Approximately $575k was stolen from users who approved, with proceeds being sent to CEXs and Tornado Cash. It seems OFAC’s sanctions don’t scare those who are already breaking the law…
The exploit was not active on curve.exchange, the project's alternate UI, which the team directed users to while the incident was dealt with. The hacker’s mirrored site was taken down quickly, however some nameservers are still to be updated.
This episode, and others like it, serve as stark reminders that web3 still runs on web2.
When even the backbone of DeFi is reliant on legacy infrastructure…
…how decentralised can we claim to be?
As with other DNS hijacking events, identification of the exact cause falls to the service provider, and we must rely on their account of events, without being able to corroborate on-chain.
Curve Founder and CEO Michael Egorov confirmed his team's suspicions with rekt.news:
Well for now I can say that dns registrar iwantmyname had their ns compromised
No account hack
Switched the ns
Besides a good bunch of hacked money frozen by centralized services
What could be done better.. we should try to go away from web2 things like dns tbh, that would be the best
Further details provided here.
All Curve users who interacted with the platform should revoke approvals to the malicious contract immediately:
Attacker’s address: 0x50f9202e0f1c1577822bd67193960b213cd2f331
Currently, for the vast majority of users, DeFi is only as secure as the centrally-hosted front ends that they interact with.
As the battle-tested contracts which secure established protocols’ back end become gradually more robust, exploiters are increasingly targeting the front end. This vector leverages users’ trust in the project’s contracts whilst overlooking the security behind the UI.
Without real decentralisation at every step, we will continue to see approval-harvesting attacks, such as those that have affected users of BadgerDAO, Mad Meerkat Finance and, most recently, the Namecheap breach which affected front ends of four DeFi protocols.
For all the effort put into smart contract security, audits and decentralisation of governance powers, a project’s reputation can get still rekt through the fault of a web2 corporation.
The next logical step is protocols hosting their Dapps via IPFS and ENS, cutting reliance on web2 DNS providers.
The vast majority of users are not interested in dealing directly with smart contracts; front end security should not be treated as an afterthought.
How much longer will web3 rely on web2?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
What a way to start the week. This morning, Mixin Network announced a loss of $200M. The project claims to be “decentralised”, but has blamed the losses on a hacked third-party database. Where's the accountability?
Another exchange drained, is Lazarus going for a September hat-trick? Remitano's hot wallets were hit for $2.7M, yesterday. But quickly frozen USDT ensured profits were vastly reduced. Are we… learning?
rekt across thirteen chains. Is that a new record? CoinEx has become the latest crypto custodian to have its hot wallets emptied, losing an eventual total of $54.3M. How long until the next CEX is hit?