Out-and-out contractor theft appears to have emerged as a new method of attacking crypto projects: malicious code was inserted into a token launchpad's front end, leading to the theft of more than USD 3 million.
The MISO token launchpad created on SushiSwap has been attacked, according to Joseph Delong, Chief Technology Officer (CTO) at decentralised exchange SushiSwap. This was a supply chain attack, according to him, with an unidentified contractor using the GitHub account ‘AristoK3’ inserting malicious code into MISO’s front end.
dudes not hiding either. would be a bad move…
— Antimatter 🎩🐧💰 ◎ (@RealBoardwalk) September 17, 2021
Delong said they “had grounds to assume” the handle belongs to Twitter user “eratos 1122,” who describes himself as a “Blockchain/Web/Mobile Developer.” Eratos 1122 has been approached by Cryptonews.com for comment.
The CTO also stated that ETH 864.8, which is presently worth over USD 3.06 million, was stolen. The address he provided – ‘Miso Front End Exploiter’ – reflects this, with the transaction occurring sixteen hours before the time of writing.
A supply chain attack
Simply put, the front end is the user interface, the part of an application that users interact with. A supply chain attack is when someone gains access to a system through an outside partner or provider. If successful, a software supply chain attack allows an attacker to seize control of a project or its infrastructure by redirecting it to a contract address under their control.
Only one contract was abused, according to Delong, who revealed additional details about the attack: the one for the JayPegsAutoMart non-fungible token (NFT) sale.
“At the auction creation, the attacker substituted their own wallet address to replace the auction wallets,” he revealed, adding, “All affected auctions have been patched.”
The team contacted crypto exchanges FTX and Binance, requesting the attacker’s know-your-customer (KYC) information, but they “resisted on this time-sensitive topic,” he claimed.
“Our team is also examining the incident on our end and would like to touch with you directly to learn more,” Binance wrote to Delong.
Furthermore, the CTO states that the attacker (whose identity is unknown) has worked with yearn.finance (YFI) and has also “approached many other projects,” all of which he advises to search for weaknesses in their respective front ends.
If the funds are not returned by 12:00 UTC today, Delong stated, the team will file a complaint with the FBI.
All of this being said, it appears that this type of attack is something that projects in this young industry and, by extension, their users and currency holders should be aware of, rather than being lulled into a false sense of security.
First of many to come
This type of attack might be the “first of many to come,” according to Rari Capital’s “transmissions11 (t11s)” report. The report also notes that “every react.js site depends on literally hundreds of thousands of packages. Each of these depends on a couple hundred at least. It’s over with one rogue sub-sub-sub-package update.”
There may already be solutions to mitigate this attack type, according to t11s. That said, it appears that the developing world of crypto is becoming more vulnerable to attack vectors, which emphasises the importance of maintaining attention at all times, especially given the stakes.
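As an added illustration (not code from SushiSwap, MISO or anyone quoted above), a review step like the following could flag a wallet address newly introduced into front-end source, the kind of substitution Delong describes. The file names, addresses and the idea of a reviewed allowlist are constructed assumptions.

```javascript
// Added example: flag Ethereum addresses in front-end source that are
// not on a reviewed allowlist. Not SushiSwap's or MISO's own code.

// 0x followed by exactly 40 hex digits; the lookahead keeps 32-byte
// values such as transaction hashes from being reported as addresses.
const ADDRESS_RE = /0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g;

// files: { path: sourceText }; allowlist: array of reviewed addresses.
function findUnreviewedAddresses(files, allowlist) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      for (const match of line.matchAll(ADDRESS_RE)) {
        // Compare case-insensitively: checksum casing does not change the address.
        const address = match[0].toLowerCase();
        if (!allowed.has(address)) {
          findings.push({ path, line: idx + 1, address });
        }
      }
    });
  }
  return findings;
}

// Constructed sample data: placeholder addresses and hypothetical file names.
const REVIEWED_WALLET = "0x" + "11".repeat(20);
const UNREVIEWED_WALLET = "0x" + "AB".repeat(20);
const TX_HASH = "0x" + "cd".repeat(32); // 64 hex digits, must be ignored

const sampleFiles = {
  "src/config/wallets.js": `export const AUCTION_WALLET = "${REVIEWED_WALLET}";`,
  "src/hooks/createAuction.js": [
    "// constructed change under review",
    `const lastTx = "${TX_HASH}";`,
    `params.wallet = "${UNREVIEWED_WALLET}";`,
  ].join("\n"),
};

function runSample() {
  return findUnreviewedAddresses(sampleFiles, [REVIEWED_WALLET]);
}

for (const f of runSample()) {
  console.log(`${f.path}:${f.line} unreviewed address ${f.address}`);
}
```

A scan like this only sees literal addresses in the reviewed source; an address assembled at runtime or pulled in by a dependency update needs a separate control such as lockfile review.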