The Ledger Hack: An Incident with Major Implications for Crypto Security

The cryptocurrency world was shaken by a significant security breach involving Ledger, a leading wallet provider, on December 14. 

This incident, as explained by Ledger CEO Pascal Gauthier, not only highlights the vulnerabilities in the crypto ecosystem but also the importance of advanced security measures. 

Let’s delve into the details of this event, its implications, and the responses from Ledger and the wider community.

The Incident 

Pascal Gauthier, in a post on Ledger’s blog and a tweet on his X (formerly Twitter) account, described the hack as an “isolated incident.” 

The hack was swift but impactful: it affected third-party decentralised applications (DApps) for less than two hours, and it was deactivated within 40 minutes of its detection. 

The breach occurred due to a phishing attack on a former employee whose identity was unintentionally left in the hacked code. 

This vulnerability did not impact Ledger’s hardware wallets or the Ledger Live platform.

Mechanics of the Ledger Exploit

As explained in various public statements, including one on Ledger’s X account, the attacker inserted malicious code into several app interfaces. 

This code tricked users into making unauthorised transactions, leading to the theft of at least $484,000. 

The hacker accessed a former Ledger employee’s node package manager JavaScript (NPMJS) account and then uploaded a malicious update to Ledger Connect’s GitHub repository. 

This led to the unwitting distribution of the harmful code among users of Web3 apps like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash.

Extent of the Damage

Initially estimated at $484,000, the damage was later updated to $504,000, as reported by Web3 security service Blockaid.

The hacker manipulated transaction data, misleading users into approving transactions that directed funds to the hacker’s own accounts.

This technique affected a wide range of Ethereum Virtual Machine users who interacted with the compromised DApps.

Ledger’s Response and Future Measures

Gauthier committed to implementing stronger security controls and enhancing software supply chain security. 

He stressed that Ledger’s standard practice involves thorough internal reviews and multi-signature requirements for code deployment. 

Ledger Connect Kit 1.1.8 was announced as safe, and gratitude was extended to WalletConnect, Tether, Chainalysis, and ZachXBT for their support.

Broader Implications for the Crypto World

The breach has potential implications for the entire Ethereum Virtual Machine ecosystem. 

It demonstrates the sophisticated methods employed by cybercriminals in the crypto space and the need for heightened security awareness. 

The core of the Ledger hack revolved around the manipulation of transaction data in users’ wallets. 

The attacker employed malicious code to display confusing and misleading transaction information. This deceitful data led users to unknowingly approve transactions that were actually in favour of the attacker.

Ledger hack token approval. Source Etherscan

The Role of Connect Kits in Web3 Applications

In the realm of Web3 applications, developers commonly use open-source “connect kits.” 

These kits serve as a bridge, allowing apps to interface with users’ wallets. 

They are essentially pre-written code packages that developers can integrate into their apps, saving time and resources that would otherwise be spent on writing this connection code from scratch. 

Ledger’s Connect Kit is one such tool used for this purpose.

When a developer builds a Web3 app, they typically incorporate a connect kit through a node package manager. 

After creating the app and uploading it to their website, the connect kit becomes part of the app’s codebase. This means that whenever a user visits the app’s site, the connect kit code is downloaded into their browser.
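How an app declares this dependency decides whether a newly published kit release enters the next build unreviewed. The following is an added example, not code from the original article or from Ledger; the package name `example-connect-kit`, the versions and the digest string are constructed placeholders.

```javascript
// Added example: audit how a Web3 app pins its wallet connect kit.
// Inputs are the parsed package.json and package-lock.json (lockfile v2/v3 layout).
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

function auditPins(packageJson, lockfile, watched) {
  const findings = [];
  for (const name of watched) {
    const spec = (packageJson.dependencies || {})[name];
    if (spec === undefined) continue; // not a direct dependency of this app
    // A range such as ^1.1.0 or "latest" accepts releases nobody has reviewed yet.
    if (!EXACT_VERSION.test(spec)) {
      findings.push({ name, issue: "floating-range", detail: spec });
    }
    const locked = (lockfile.packages || {})[`node_modules/${name}`];
    if (!locked) {
      findings.push({ name, issue: "not-in-lockfile", detail: "" });
      continue;
    }
    // Without a recorded digest the installer cannot detect swapped tarball contents.
    if (!/^sha512-/.test(locked.integrity || "")) {
      findings.push({ name, issue: "no-sha512-integrity", detail: locked.integrity || "" });
    }
    // An exact pin that disagrees with the lockfile means the two files drifted apart.
    if (EXACT_VERSION.test(spec) && locked.version !== spec) {
      findings.push({ name, issue: "lock-mismatch", detail: locked.version });
    }
  }
  return findings;
}

// Constructed sample: floating range in package.json, lockfile entry with a digest.
const samplePackageJson = { dependencies: { "example-connect-kit": "^1.1.0" } };
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/example-connect-kit": {
      version: "1.1.4",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-DIGEST",
    },
  },
};

console.log(auditPins(samplePackageJson, sampleLockfile, ["example-connect-kit"]));
```
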

In the Ledger hack, the malicious code was cunningly inserted into the Ledger Connect Kit. 

This allowed the attacker to modify the transactions that were being sent to users’ wallets. 

For instance, during the normal operation of a Web3 app, users might need to grant approvals for token contracts, thereby allowing the app to move tokens from their wallets.

However, with the malicious code in place, the users’ wallets would display requests for token approval, but these requests were altered to benefit the attacker. 

The user might see a request to confirm a transaction, but due to the confusingly presented data, they might unwittingly approve a transaction that sends their tokens to the attacker’s address.
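The approval requests described above can be checked mechanically before signing by decoding the calldata and comparing the spender with the contract the app is expected to use. This is an added example, not part of the original article or any wallet's code; the addresses and the `expectedSpenders` allowlist are constructed, while the three function selectors are the standard ERC-20 and ERC-721 ones.

```javascript
// Added example: decode approval-style calldata and flag risky grants.
const SELECTORS = {
  "095ea7b3": { name: "approve", kind: "amount" },           // approve(address,uint256)
  "39509351": { name: "increaseAllowance", kind: "amount" }, // increaseAllowance(address,uint256)
  "a22cb465": { name: "setApprovalForAll", kind: "bool" },   // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Returns null for anything that is not a well-formed approval-style call.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 136) return null; // selector + 2 words
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return null;
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  // An ABI-encoded address is left-padded with 12 zero bytes.
  if (!/^0{24}/.test(word1)) return null;
  return { fn: fn.name, kind: fn.kind, spender: "0x" + word1.slice(24), value: BigInt("0x" + word2) };
}

// expectedSpenders: contracts this app is known to need approvals for (assumption).
function reviewApproval(calldata, expectedSpenders) {
  const decoded = decodeApproval(calldata);
  if (!decoded) return { decoded: null, warnings: [] }; // not an approval call
  const warnings = [];
  const known = expectedSpenders.map((a) => a.toLowerCase());
  if (!known.includes(decoded.spender)) warnings.push("unexpected-spender");
  if (decoded.kind === "amount" && decoded.value === MAX_UINT256) warnings.push("unlimited-allowance");
  if (decoded.kind === "bool" && decoded.value === 1n) warnings.push("operator-for-all-tokens");
  return { decoded, warnings };
}

// Constructed sample data: neither address belongs to a real contract.
const SAMPLE_ROUTER = "0x" + "11".repeat(20);
const SAMPLE_OTHER = "0x" + "22".repeat(20);
function encodeCall(selector, addr, value) {
  return "0x" + selector + addr.slice(2).padStart(64, "0") + value.toString(16).padStart(64, "0");
}

const request = encodeCall("095ea7b3", SAMPLE_OTHER, MAX_UINT256);
console.log(reviewApproval(request, [SAMPLE_ROUTER]).warnings);
```
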

Real-World Impact on Users

As a result of this deceptive tactic, users ended up granting extensive token approvals to the malevolent contract controlled by the hacker. 

In some cases, large amounts of funds were siphoned off in single transactions. For example, over $10,000 was drained from one Ethereum address in a particular instance.

This exploit underscores a significant challenge in the crypto world: users often face difficulty in understanding and interpreting transaction confirmations, especially when they are presented in a technical or confusing manner. 

It emphasises the need for vigilance and a careful evaluation of each transaction confirmation message.

The exploit demonstrates a critical vulnerability in the Web3 ecosystem and underlines the importance of robust security practices. 

While tools and platforms are evolving to detect and thwart such attacks preemptively, the industry is still grappling with these challenges. 

Ledger incident: A Call for Increased Security Vigilance

It’s essential for users and developers alike to remain alert and informed to mitigate the risks associated with such sophisticated cyber threats.

The Ledger hack serves as a stark reminder of the persistent threats in the crypto world. 

It emphasises the need for robust security measures, constant vigilance, and collaborative efforts to safeguard digital assets. 

As the crypto industry evolves, the security of transactions and the protection of user data must remain paramount.

Flash Loan Attack on Euler Finance Drains It of $195 Million

Euler Finance fell victim to a flash loan attack that resulted in the loss of more than $195 million in stablecoins and ERC-20 tokens. 

On March 13, Euler Finance, a noncustodial lending protocol based on Ethereum, was hit by a flash loan attack. This resulted in the theft of millions of dollars in Dai (DAI), USD Coin (USDC), staked Ether (stETH), and wrapped Bitcoin (wBTC). As per the latest update from on-chain data, the attacker carried out multiple transactions and was able to steal almost $196 million, making it the largest hack of 2023 thus far. 

The funds stolen include the following:

  • DAI (8,877,507.35)
  • wBTC (849.14)
  • stETH (73,821.42)
  • USDC (34,413,863.42)
  • stETH (3,897.50)
  • stETH (8,099.30)

As per findings by the crypto analytics company Meta Sleuth, the recent attack appears to be linked to the deflation attack that occurred a month ago. The attacker leveraged a multichain bridge to transfer the funds from BNB Smart Chain (BSC) to Ethereum and executed the attack today.

This DeFi attack on Euler Finance is one of the most significant hacks of 2023 thus far.

Movement of funds from Euler Finance. Source: Meta Sleuth

ZachXBT, another well-known on-chain investigator, confirmed the correlation and stated that the attack’s fund movement and approach bear striking similarities to those of bad actors who recently targeted a BSC-based protocol. 

In the previous attack, the attackers deposited the funds into Tornado Cash, a cryptocurrency mixer. Presently, the illicitly obtained funds are residing in the following hacker-controlled addresses:

  • 0xebc29199c817dc47ba12e3f86102564d640cbf99 (Contract) – 8,877,507.34 DAI
  • 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 – 8,080.97 ETH
  • 0xb66cd966670d962c227b3eaba30a872dbfb995db – 88,752.69 ETH & 34,186,225.91 DAI

Euler Finance has acknowledged the exploitation and reported that they are working closely with security experts and law enforcement agencies to address the matter. 

According to Slowmist, a blockchain security firm that conducted an in-depth analysis of the attack, the attacker utilized flash loans to deposit funds and then proceeded to trigger liquidation by leveraging them twice. After donating the funds to the reserved address, the exploiter performed a self-liquidation to obtain any remaining assets.

The exploit’s success can be attributed to two key factors. Firstly, the funds were donated to the reserved address without undergoing a liquidity check, resulting in a soft liquidation. Secondly, the soft liquidation logic was activated by high leverage, allowing the liquidator to acquire most of the collateral funds from the liquidated user’s account by only transferring a portion of the liabilities to themselves.

The entire process occurred within a single transaction (one per pool) using flash loans obtained from AAVE.

It seems that one of the smart contracts in Euler has a flaw: it fails to verify the health factor during the execution of the donateToReserves() function. As a result, the attacker could liquidate their position from the protocol, repay the flash loan, and generate a substantial profit.
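The missing check can be seen in a small model of a lending account. This is an added example, not Euler's contract code and not from the original article; the single-asset pool, the 90% collateral factor, the method names and the sample balances are all simplifying assumptions.

```javascript
// Added example: a donation that skips the solvency check, beside a checked version.
const COLLATERAL_FACTOR_BPS = 9000n; // assumed: 90% of collateral counts toward borrowing

class Pool {
  constructor() {
    this.reserves = 0n;
    this.accounts = new Map();
  }

  open(user, collateral, debt) {
    this.accounts.set(user, { collateral, debt });
  }

  // Healthy when risk-adjusted collateral still covers the debt.
  isHealthy(user) {
    const a = this.accounts.get(user);
    return a.collateral * COLLATERAL_FACTOR_BPS >= a.debt * 10000n;
  }

  // Flawed shape: collateral leaves the account and no health check follows,
  // so a borrower can push their own position underwater.
  donateUnchecked(user, amount) {
    const a = this.accounts.get(user);
    if (amount > a.collateral) throw new Error("insufficient balance");
    a.collateral -= amount;
    this.reserves += amount;
  }

  // Hardened shape: apply the change, re-check health, roll back on failure.
  donateChecked(user, amount) {
    const before = { ...this.accounts.get(user) };
    const reservesBefore = this.reserves;
    this.donateUnchecked(user, amount);
    if (!this.isHealthy(user)) {
      this.accounts.set(user, before);
      this.reserves = reservesBefore;
      throw new Error("donation would leave account unhealthy");
    }
  }
}

// Constructed scenario: 1000 collateral against 800 debt, then a donation of 200.
function demo() {
  const flawed = new Pool();
  flawed.open("alice", 1000n, 800n);
  flawed.donateUnchecked("alice", 200n);
  const fixed = new Pool();
  fixed.open("alice", 1000n, 800n);
  let rejected = false;
  try { fixed.donateChecked("alice", 200n); } catch (e) { rejected = true; }
  return { flawedHealthy: flawed.isHealthy("alice"), rejected, fixedHealthy: fixed.isHealthy("alice") };
}

console.log(demo());
```
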

In a funding round last year, Euler Finance secured $32 million in investments from notable entities such as FTX, Coinbase, Jump, Jane Street, and Uniswap. Euler Finance garnered significant attention for its liquid staking derivatives (LSDs) offerings, which enable stakers to unlock liquidity for staked cryptocurrencies like Ether and potentially increase their returns. LSDs are a relatively new type of token, and they now account for up to 20% of the total value locked in decentralized finance protocols.

Euler Finance tries to retrieve the stolen funds

Shortly after the announcement of a $1 million bounty, the illicitly obtained funds were transferred to the cryptocurrency mixer Tornado Cash.

Euler Finance issued a demand for the hacker to return 90% of the stolen funds within a 24-hour period to potentially avoid facing legal consequences. 

DeFi Hack Leaves Users With a $12 Million Loss

After Defrost Finance users complained about the loss of funds, the DEX confirmed that Defrost V2 was the victim of a flash loan attack.

On December 24, 2022, DeFi platform Defrost Finance, built on the Avalanche blockchain, suffered a hack, with an attacker using a flash loan function to withdraw funds.

The announcement was made on the official Twitter account. The team advises everyone to refrain from using the platform until they resolve the issue. 

The first sign of the hack was investors reporting that they had lost their stakes in Defrost Finance, as well as Avalanche coins from their MetaMask wallets.

At first, the team announced that Defrost Finance’s V1 was not affected by the hack. 

After confirming the attack, PeckShield, a blockchain security company, discovered that the hacker had manipulated the price of LSWUSDC (Lending Switch USD Coin). The profit generated from the hack was approximately $173,000. 

“Our analysis shows a fake collateral token is added, and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M,” according to PeckShield.

The community was suspicious of the activities of the DEX, although they had announced the hack as soon as it was noticed. 

Shortly after, it was announced that V1 of the DEX was also affected by the hack, although it was initially announced that it was not affected. Since V1 lacked the flash loan functionality, the team believed that V1 couldn’t have been affected. At this moment, they asked all users to stop using both V1 and V2. 

The Defrost team continued their on-chain investigation on Dec 25. After publicly asking the hacker or hackers to return the funds stolen during the attack, the team also proposed a 20% (negotiable) fee of the total amount of $12. 

According to the team, they have been working round the clock, on Christmas day, to try and solve the crisis and return the funds. Eventually, on Dec 26, the team announced that the funds stolen from V1 have been returned. However, no other explanation was given. 

Defrost Finance announced it would refund affected users

According to Defrost Finance, the platform managed to recover the funds from the V1 flash loan exploit and plans to return them to their rightful owners. 

On Dec 27, Defrost posted on Medium that it would soon refund the stolen assets. The recovered funds are in an ETH wallet, will be converted to a stablecoin, and then transferred to Avalanche. The users will be able to recover their funds through a specific smart contract. 

Users are still waiting for further news. 

Other DeFi protocols that suffered losses recently are Raydium (Solana blockchain) – $2 million, and Ankr (Ethereum blockchain) – $5 million. 

Is Defrost Finance a scam?

On Dec 24, PeckShield, a blockchain analytics company, issued a warning to its community. They described the Defrost Finance project as a “rug pull” with losses estimated at around $12 million.

On Dec 26, CertiK, a blockchain security company, posted an alert about Defrost Finance. It stated that they tried to reach the team but did not receive any response. They described the exploit as an “exit-scam,” which implies that the DeFi platform might have stolen user funds. 

KyberSwap Frontend Exploit, Hacker Stole $265K

Malicious Google Tag Manager (GTM) code on the website allowed a hacker to steal $265,000 of users’ funds. The hack targeted whales’ wallets. 

On September 1st, 8:24 PM UTC, KyberSwap discovered a bug in its website code which allowed hackers to steal approximately $265,000.

According to the DeFi platform, two “whale” addresses were apparently affected by the attack. KyberSwap announced its intention to all affected users. Kyber claimed it discovered the exploit that allowed hackers to insert fake approvals, allowing them to transfer funds to an address. The attack was detected on Sept. 1, and the threat was “neutralized” within two hours.

What happened to KyberSwap?

KyberSwap was the victim of a website exploit. On Sept 1st, 8:24 PM UTC, they discovered a suspicious element on their front end. In order to further investigate the issue, they decided to shut down the website, while the smart contracts and everything related to the blockchain were not disturbed. The issue was a malicious Google Tag Manager (GTM), which allowed the attacker to steal users’ funds. 

It seems that the Google Tag Manager was designed to specifically target whale wallets to grant the attacker access to larger funds. After the code was eliminated, the KyberSwap UI was restored and made available for users. The UI was unavailable for just over two hours. Meanwhile, the malicious code was eliminated from the KyberSwap UI, and the hacker’s wallet was identified. 

KyberSwap told its users about the recent bug on the platform’s Twitter account and urged other DeFi protocols to inspect their frontend code to prevent similar attacks. 

This decentralized exchange allows users to trade currencies across different blockchains. The blockchain contracts of KyberSwap were not affected. They have also identified the affected addresses. 

Kyber tweeted, “We have compiled a complete list of confirmed and suspected attacker addresses used during this period, including tracking interactions with centralized exchanges and OpenSea.”

While this attack ranks amongst the lowest losses suffered by the DeFi projects, these thefts add up to millions of dollars that have disappeared from users’ funds. It also makes it very clear to anyone paying attention that DeFi platforms have penetrable UIs that can be exploited by creative hackers. 

KyberSwap is not safe to use, although users are advised to exercise caution when doing so. 

A complete list of the confirmed and suspected attackers’ addresses has been made public on their blog. There’s also a complete list of the addresses of the smart contracts related to using KyberSwap. Additional info about the incident can be found in the same blog – Notice of Exploit of KyberSwap Frontend

Will KyberSwap retrieve the stolen funds?

Blockchain transactions are irreversible, and KyberSwap might not be able to get the funds back, even if they have traced the wallets. The only way to get the stolen funds back is if the hackers decide to transfer them back. 

For that reason, the Kyber protocol has urged the attacker to send the funds back. Not only that, but they are offering a bug bounty of 15% of the stolen funds. 

Here’s the message for the KyberSwap hacker: 

“Hello attacker. We know the addresses you own have received funds from central exchanges, and we can track you down from there. We also know the addresses you own have OpenSea profiles and we can track you through the NFT communities or directly through OpenSea. As the doors of exchanges close upon you, you will not be able to cash out without revealing yourself. As a bug bounty, we are offering you 15% of the funds if you return it and have a conversation with our team. To confirm, send the funds to the following Polygon address: 0x2dc0ba6ba3485edd61f17ffabf4c7a9626001d50”