Crypto News: US$200 million stolen in two separate hacks
Around US$200 million in coins and tokens has been stolen in two separate hacks since Monday, leaving thousands of crypto investors out of pocket, and super unhappy about it.
As we mentioned this morning, the hacks have made this week a rough one for crypto’s public image, as the sector continues to struggle its way out of the so-called Crypto Winter after billions of dollars were wiped out in the November 2021 price crash.
The larger of the two latest security breaches hit Nomad, a cross-chain bridge protocol used to make transactions between different blockchains faster and simpler.
The attack on Nomad started quietly, but spiralled quickly out of control once word got out that anyone could simply copy the initial fraudulent transaction, substitute in their own wallet address, and get in on the theft themselves.
Sam Sun, a researcher for Web3 investment firm Paradigm, explained how the attack was entirely due to a tiny – but massive – mistake by the dev team at Nomad, and why it was so easy to replicate.
10/ It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message pic.twitter.com/fA3XbNW9qT
— samczsun (@samczsun) August 2, 2022
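To make the mistake in that tweet concrete, here is a small Python model of the Nomad Replica contract's message check. It is an added illustration written for this article, not Nomad's Solidity, and it omits the Merkle proof, domain checks and re-entrancy guard of the real contract. What it keeps is the shape of the real logic: a `confirmAt` mapping of trusted roots, a `messages` mapping from message hash to the root that message was proven against, and a `process()` that requires `acceptableRoot(messages[hash])`. The message bytes, the use of SHA-256 in place of keccak256, and the `HardenedReplica` fix are assumptions for illustration.

```python
"""
Toy model of the Nomad Replica check abused in August 2022 (added example, not
Nomad's own code).  Storage kept from the real design:

  confirm_at[root]   -> time from which `root` is trusted (absent/0 = never)
  messages[msg_hash] -> root the message was proven against (bytes32(0) = unproven)

process() releases funds only if acceptable_root(messages[msg_hash]) is true.
"""
from hashlib import sha256   # stand-in for keccak256; the hash choice is irrelevant here

ZERO_ROOT = b"\x00" * 32     # the value the upgrade passed as the trusted root


class Replica:
    """Vulnerable: pre-approves whatever root initialize() receives, even zero."""

    def __init__(self, committed_root: bytes, now: int = 1_000_000):
        self.now = now
        self.confirm_at = {committed_root: 1}   # initialize(): pre-approve committed root
        self.messages = {}                      # message hash -> proven root
        self.processed = set()

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.now >= t

    def update(self, new_root: bytes, optimistic_seconds: int = 1800) -> None:
        # Updater submits a new root; it becomes trusted after the fraud-proof window.
        self.confirm_at[new_root] = self.now + optimistic_seconds

    def prove(self, message: bytes, root: bytes) -> None:
        # The real contract verifies a Merkle inclusion proof against `root`;
        # that step is modelled here as trusted input.
        self.messages[sha256(message).digest()] = root

    def process(self, message: bytes) -> bool:
        h = sha256(message).digest()
        if h in self.processed:
            return False                          # exact replay of the same bytes
        # An unproven message reads back the storage default, bytes32(0).
        proven_root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(proven_root):
            return False                          # "!proven"
        self.processed.add(h)
        return True                               # funds would be released here


class HardenedReplica(Replica):
    """Fix (assumed for illustration): the zero root is never an acceptable root."""

    def acceptable_root(self, root: bytes) -> bool:
        if root == ZERO_ROOT:
            return False                          # message was never proven
        return super().acceptable_root(root)


def demo() -> dict:
    """Replay the incident shape: a forged message, then the copy-paste variants."""
    forged = b"bridge-withdraw 100 WETH to 0xattacker"        # constructed, never proven
    copycat = forged.replace(b"0xattacker", b"0xcopycat")      # same trick, new recipient
    legit_root = b"\x11" * 32                                  # constructed trusted root
    legit = b"bridge-withdraw 1 WETH to 0xalice"               # constructed, properly proven

    vuln = Replica(ZERO_ROOT)            # the bad upgrade
    hard = HardenedReplica(ZERO_ROOT)    # same bad upgrade, hardened check
    for r in (vuln, hard):
        r.update(legit_root)
        r.now += 1800                    # fraud window elapses
        r.prove(legit, legit_root)

    return {
        "vulnerable_forged": vuln.process(forged),     # True: auto-proven via root 0x00
        "vulnerable_copycat": vuln.process(copycat),   # True: any recipient works
        "vulnerable_replay": vuln.process(forged),     # False: only exact replays are blocked
        "vulnerable_legit": vuln.process(legit),       # True
        "hardened_forged": hard.process(forged),       # False
        "hardened_copycat": hard.process(copycat),     # False
        "hardened_legit": hard.process(legit),         # True: real proofs still work
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes is that the replay guard was never the problem: each copycat simply edited the recipient, producing a fresh message hash whose unset storage slot read as root `0x00`, and `0x00` had been pre-approved at initialisation. Refusing a zero committed root at initialise time would be a second line of defence on top of the `acceptable_root` change.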
Within hours, US$190 million was gone – some of it taken by “white hat” hackers, who were securing the easily accessible funds with the intent of giving them back once the security hole had been patched.
So far, only a fraction of the money has been handed back, totalling less than US$10 million. What a shock.
At the same time, a completely separate and much quieter hack was unfolding, as an apparent lone-wolf hacker managed to penetrate a popular Solana-based wallet ecosystem and drain close to US$10 million from roughly 8,000 accounts.
Initial estimates put the amount stolen at more than US$580 million; however, it was soon discovered that US$570 million of that was the grossly overestimated value of one illiquid s–tcoin called $EXIST.
The attack mostly affected users of mobile Solana wallets such as Phantom, Solflare, TrustWallet, and Slope, with Phantom and Slope users making up the lion’s share of those affected.
Solana co-founder Anatoly Yakovenko took to Twitter to suggest his theory on the attack vector, claiming that it “seems like an iOS supply chain attack”.
Such an attack resembles a Trojan horse: malicious code is slipped into one of the code libraries the application depends on in order to function, according to Christine Kim, Galaxy Digital researcher and host of the Mapping Out Eth 2.0 podcast.
However, blockchain security firm OtterSec noted that the fraudulent transactions were being processed by the blockchain because they were “signed by the actual owners, suggesting some sort of private key compromise”.
A wallet’s private key is required to digitally sign any transaction that sends cryptocurrency to another address or changes the wallet, and the chain cannot tell a transaction signed with a stolen key from one the owner sent. Any attacker who obtains a user’s private key therefore has complete control over that wallet and its contents.
So while the two hacks are apparently unrelated, there’s a common lesson to be learned from both of them: the most secure way to protect any crypto you’re holding is in an offline wallet, whose keys never touch an internet-connected device, so thieves cannot connect to it and steal your funds out from under your nose.