Crypto security researchers uncovered and neutralized a critical threat affecting thousands of smart contracts, potentially preventing more than $10 million in crypto from being stolen.
On Thursday, pseudonymous Venn Network researcher Deeberiroz shared in an X post that a backdoor exploit had been silently threatening the ecosystem for months. The researcher said the exploit targeted uninitialized ERC-1967 proxy contracts, allowing an attacker to hijack the contracts before they had been properly set up.
Venn Network discovered the vulnerability on Tuesday, triggering a 36-hour rescue operation involving several developers, including security researchers Pcaversaccio, Dedaub and Seal 911, who worked together to evaluate affected contracts and move or secure vulnerable funds.
Attackers injected malicious contract implementations
Or Dadosh, co-founder and president of Venn Network, told Cointelegraph that the attacker front-ran contract deployments and injected malicious implementations.
“In the simplest terms, the attacker exploited certain deployments which allowed them to put a well-hidden back door in thousands of contracts,” Dadosh told Cointelegraph, adding that the attacker could have taken over vulnerable contracts at any point.
After the hijack, the attacker held an undetected, unremovable backdoor for months. Once the contract was subsequently initialized by its deployer, the malicious activity became nearly invisible.
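The weakness described above is a deployment-ordering problem: when an ERC-1967 proxy is deployed in one transaction and its initialize() call is sent in a later one, there is a window in which anyone can call initialize() first and become the owner. The following is an added illustration, not code from the article, from Venn Network or from any affected protocol. It shows the hardened form, a proxy whose constructor runs the initializer in the same transaction that deploys it, so no uninitialized proxy ever exists on-chain. The contract names AtomicInitProxy, Vault and Deployer are hypothetical; the storage slot constant is the standard ERC-1967 implementation slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the article or Venn Network).
// Minimal ERC-1967 proxy that initializes atomically: the implementation
// address is written and the initializer is executed inside the constructor,
// so there is no block in which an unowned, uninitialized proxy is live.
contract AtomicInitProxy {
    // ERC-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 internal constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address implementation, bytes memory initData) {
        require(implementation.code.length > 0, "impl has no code");
        require(initData.length > 0, "initializer required");
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { sstore(slot, implementation) }
        // Initialization happens here, in the deployment transaction itself,
        // so nobody can front-run it with their own initialize() call.
        (bool ok, ) = implementation.delegatecall(initData);
        require(ok, "initializer reverted");
    }

    fallback() external payable {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// Hypothetical logic contract. initialize() sets the owner and may run only once.
contract Vault {
    address public owner;
    bool private initialized;

    // Mark the bare implementation as initialized so it cannot be claimed
    // by anyone either (same idea as OpenZeppelin's _disableInitializers).
    constructor() { initialized = true; }

    function initialize(address owner_) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }
}

// Hypothetical deployer: implementation and initialized proxy in one transaction.
contract Deployer {
    event Deployed(address proxy);

    function deploy() external returns (address) {
        Vault impl = new Vault();
        AtomicInitProxy proxy = new AtomicInitProxy(
            address(impl), abi.encodeCall(Vault.initialize, (msg.sender)));
        emit Deployed(address(proxy));
        return address(proxy);
    }
}
```

The vulnerable variant differs only in that the proxy constructor takes no initData and the deployer calls proxy.initialize(owner) in a separate, later transaction; that second transaction is the one a front-runner can beat. A useful review check for existing proxies is to confirm, from the deployment transaction trace, that the initializer ran in the same transaction as the proxy creation.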
The security researchers outmaneuvered the attackers by keeping the vulnerability under wraps during the operation, which led to a successful rescue.
Deeberiroz said several decentralized finance (DeFi) protocols were able to secure hundreds of thousands in crypto during the operation, acting in time before the attackers could siphon the assets.
“We found tens of millions of dollars potentially at risk,” Dadosh said. “But even scarier is if this could have kept growing, and a larger portion of the overall TVL [total value locked] held by the protocols involved could have been threatened.”
Berachain pauses contract, Lazarus suspected
The affected protocols included Berachain, whose team responded by pausing the affected contract. On Thursday, the Berachain Foundation recognized the potential vulnerability, paused its incentive claim contract and transferred its funds to a new contract.
“No user funds are at risk, or were lost,” the Berachain Foundation wrote on X. “Incentives will be claimable again within the next 24 hours as merkles for distribution are recreated.”
Venn Network security researcher David Benchimol suspects the infamous North Korean hacking group, Lazarus, was involved in the attack. Benchimol told Cointelegraph that “the attack vector was very sophisticated and deployed on every EVM chain.”
The researcher also noted that the attacker was waiting for a bigger target before performing an attack, making it more likely to be from an organized group. Despite this, Benchimol told Cointelegraph that there’s no confirmation that Lazarus was involved in the attack.