October has not been a favorable month for the crypto space when it comes to security. The latest incident saw hackers drain $2.3 million from FriesDAO, as per cybersecurity firm CertiK.
The attacker took control of the protocol’s Deployer Wallet and drained a significant amount of FRIES.
Spate Of Hackings Continue
An unknown attacker has stolen $2.3 million worth of tokens from the decentralized autonomous organization FriesDAO. The exploit is the latest in a spate of hackings that have plagued the crypto space this month, making it the worst month when it comes to hackings. The exploit was a result of the hacker taking control of the protocol’s deployer wallet and draining its governance token, FRIES.
The hacker could also leverage their access to the deployer wallet and drain several other tokens from a staking pool on the protocol. The hacker then sold the stolen funds for $2.3 million in stablecoins, which are still held by the hacker, according to CertiK. FriesDAO notified its users of the hack, releasing a statement,
“It has come to our attention that the refund deployer contract was exploited and managed to obtain FRIES tokens which were subsequently refunded for USDC and sold into the Uniswap pool. This is an ongoing investigation; the exploiter is invited to contact us for dialogue.”
Wallet Generator Tool Already Had Vulnerability
The protocol’s deployer wallet was generated using a wallet generator tool called Profanity. The tool was known to contain a critical vulnerability, discovered by security analysts at 1inch. The analysts found that private keys of vanity addresses generated by Profanity were vulnerable to hackers and could be used to steal funds. After the disclosure by the security firm, hackers exploited the vulnerability, stealing $160 million worth of crypto assets from market-making firm Wintermute.
FriesDAO Exploit Was Preventable
FriesDAO also relies on the same wallet generator tool to generate the protocol’s deployer wallet address. Thanks to the vulnerability, the hacker extracted the wallet’s private keys and moved the funds to their wallet. CertiK, which also disclosed the exploit, stated that the exploit could have been avoided had the teams involved with the protocol been more proactive and replaced the deployer’s address in time.
“This attack was preventable, as the Profanity vulnerability has been public knowledge for over a month. CertiK calls on all Web3 projects which have used the Profanity tool to immediately transfer control of any assets held in affected wallets to securely-generated addresses.”
An Unprecedented Month
According to a report released by Chainalysis, October is set to be the worst month on record for crypto-related exploits. At the time of publishing the report, the space had already lost over $718 million to hackers and other exploits. As of now, this figure has crossed $1 billion. The current month has seen an unprecedented number of hackings that have decimated the space.
October 6th saw the hack of DeFi protocol Sovryn, which saw hackers drain $1.1 million. Mango Markets was another protocol targeted by hackers, who managed to steal $117 million from the Solana-based lending platform. Other significant hacks include the BitKeep Wallet, which saw hackers steal $1 million in funds. However, there were instances where hackers returned the funds, choosing to keep a bounty instead, such as the Moola Market hack. The hacker decided to return the stolen funds instead keeping a $500,000 bounty. Olympus DAO also saw a hacker steal around $300,000, only to return it hours later.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Credit: Source link
