Out-in-the-open contractor theft seems to have appeared as another way to attack crypto projects – as a token launchpad front end was attacked with a malicious code, resulting in more than USD 3m stolen.
Joseph Delong, Chief Technology Officer (CTO) at decentralized exchange SushiSwap, tweeted that the MISO token launchpad built on SushiSwap has been attacked. Per his words, this was a supply chain attack, with an anonymous contractor, who’s using the GitHub handle ‘AristoK3’, injecting a malicious code into Miso’s front-end.
As for the identity behind this handle, Delong said that they “have reason to believe” it’s the Twitter user ‘eratos 1122’ who says they are a “Blockchain/Web/Mobile Developer.” Cryptonews.com has contacted eratos 1122 for comment.
The CTO further said that ETH 864.8 was stolen, currently worth over USD 3.06m. The address he shared – names ‘Miso Front End Exploiter’ – reflects this, with the transaction having taken place some sixteen hours prior to the time of writing.
Simply said, ‘front end’ refers to the user interface, that is, the elements with which users interact. A supply chain attack (aka a value-chain or third-party attack) involves a person infiltrating a system through an outside partner or provider that has the access to it. Software supply chain attacks, if successful, enable the attacker to take control of a project or its infrastructure, as they switch it to the contract address under their control.
Per Delong, who provided additional details of the attack, there was only one contract exploited – the one for the JayPegsAutoMart non-fungible token (NFT) sale. “The attacker inserted their own wallet address to replace the auctionWallet at the auction creation,” he explained, adding: “Effected auctions have all been patched.”
The team has contacted crypto exchanges FTX and Binance, he said, asking for the attacker’s know-your-customer (KYC) information, “but they have resisted on this time-sensitive matter.”
Binance replied to Delong, stating that “our team is also investigating the incident on our end and would like to connect with you directly to learn more.”
Additionally, the CTO claims that the attacker (though their number is not known yet) has done work with yearn.finance (YFI) and has also “approached many other projects” – all of which he’s urging to check their respective front ends for exploits.
Delong said that the team will file a complaint to the FBI should the funds not be returned by noon today UTC time.
All this said, this type of attack seems to be something for the projects in this nascent industry – and by extent, their users / coin holders – to be alert and aware about, and not be lulled into any false sense of safety.
“The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators,” said Maria Korolov, contributing writer for CSO. “Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm.”
For a popular crypto trader, known as @DegenSpartan, this incident has been “another grim reminder that we are frontier explorers and anything could happen to us and our money.”
Rari Capital’s ‘transmissions11 (t11s)’ finds that this type of attack could be “first of many to come,” adding: “Every react.js site depends on literally hundreds of thousands of packages, each of which depends on a couple hundred at least. One malicious sub-sub-sub-package update and it’s over.”
According to t11s, there may already be ways to mitigate this attack type. That said, it seems that the developing world of crypto is being opened to more attack vectors, stressing the need for vigilance with each and every step, giving how much is at stake.
Meanwhile, SUSHI dropped 8% in the past day (at 9:11 UTC), while it’s up 28% in the past week.
– Cream Finance Suffers USD 25M Flash Loan Attack
– Tether Frozen in Poly Hack Returned to Owners, Fuelling Centralization Debate
– Crypto & DeFi Custody Best Practices – A Workshop
– Anonymous Builders: Discussing Pseudonymity in DeFi