Celer Network's cBridge suffers BGP hijacking attack, users lose combined $240,000
The Celer Network's cBridge project was targeted with a BGP hijacking attack. Users who tried to access the bridge's frontend were instead shown a site that prompted them to authorize transactions that drained their wallets. The attacker was able to steal around 128 ETH (~$240,000) before the exploit was discovered and Celer took the frontend offline. The stolen funds were quickly transfered to the Tornado Cash cryptocurrency tumbler.
- Tweet by CelerNetwork
- Etherscan for attacker wallet
- "Truth Behind the Celer Network cBridge cross-chain bridge incident: BGP hijacking", SlowMist
Curve Finance frontend compromised, $620,000 stolen but later recovered by exchanges
Curve Finance's frontend at curve.fi was compromised, prompting users to give token approval to a malicious smart contract. Stolen funds were then transferred out to the FixedFloat cryptocurrency exchange and the Tornado Cash tumbler. It appears that at least 362 ETH (~$620,000) have been stolen.
Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.
FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. đ"
Ankr gateways for Polygon and Fantom compromised, seed phrases possibly stolen
The Ankr public RPC gateways (basically an API for dApps and other services to communicate with the blockchain) for Polygon and Fantom were impacted when attackers compromised the projects' DNS management. Those who accessed Polygon or Fantom using Ankr's RPC gateways saw pop-up windows stating that "funds are at risk", and prompting them to enter their seed phrases at a website linked from the popup to "restore their wallet".
Polygon's chief information security officer Mudit Gupta told CoinDesk that day that "no funds [were] lost as far as we know but we are still investigating", and that dApps using the Ankr RPC endpoint were non-functional. Ankr later announced that the RPC systems had been fully restored, and that the breach had come from a "third-party vendor" that enabled attackers to change Ankr's domain hosts.
SpiritSwap is the latest victim of a domain hijacking attack
In what is beginning to become a pattern, SpiritSwap was the latest project where attackers gained control of their domain and were able to modify the frontend to divert funds to a wallet under their own control. SpiritSwap tweeted that the "the hacker has managed to exploit Godaddy" (unlikely â it was more likely a case of stolen credentials) and swap out the recipient address.
The hacker only managed to exfiltrate around $18,000 before being discovered, and SpiritSwap shut down their swapping through their router to prevent the attack from continuing.
MM.Finance suffered a similar attack earlier in the month, losing $2 million after an attacker gained control of the domain and swapped in their own address to siphon funds.
Attacker compromises MM.Finance to redirect $2 million in crypto assets to their own wallet
MM.Finance, a group of crypto projects based on the Cronos blockchain, suffered an attack that allowed a hacker to redirect more than $2 million worth of crypto assets that were being exchanged through the project's website to their own wallet. Although MM.Finance described the attack as "DNS hijacking", it seems unlikely this is an accurate description of the attack, which seems more likely to involve phished credentials to their domain service providers.
"Please do not perform any transactions or your funds will be sent to the exploiter wallet," MM.Finance tweeted shortly before taking the website offline. Three days earlier, MM.Finance had published a blog post to address "FUD" in their ecosystem stemming from a popular Reddit post that described MMF as an "inverse pyramid of derivatives" that the author believed would "topple", and outlined the project's "rosy future".
The project promised to try to compensate users, with its developers foregoing 45 days of trading fees to reimburse users. They also appealed to the OKC crypto exchange to intervene to help recover funds from someone they believed to be the attacker, and threatened the attacker with the FBI. "With all these information, we have more than what we need to bring this information to the FBI," they wrote on Twitter. "So here's the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds."
- Tweet by MM.Finance
- "Mm Finance â The road ahead", MM.Finance blog
- "Personal Take on Events and Existing Tokenomics", post from r/MMFinance
- "DNS Hi-Jacking Post Mortem & Compensation", MM.Finance blog