Recent Hacks: Lessons
This crypto security article might be one of the most important ones we have written so far, especially the first half. Attackers are becoming more sophisticated and are finding ways to target people individually rather than hunting for bugs in smart contracts.
A typical reaction is to think: “oh, that will never happen to me.” We are certainly not saying it will, but it is a good idea to be prepared and to understand how sophisticated these new tactics really are.
A Twitter user called @revive_dom had a MetaMask wallet on his Apple device and received a call that, according to the caller ID on his screen, came from Apple customer support. You would pick that up, right? Apple is to be trusted. And so he did.
A few hours earlier he had already received several text messages asking him to reset his Apple ID password (triggered, as it turned out, by the attackers). On their own, such messages look routine and nothing out of the ordinary.
Once he was on the call, the scammer told him his Apple ID had been compromised. Since his screen clearly showed the call as coming from Apple, he believed it and decided to engage.
Having convinced him of that, the scammer asked for the verification code that had just arrived on his phone, supposedly to prove that he really was the owner of the Apple ID. This is where it gets a little weird, but @revive_dom “knows” the call comes from Apple, and what harm can reading out a verification code do?
A lot. The moment he read out the final digit of the code, the scammer hung up. All the funds in his MetaMask wallet were gone. Forever.
So how did the scammer get access to the funds? They used the verification code to reset the password of @revive_dom’s Apple ID. Once that is accomplished, the attacker has access to the iCloud account. It turns out that MetaMask’s mobile app data, including the wallet vault that holds the seed phrase, can be stored in iCloud as part of the app backup. The attacker pulled that backup and withdrew all funds. Note that the vault in such a backup is encrypted with the user’s MetaMask password, so a weak password is all that stands between someone holding the iCloud account and the seed phrase. The practical checks are to disable iCloud backup for the MetaMask app and to use a long, unique MetaMask password.
So, in short:
- The attackers triggered text messages asking the user to reset his Apple ID password;
- A bit later they called the user, introducing themselves as Apple customer support reaching out because of suspicious activity on the account;
- To “prove” to support that he is the real Apple ID owner, the caller asks him to read out the 6-digit verification code;
- The user does so, the call immediately ends, and all MetaMask funds are withdrawn;
- With the verification code, the attackers changed the account password, entered the user’s iCloud data, found the MetaMask seed phrase backed up there, and used it to steal all his funds.
@revive_dom lost more than $655 thousand in crypto assets. That is a life-changing amount. Be careful and never engage with anything that looks even remotely phishy. Double- and triple-checking will only do you good, even if it takes longer. No legitimate support desk will ever ask you to read out a verification code: the code exists to prove possession of your device to the service, not to a caller. Hang up and call back on the number published on the company’s website. Remember that a phishing attack is either very simple (for example, an email asking you to click a link to change a password) or incredibly sophisticated.
Here’s a good thread on this event by a Twitter user @Serpent.
Beanstalk Stablecoin Protocol
The next story is a $182 million DeFi hack, an incredible amount if you think about it for a second. It resulted in the collapse of the $BEAN stablecoin: at the time of writing, the token had fallen more than 95% from its $1 peg.
The hacker took out a flash loan on Aave (an uncollateralized loan of any amount available in the lending pool, which is only valid if it is repaid, with a fee, within the same transaction) and used it to buy a large share of the Beanstalk governance token. They issued a governance proposal that would allow them to withdraw protocol funds into their own wallet.
The hacker then used the freshly acquired voting power to pass the proposal and immediately withdrew the available funds. Notably, the hacker donated $250 thousand to a Ukrainian relief wallet.
Beanstalk governance was frozen after the proposal executed, to prevent a repeat of the attack, but by then the hacker had already had time to run with $182 million in $ETH.
The Beanstalk protocol has a unique form of governance. Every token liquidity pool (a place to trade one stablecoin for another) has its own governance. Normally a governance proposal cannot be executed right away. However, anyone who holds a supermajority of the voting power (two thirds) can execute it immediately by calling the ‘emergencyCommit’ function. That is exactly what the flash loan bought: enough voting power to vote and call emergencyCommit within the single transaction in which the loan was taken and repaid.
The mitigation most protocols implement is to make flash-loaned funds useless for governance: voting weight is read from a snapshot of balances taken at a block before the proposal was created, and execution is separated from the vote by a timelock, so tokens that exist only for the duration of one transaction carry no weight. Such a protection was present in the code audited by Omniscia; however, the Beanstalk team released several updates after the audit without having them reviewed first. This demonstrates yet again the importance of auditing, and of auditing every release rather than only the first one.
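To make the mechanism concrete, here is a toy simulation of the attack path described above and of the snapshot-plus-timelock fix. This is an added example written for this article; it is not Beanstalk, Aave or Lossless code, and every name, balance, the 1:1 market price and the 0.09% flash-loan fee are assumptions chosen for the simulation. The vulnerable governance class counts votes by current balance and lets a supermajority commit immediately; the hardened class reads weight from the balances at the end of the block before the proposal and requires the proposal to age one block, which a flash loan, repaid within the same block, cannot survive.

```python
"""Toy simulation of a flash-loan governance takeover and a snapshot-voting fix.
Added example for this article, not Beanstalk, Aave or Lossless code. All names,
balances, the 1:1 market price and the 0.09% flash-loan fee are assumptions; the
2/3 supermajority is the threshold the article describes for emergencyCommit."""
from copy import deepcopy
from typing import Callable

SUPERMAJORITY = (2, 3)  # (numerator, denominator) of total supply
FLASH_FEE_BPS = 9       # 0.09 %, assumed

class Chain:
    """Toy ledger: governance-token balances, a 1:1 stablecoin market, a treasury."""
    def __init__(self) -> None:
        self.block = 100
        self.gov = {"honest": 300_000, "market": 700_000, "attacker": 0}
        self.stable = {"lender": 10_000_000, "market": 0, "attacker": 0}
        self.treasury = 5_000_000  # funds a passed proposal may move
        self.history = {}          # block -> gov balances at the end of that block

    def next_block(self) -> None:
        """Close the current block: record balances, then advance."""
        self.history[self.block] = deepcopy(self.gov)
        self.block += 1

    def swap(self, who: str, gov_amount: int) -> None:
        """Buy (gov_amount > 0) or sell (< 0) governance tokens for stablecoins 1:1."""
        self.stable[who] -= gov_amount; self.stable["market"] += gov_amount
        self.gov["market"] -= gov_amount; self.gov[who] += gov_amount
        assert min(self.stable[who], self.stable["market"], self.gov[who], self.gov["market"]) >= 0

    def flash_loan(self, who: str, amount: int, body: Callable[[], None]) -> None:
        """Lend only for the duration of body(). If body fails or the loan plus fee is
        not repaid, every ledger change is rolled back, like an EVM revert."""
        saved, fee = deepcopy(self.__dict__), amount * FLASH_FEE_BPS // 10_000
        try:
            self.stable["lender"] -= amount; self.stable[who] += amount
            body()
            if self.stable[who] < amount + fee:
                raise RuntimeError("flash loan not repaid")
            self.stable[who] -= amount + fee; self.stable["lender"] += amount + fee
        except Exception:
            self.__dict__.update(saved)
            raise

class GovVulnerable:
    """Weight is the voter's *current* balance and a supermajority may commit at once,
    so borrow, vote and execute all fit inside one transaction."""
    MIN_AGE = 0  # blocks a proposal must exist before it can be committed

    def __init__(self, chain: Chain) -> None:
        self.chain, self.proposals = chain, []

    def propose(self, action: Callable[[], None]) -> int:
        self.proposals.append({"action": action, "block": self.chain.block, "votes": 0})
        return len(self.proposals) - 1

    def weight(self, pid: int, who: str) -> int:
        return self.chain.gov[who]

    def vote(self, pid: int, who: str) -> None:
        self.proposals[pid]["votes"] += self.weight(pid, who)

    def emergency_commit(self, pid: int) -> None:
        p, (num, den) = self.proposals[pid], SUPERMAJORITY
        if self.chain.block < p["block"] + self.MIN_AGE:
            raise PermissionError("proposal too young")
        if p["votes"] * den < num * sum(self.chain.gov.values()):
            raise PermissionError("no supermajority")
        p["action"]()

class GovSnapshot(GovVulnerable):
    """Hardened: weight is the balance at the end of the block *before* the proposal,
    so tokens bought in the same transaction count for nothing, and the proposal must
    age one block, which a flash loan (repaid within the block) cannot survive."""
    MIN_AGE = 1

    def weight(self, pid: int, who: str) -> int:
        return self.chain.history.get(self.proposals[pid]["block"] - 1, {}).get(who, 0)

def run_attack(gov: GovVulnerable, borrow: int = 700_000) -> bool:
    """Borrow, buy 70% of the supply, pass and commit a treasury drain, sell back and
    repay, all in one transaction. Returns True if the treasury was drained."""
    chain = gov.chain

    def drain() -> None:  # payload of the malicious proposal
        chain.stable["attacker"] += chain.treasury; chain.treasury = 0
    def body() -> None:
        chain.swap("attacker", borrow)   # 700k of 1M supply = 70% > 2/3
        pid = gov.propose(drain)
        gov.vote(pid, "attacker")
        gov.emergency_commit(pid)
        chain.swap("attacker", -borrow)  # sell back to repay the loan

    try:
        chain.flash_loan("attacker", borrow, body)
    except (PermissionError, RuntimeError):
        return False                     # whole transaction reverted
    return chain.treasury == 0
```

Against `GovVulnerable`, `run_attack` empties the treasury and the attacker walks away with it minus the 630-token flash-loan fee. Against `GovSnapshot`, the same transaction fails (the proposal is too young, and even with the age check removed the attacker's snapshot weight is zero), so the loan is never repaid and the whole transaction reverts, leaving the ledger untouched; an honest holder whose tokens were already present in the previous block can still pass a proposal after it has aged one block.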
Every builder in crypto knows about hacks and the enormous impact they can have. Yet exploits keep getting larger, code keeps getting more complex, and timelines keep getting more aggressive.
Hack prevention and mitigation must be a priority. Our team recently launched its protocol on Ethereum’s mainnet, focused on exactly that. Community-built bots scan transactions on tokens with Lossless integration to flag potentially malicious ones. Once flagged, a transaction can be frozen for analysis by the Decision-Making Body, which judges whether it is indeed fraudulent. If it is, the transaction can be reversed and the stolen funds returned.
Visit our website or channels for more information. Stay safe and always check things multiple times.
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from Lossless’ cyber security solutions and renowned professionals, the community also plays a role: with a tangible reward system, community members are encouraged to explore new ways to detect hacks and fraudulent transactions.
The Lossless protocol halts fraudulent transactions through various methods of fraud identification and automatically returns any stolen tokens to the original owner. Its solutions to the problem of cyber theft within the blockchain space are thorough and applicable across many protocols.