. The attacker then placed multiple large trades on several exchanges (Mango Markets, FTX, AscendEX) to manipulate the price of MNGO
  5. As a result, the price of MNGO on Mango Markets skyrocketed to a high of $0.91
  6. Wallet #2 used the now-inflated MNGO position as collateral to withdraw $116 million
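
As an added illustration (not code from the report or from Mango Markets), the following models why a venue that values collateral at the last spot print is exposed to the sequence above, and how a time-weighted average with a deviation circuit breaker bounds the damage. The collateral factor, averaging window and deviation threshold are assumed values; the price samples are constructed to mirror the MNGO figures in the text.

```javascript
// Added example: collateral valuation from a raw spot print versus a
// time-weighted average (TWAP) guarded by a deviation circuit breaker.
// All prices are constructed to mirror the MNGO figures in the report.

// Time-weighted average of the last `window` samples (equal spacing assumed).
function twap(samples, window) {
  const recent = samples.slice(-window);
  return recent.reduce((sum, p) => sum + p, 0) / recent.length;
}

// Price the venue should use for collateral. If spot has moved more than
// `maxDeviation` (a fraction) away from the TWAP, refuse to value the
// collateral at all: the venue pauses new withdrawals instead of trusting it.
function collateralPrice(samples, window, maxDeviation) {
  const spot = samples[samples.length - 1];
  const avg = twap(samples, window);
  if (Math.abs(spot - avg) / avg > maxDeviation) return null;
  return Math.min(spot, avg); // never value collateral above the average
}

// Borrowing capacity in USD for a position, given a collateral factor (assumed 0.5).
function borrowCapacity(amount, price, collateralFactor) {
  if (price === null) return 0;
  return amount * price * collateralFactor;
}

// Constructed sample: 19 prints near $0.038, then the spike to $0.91.
const MNGO_PRICES = [...Array(19).fill(0.038), 0.91];
const MNGO_POSITION = 438_000_000; // the 438M MNGO position from the report

// Capacity if the venue trusts the last print (the manipulated spot).
function naiveCapacity() {
  return borrowCapacity(MNGO_POSITION, MNGO_PRICES[MNGO_PRICES.length - 1], 0.5);
}
// Capacity under the guarded oracle: the spike trips the breaker, nothing is lendable.
function guardedCapacity() {
  return borrowCapacity(MNGO_POSITION, collateralPrice(MNGO_PRICES, 20, 0.25), 0.5);
}
// Capacity on the same position before the spike, for comparison.
function preSpikeCapacity() {
  return borrowCapacity(MNGO_POSITION, collateralPrice(MNGO_PRICES.slice(0, 19), 20, 0.25), 0.5);
}
```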

Aftermath and impact

Shortly after, the attacker made a proposal asking for 70 million USDC as bug bounty. In response, the Mango team proposed that the hacker send back $67 million and the Mango DAO treasury contribute the remaining funds to make users whole. The second proposal passed with overwhelming support.


Beanstalk

When: Apr 2022 | Amount: $182,000,000 | Surface: Stablecoin | Mechanism: Governance

What is Beanstalk?

Beanstalk is a “credit-based algorithmic stablecoin protocol” that uses credit instead of collateral to issue currency. Typically, there is a high cost to issuing stablecoins, because they require collateral to be locked up. Beanstalk attempts to solve this problem with credit-based issuance, which backs up the Bean stablecoin with the credit-worthiness of the borrower rather than any deposited collateral.

Deep dive

The attacker targeted Beanstalk’s governance system, specifically the emergencyCommit() function, which allows a proposal backed by a supermajority (⅔) vote to bypass the normal 7-day voting period. To gain a supermajority vote, the attacker leveraged a flash loan. Here’s how it went down:

First, the attacker deposited ~212k BEAN in order to be able to create a Beanstalk Improvement Proposal (governance proposal). Then the attacker took out a ~$1 billion flash loan and used the tokens from the loan to receive whitelisted assets that could be deposited for governance voting power. With the massive flash loan, the attacker temporarily gained a supermajority voting share and passed an emergency proposal to send themselves approximately $182 million of assets from Beanstalk. Roughly $106 million was used to pay back the flash loan and the remaining $76 million was profit for the attacker.
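
To show the governance defect in code, here is an added example (not Beanstalk’s contracts) of a minimal voting model in which the emergency path counts live balances, beside a hardened variant that only counts the balances snapshotted when the proposal was created. The token amounts are constructed, loosely following the figures above.

```javascript
// Added example: why counting votes from live balances lets a one-transaction
// flash loan reach a supermajority, while a snapshot of balances taken at
// proposal creation does not. Amounts are constructed (attacker ~212k, then
// ~1 billion borrowed for a single transaction).

const SUPERMAJORITY = 2 / 3;

// balances: Map<voter, voting power>. The snapshot is a frozen copy.
function propose(balances, proposer) {
  return { proposer, snapshot: new Map(balances), votes: new Set([proposer]) };
}

function totalPower(balances) {
  let total = 0;
  for (const power of balances.values()) total += power;
  return total;
}

function votedPower(proposal, balances) {
  let total = 0;
  for (const voter of proposal.votes) total += balances.get(voter) ?? 0;
  return total;
}

// Vulnerable rule: the emergency path reads balances as they are right now,
// so a balance that exists only for the duration of this transaction counts.
function emergencyCommitLive(proposal, balances) {
  return votedPower(proposal, balances) / totalPower(balances) >= SUPERMAJORITY;
}

// Hardened rule: only power held at proposal creation counts, so tokens
// acquired afterwards (borrowed or bought) cannot move the vote.
function emergencyCommitSnapshot(proposal) {
  const snap = proposal.snapshot;
  return votedPower(proposal, snap) / totalPower(snap) >= SUPERMAJORITY;
}

// Constructed scenario: proposal created, then a flash loan inside one transaction.
function runScenario() {
  const balances = new Map([['community', 10_000_000], ['attacker', 212_000]]);
  const proposal = propose(balances, 'attacker');
  balances.set('attacker', 212_000 + 1_000_000_000);   // flash-loaned deposit
  const result = {
    live: emergencyCommitLive(proposal, balances),      // borrowed power counted
    snapshot: emergencyCommitSnapshot(proposal),        // 212k of ~10.2M: rejected
  };
  balances.set('attacker', 212_000);                    // loan repaid, same transaction
  return result;
}
```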

Aftermath and impact

Beanstalk is an interesting case study in crypto’s governance vulnerabilities. Even though the emergencyCommit() functionality required a 1-day waiting period, the malicious proposals were sufficiently obfuscated and went unnoticed by the Beanstalk community.

Post-exploit, Beanstalk underwent a “replanting” process that included raising money, redesigning the governance structure, moving to a multisig wallet, and completing audits. The protocol was relaunched in August, four months after the attack.


Slope Wallet

When: Aug 2022 | Amount: $4,100,000 | Surface: End user wallet | Mechanism: Off-chain exploit

What is Slope Wallet?

Slope Wallet is a cross-platform wallet built for Solana. It allows users to store both Solana and Ethereum assets.

Deep dive

In August of 2022, Solana users began reporting that funds were mysteriously disappearing from their wallets. There was lots of uncertainty around what the cause was and Solana cofounder Anatoly Yakovenko used the term “supply chain attack” to speculate that attackers may have exploited a vulnerability in iOS to steal Slope users’ private keys.

However, as the situation unfolded, it became clear that the problem was not isolated to iOS users. Rather, it seems the missing funds were the result of how Slope was storing its user data. The Slope app was sending user private keys to an internal Sentry server and storing them in plaintext. This meant that anyone with access to the server could see the logs containing user private keys. Thus, if attackers were able to access the Sentry server through an off-chain exploit, they could find a treasure trove of user keys.
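
The defensive control that was missing here is a scrubber that redacts wallet secrets before a crash or telemetry event ever leaves the device. The following is an added example (not Slope’s code): a scrubber of the shape that Sentry’s JavaScript SDKs accept as the `beforeSend` hook; the regular expressions are heuristics and the sample event is constructed.

```javascript
// Added example: redact wallet secrets from a telemetry event object before it
// is sent. Patterns are heuristics; the sample event is constructed.

const SECRET_PATTERNS = [
  // 32-byte hex private key, with or without a 0x prefix
  { name: 'hex-private-key', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g },
  // base58-encoded 64-byte Solana secret key (87 or 88 characters)
  { name: 'base58-secret-key', re: /\b[1-9A-HJ-NP-Za-km-z]{87,88}\b/g },
  // 12 or 24 lowercase words separated by single spaces (mnemonic-shaped)
  { name: 'mnemonic', re: /\b(?:[a-z]{3,8} ){11}[a-z]{3,8}(?: (?:[a-z]{3,8} ){11}[a-z]{3,8})?\b/g },
];

function scrubString(s, hits) {
  let out = s;
  for (const { name, re } of SECRET_PATTERNS) {
    out = out.replace(re, () => { hits.push(name); return `[REDACTED:${name}]`; });
  }
  return out;
}

// Walk any JSON-like value: strings are scrubbed, arrays and objects recursed into.
function scrubValue(value, hits) {
  if (typeof value === 'string') return scrubString(value, hits);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, hits));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, hits);
    return out;
  }
  return value;
}

// beforeSend-style hook: returns the scrubbed event plus the names of the
// patterns that fired, so a test can assert that no secret shape survives.
function scrubEvent(event) {
  const hits = [];
  return { event: scrubValue(event, hits), hits };
}

// Constructed sample event: what a careless "restore failed" log might carry.
const SAMPLE_EVENT = {
  message: 'wallet restore failed',
  extra: {
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    key: '0x' + 'ab'.repeat(32),
  },
  breadcrumbs: [{ message: 'user id 42' }],
};
```

The hook returns a new object and leaves the original untouched, so the unscrubbed event is never handed to the SDK by accident.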

Aftermath and impact

Amid the confusion and speculation, Slope published a post-mortem acknowledging the vulnerability but maintained that there is “no conclusive evidence to link the Slope vulnerability to the exploit,” though the suspected vulnerability was still patched. Since their initial statements following the breach, Slope has gone silent on official communications, related or unrelated to the incident.


Premint

When: Jul 2022 | Amount: $375,000 | Surface: End user wallet | Mechanism: Off-chain exploit

What is Premint?

Premint is an allowlisting platform for NFT projects to gate access to mints. Without gating access, NFT drops are susceptible to bot accounts that immediately mint all the NFTs at launch. Premint is used by many high profile NFT projects, including Moonbirds, Proof, and CoolCats.

Deep dive

In July 2022, the Premint website was compromised: an attacker was able to upload malicious code that prompted users to connect their wallet and sign a transaction that set approval for all of their NFTs (setApprovalForAll) to the attacker, who could then transfer them out. While the exploit was live, six users signed the malicious transactions and lost their NFTs. The hacker was able to sell the stolen assets for ~270 ETH.

Aftermath and impact

Premint later announced they would reimburse users who had their NFTs stolen at the floor price. CEO Brenden Mulligan noted that compensating victims of a hack might have “a negative long-term effect” because it “doesn’t teach people a lesson.” There is a difficult line to draw as to when it’s the user’s responsibility to keep their assets safe, especially when a platform that users trust is hacked. In addition to compensation, Premint acquired Vulcan, a wallet authentication tool, to further increase security.


Euler Finance

When: Mar 2023 | Amount: $197,000,000 | Surface: Lending protocol | Mechanism: Smart contract exploit

What is Euler Finance?

Euler Finance is a permissionless borrowing and lending protocol built on Ethereum. It allows users to determine which assets are listed and available to trade.

Deep dive

On Euler, there are eTokens (representing collateral) and dTokens (representing debt). The attacker exploited a flaw in Euler's donateToReserves function that failed to properly enforce the conversion rate between borrowed assets and collateral assets. Here's a step-by-step of what happened:

  1. The attacker obtained a 30M DAI flashloan from Aave
  2. The attacker deployed two contracts—a borrower and a liquidator
  3. The borrower deposited 20M DAI into Euler and used Euler's leverage to create ~195M eDAI and 200M dDAI
  4. The borrower then repaid 10M DAI, reducing the dDAI balance by 10M
  5. The borrower opened another leveraged position, created an additional ~195M eDAI and 200M dDAI
  6. The borrower donated 100M eDAI, putting itself in a position for liquidation as eDAI > dDAI and also skewing the conversion rate
  7. The liquidator contract liquidated the borrower's position, gaining all of the eDAI but only a portion of the dDAI, resulting in a final withdraw of 38.9M DAI post-fees

The attacker repeated this process with other assets and, in total, nearly $200 million was stolen from the Euler protocol.
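
As an added example (a simplified model, not Euler's contracts), the following replays the borrower's steps above against an account whose position is healthy while collateral × collateral factor ≥ debt. The unchecked donate() mirrors the defect described: an action that removes collateral without a post-action health check; donateChecked() is the hardened form. The collateral factor of 0.96 is an assumed value chosen so that the two leveraged mints stay just healthy.

```javascript
// Added example: a simplified eToken/dToken account model. Amounts are in
// millions of DAI and follow the report's step list; the collateral factor
// is assumed.

const COLLATERAL_FACTOR = 0.96; // assumed: 1 eDAI supports 0.96 dDAI of debt

function isHealthy(acct) {
  return acct.eDAI * COLLATERAL_FACTOR >= acct.dDAI;
}

// "Mint": borrow and redeposit in one step, creating eDAI and dDAI together.
// This path checks health afterwards, as a lending protocol should.
function mint(acct, eAmount, dAmount) {
  const next = { eDAI: acct.eDAI + eAmount, dDAI: acct.dDAI + dAmount };
  if (!isHealthy(next)) throw new Error('mint would leave account unhealthy');
  return next;
}

function repay(acct, amount) {
  return { eDAI: acct.eDAI, dDAI: acct.dDAI - amount };
}

// Vulnerable: collateral leaves the account with no health check afterwards,
// so the caller can push itself underwater at will.
function donate(acct, eAmount) {
  return { eDAI: acct.eDAI - eAmount, dDAI: acct.dDAI };
}

// Hardened: same action, but it refuses to complete if the account ends unhealthy.
function donateChecked(acct, eAmount) {
  const next = donate(acct, eAmount);
  if (!isHealthy(next)) throw new Error('donation would leave account liquidatable');
  return next;
}

// Replays the borrower's sequence from the report (steps 3 to 6).
function replayBorrower(useCheckedDonate) {
  let acct = { eDAI: 20, dDAI: 0 };       // deposit 20M DAI
  acct = mint(acct, 195, 200);             // ~195M eDAI, 200M dDAI
  acct = repay(acct, 10);                  // dDAI 200 -> 190
  acct = mint(acct, 195, 200);             // second leveraged position
  acct = (useCheckedDonate ? donateChecked : donate)(acct, 100);
  return { ...acct, healthy: isHealthy(acct) };
}
```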

Aftermath and impact

Euler announced a $1 million reward for the attacker's arrest and the return of stolen funds. In addition, there has been scrutiny of Euler's auditor—Sherlock—who worked with Euler to review their code. Sherlock shared that the two worked together to help Euler submit a claim and receive a $4.5 million payout in response to the exploit.


DNS

What is DNS?

The domain name system (DNS) is a database of internet domain names. It functions similarly to a phonebook, linking domain names (e.g. www.example.com) to IP addresses (e.g. 192.158.1.38). In order to connect to a server, an IP address is required; DNS allows people to use words instead of numbers to reach any given server.

DNS providers such as Amazon Route 53 and Cloudflare DNS process requests by translating domain names into IP addresses, and ultimately controlling what server a user will access.

What is a DNS attack?

In a DNS attack, attackers exploit vulnerabilities in a DNS provider or compromise the credentials used to change DNS configurations. In the recent crypto DNS attacks, attackers changed which server end users reach when they enter a domain name. This means that users entering legitimate domain names could still land on a malicious page, because the IP address associated with the name had been altered.

The covert nature of DNS attacks makes them difficult to detect. In many cases, attackers will reroute domain names to clones of the original page, making the end user experience nearly identical. After rerouting users to a malicious version of the original site, attackers can steal user information and prompt them to sign malicious transactions.


Curve

When: Aug 2022 | Amount: $530,000 | Surface: End user wallet | Mechanism: DNS

What is Curve?

Curve is a decentralized exchange, similar to Uniswap, that uses an automated market maker to provide liquidity for swapping assets. A key difference between Curve and Uniswap is that Curve is made specifically for stablecoins. While Uniswap allows for swapping any ERC-20 token, Curve only supports a variety of stablecoins built on Ethereum.

Deep dive

Attackers compromised Curve’s nameserver (allegedly iwantmyname) and changed Curve’s IP to a malicious one. As a result, going to curve.fi redirected to a malicious site. To make matters worse, the attackers created a clone of Curve’s legitimate website to make it near impossible for users to tell they were being tricked.

When on the compromised webpage, users were prompted to approve malicious contracts that stole their assets. Despite Curve identifying and calling out the exploit within an hour, the attacker was able to steal $530,000 worth of assets.

Aftermath and impact

Even though Curve was able to quickly revert the exploit, users were advised to take precautions such as using curve.exchange rather than curve.fi until all DNS records across the world were updated. This exploit was part of a larger trend in 2022 where attackers broadened the sophistication of their attack mechanisms. Increasingly, a market and ecosystem has formed around selling exploits and scams as services. It is not uncommon to see landing page clones and templates for compromised websites for sale.


Celer

When: Aug 2022 | Amount: $240,000 | Surface: End user wallet | Mechanism: DNS

What is Celer?

Celer is a blockchain interoperability protocol working to scale layer-2 infrastructure and provide developers with ways to create native inter-chain dApps. Celer also has a bridge, the cBridge, built on the network.

Deep dive

Just a few days after Curve was hacked in a DNS attack, Celer’s cBridge was hit with a similar attack. The attacker redirected cBridge users to interact with malicious contracts that would drain their wallets. The bridge was quickly shut down after initial reports of suspicious activity. Celer also went on Twitter to share the addresses of the malicious contracts and instructed users to revoke approvals.

Aftermath and impact

In total, 128 ETH worth of assets were stolen, though Celer later compensated users who lost funds.

The Celer attack and the Curve DNS hijacking are examples of DeFi projects being compromised outside of the protocol itself. Neither attack was a smart contract exploit—rather, attackers exploited areas that weren’t controlled by the protocol, such as the underlying internet architecture. Both highlight the importance of having good information about what types of transactions you are signing.
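
The Premint, Curve and Celer incidents all ended the same way: a user on a page they trusted signed an approval that handed an attacker control of their assets. As an added example (not code from any of those projects or from the report), here is the check a wallet or browser extension can run on pending calldata before the signing prompt, covering ERC-721/1155 setApprovalForAll(address,bool) and ERC-20 approve(address,uint256). The operator allowlist and the sample calldata are constructed.

```javascript
// Added example: decode approval calldata and flag blanket approvals to
// unfamiliar operators. Selectors are the standard ones; allowlist is constructed.

const SELECTORS = {
  'a22cb465': 'setApprovalForAll', // keccak256("setApprovalForAll(address,bool)")[:4]
  '095ea7b3': 'approve',           // keccak256("approve(address,uint256)")[:4]
};
const UINT256_MAX = (1n << 256n) - 1n;

// Operators the user is expected to approve (constructed placeholder address).
const KNOWN_OPERATORS = new Set(['0x1111111111111111111111111111111111111111']);

function word(hex, i) {            // i-th 32-byte ABI word after the 4-byte selector
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Returns null if the call is not an approval; otherwise a risk report.
function assessApproval(data) {
  const hex = data.replace(/^0x/, '').toLowerCase();
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 128) return null;
  const operator = '0x' + word(hex, 0).slice(24);   // address is the low 20 bytes
  const arg = BigInt('0x' + word(hex, 1));
  const granted = fn === 'setApprovalForAll' ? arg === 1n : arg > 0n;
  const unlimited = fn === 'setApprovalForAll' ? granted : arg === UINT256_MAX;
  return {
    fn, operator, granted, unlimited,
    knownOperator: KNOWN_OPERATORS.has(operator),
    // Warn when an unfamiliar operator would receive blanket control.
    warn: granted && unlimited && !KNOWN_OPERATORS.has(operator),
  };
}

// Minimal ABI encoder used here to construct sample calldata (selector + padded args).
function encodeApprovalCall(fn, operator, value) {
  const sel = Object.keys(SELECTORS).find((k) => SELECTORS[k] === fn);
  const addr = operator.replace(/^0x/, '').toLowerCase().padStart(64, '0');
  const val = value.toString(16).padStart(64, '0');
  return '0x' + sel + addr + val;
}
```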


Part 2 of this report on security tooling will be published next week.
