Nightmare on FTM Street

Halloween came early this year for the Fantom Foundation.

Over $7M was drained from multiple Fantom Foundation-labelled wallets yesterday.

Fantom’s semi-retired figurehead Andre Cronje quickly clarified that the thefts affected an employee, rather than the Foundation itself.

However, the Foundation’s acknowledgement of the incident, which came three hours later, did admit to a $550k loss.

There’s been plenty of rushed messaging this week…

The statement went on to explain that some of the affected addresses were “no longer utilized” Foundation Wallets, which had been “reassigned” to an employee.

Why not use new addresses?

With the Fantom Foundation never publicly disclosing their wallet addresses, even after their claims of having 30+ years of runway (thanks to farming 2020’s DeFi Summer), we’ll just have to take Cronje and the Foundation’s word for it.

When did DeFi become ‘trust, don’t verify’?

Credit: Tayvano, Spreek

Starting just before 4am UTC yesterday, at least 12 addresses were drained across five chains: ETH, FTM, OP, BSC and AVAX.

While it remains unknown precisely how the attacker(s) gained access, the fact that multiple associated addresses were drained in short succession may suggest a compromised password manager, potentially LastPass.

The initial explanation, which came via a FTM Foundation TG admin, of a “zero day exploit on crome” doesn’t sound so plausible, after all.

Attacker addresses (totalling $7.5M):

0x1d93c73d575b81a59ff55958afc38a2344e4f878 (ETH, FTM, OP)

0x2f4f1d2c5944dba74e107d1e8e90e7c1475f4001 (ETH, FTM, OP, AVAX, BSC)

0xdadc0421ee1b5426fca3db22f0a94a3bad5a329d (ETH, FTM)

Attacker consolidation address on ETH (holds 4.5k ETH, $7.1M): 0x0b1f29df74a19c44745862ab018d925501fe9596

For a full list of victim addresses, labels and relationships, see Tay’s thread. Beosin also provided a summary table.

The mixed messaging around the incident was bound to lead to some slight errors in reporting.

However, given the $100M+ in liquidations caused by Cointelegraph’s unsourced Bitcoin ETF announcement on Monday, you’d have thought they would be tweeting extra carefully.

Apparently not.

For a website that holds itself to “high journalistic standards”, blaming the social media team (as well as “the society” and “the technology” at large) should probably be followed up by fact-checking tweets…

…at least for a couple of days…

…and against the article it refers to.

Bad luck seems to haunt the Fantom ecosystem like a spectre.

Cronje may have boasted of the Foundation’s treasury holdings last year, presumably to bolster confidence in the ecosystem in the wake of the uncertainty which followed FTX’s blowup.

But, assuming the funds (which apparently include over $100M in stables) are still there, the Foundation now holds far more than the chain’s entire TVL, which has been gradually bleeding from over $500M earlier this year, to just $40M today.

A general downtrend was punctuated in July by the Multichain debacle.

Now, whether for good reason or not, yesterday’s news has spooked users once more.

Is FTM cursed?


REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
