Researchers Foil $10M DeFi Backdoor in Thousands of Smart Contracts

A critical threat to the cryptocurrency ecosystem has been neutralized by a team of researchers from Venn Network, potentially preventing over $10 million in crypto losses. The discovery was made on Tuesday, after weeks of silent surveillance by the Venn Network team, who suspect that North Korean Lazarus Group was behind the attack.

The threat targeted uninitialized ERC-1967 proxy contracts, allowing attackers to hijack the contracts before they had been properly set up. This exploit, dubbed a "backdoor," enabled hackers to insert malicious code into thousands of smart contracts, giving them control over vulnerable funds and potentially leading to catastrophic losses for users.
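The deployment pattern behind this class of bug, shown as an added example that is not code from the article or from Venn Network: a proxy deployed with empty init data and initialized in a later transaction is open to whoever calls `initialize()` first, while passing the initializer call into the proxy constructor (and disabling initializers on the logic contract) closes that window. It assumes OpenZeppelin's `Initializable` and `ERC1967Proxy`; the vault contract and factory are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical logic contract placed behind an ERC-1967 proxy.
contract Vault is Initializable {
    address public owner;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs only in the logic contract's own storage, never through a proxy:
        // nobody can "initialize" the bare implementation and act as its owner.
        _disableInitializers();
    }

    // `initializer` lets this run exactly once per proxy; if that once happens in
    // a later transaction, the first caller (not the deployer) becomes owner.
    function initialize(address owner_) external initializer {
        owner = owner_;
    }

    function withdrawTo(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

contract VaultFactory {
    // Unsafe: the proxy is live on chain with no owner until someone sends
    // initialize(); between those two transactions anyone can claim it.
    function deployUnsafe(address impl) external returns (address) {
        ERC1967Proxy p = new ERC1967Proxy(impl, "");
        // initialize(...) expected in a separate transaction here.
        return address(p);
    }

    // Safe: the proxy constructor delegatecalls initialize() in the same
    // transaction as deployment, so no uninitialized state is ever observable.
    function deploySafe(address impl, address owner_) external returns (address) {
        bytes memory data = abi.encodeCall(Vault.initialize, (owner_));
        ERC1967Proxy p = new ERC1967Proxy(impl, data);
        return address(p);
    }
}
```

For existing deployments, the defensive check is the same one the factory encodes: confirm that every proxy's `initialize()` was consumed in its deployment transaction (or immediately after, by the intended deployer) rather than by an unrelated address.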

Researchers from Venn Network worked tirelessly alongside other developers to evaluate affected contracts and move or secure vulnerable funds during a 36-hour rescue operation. The team's efforts were instrumental in keeping the vulnerability under wraps, allowing them to outmaneuver the attackers and successfully neutralize the threat.

"In the simplest terms, the attacker exploited certain deployments which allowed them to put a well-hidden back door in thousands of contracts," explained Dadosh, co-founder and president of Venn Network. "The attacker could have taken over vulnerable contracts at any point. Once the contract was initialized, it made malicious activity nearly invisible."

Following the attack, the hacker had an undetected, unremovable backdoor for months, giving them a significant window to exploit the vulnerability and siphon assets from affected protocols. However, thanks to the quick action of Venn Network's researchers and developers, several decentralized finance (DeFi) protocols were able to secure at-risk crypto during the operation.

"We found tens of millions of dollars potentially at risk," Dadosh said. "But even scarier is if this could have kept growing, and a larger portion of the overall TVL [total value locked] held by the protocols involved could have been threatened."

The Affected Protocols

Several DeFi protocols were affected by the attack, including Berachain. The team responded by pausing the affected contract and transferring its funds to a new contract.

"No user funds are at risk, or were lost," the Berachain Foundation wrote on X. "Incentives will be claimable again within the next 24 hours as merkles for distribution are recreated."

The Suspects: North Korean Lazarus Group

Security researcher David Benchimol suspects that infamous North Korean hacking group Lazarus was involved in the attack, citing its complexity and widespread deployment.

"The attack vector was very sophisticated and deployed on every EVM chain," Benchimol told Cointelegraph. "The attacker was waiting for a bigger target before attacking, making it more likely to be from an organized group."

A Cautionary Tale

Despite the success of Venn Network's researchers in neutralizing the threat, the attack serves as a stark reminder of the ongoing risks facing the cryptocurrency ecosystem. As Cointelegraph noted earlier, crypto security is no longer just about protecting individual users, but also about safeguarding entire ecosystems and networks.