It all began last night, around 8 PM (GMT), on Convex Finance.
Summary
The hack suffered by the DeFi platform Convex Finance
The report came from Twitter, from a core team member of PieDAO, a well-known DeFi project dealing with tokenized funds.
During a transaction, the user noticed that the Convex website was leading him to use an unverified contract, which later turned out to be malicious.
He immediately tweeted the finding to alert the Convex team and to shed light on the issue.
What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31 @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31
4 Starting/Ending Characters are the same.
DNS spoofing?
— Alexintosh (@Alexintosh) June 23, 2022
The contract was particularly suspicious because it was unverified, had been created only recently, and its first and last four characters matched those of the genuine Convex contract.
This is a reminder that in order not to take risks, it is absolutely necessary to verify the entire address, every single letter, not just the beginning and the end.
It is worth remembering the importance of this step before approving a transaction, because the most dangerous attacks are precisely those that use vanity addresses: addresses generated so that their first and last characters match a legitimate contract, which wallets and block explorers often abbreviate to exactly those characters, while the address as a whole belongs to the scammer.
This is an attack that exploits people’s lack of caution!
The response of the Convex team together with important auditors from the crypto scene
The report immediately attracted the attention of a number of prominent security researchers, including the well-known samczsun.
The Convex team and auditors thus began investigating the source and extent of the problem.
Convex quickly reassured the community, explaining that the official protocol contracts were not in jeopardy and that the issue affected only the addresses that had mistakenly approved the malicious contract. Fortunately, those addresses turned out to be only five.
– Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.
At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.
— Convex Finance (@ConvexFinance) June 23, 2022
The first report triggered a series of checks that led to the tracing of at least 10 more malicious contracts like that one.
At the time of writing, the tally of what the hacker managed to steal is about 220 ETH.
Ribbon Finance appears to have suffered the same attack.
Analysis is still ongoing. Unfortunately, it appears that the hacker had not only targeted the Convex platform, but also Ribbon finance.
Simple steps to minimize the possibility of being hacked
- Use a hardware wallet and, ideally, a dedicated PC used only to manage your crypto positions;
- Try to interact only with protocols that have proven to be trusted over time;
- Use all tools intentionally, having first understood and learned how they work;
- Having a technical background, and never using DeFi products on autopilot, is perhaps the most powerful defence we all have at our disposal.
DeFi offers incredible opportunities, but by its nature it requires its users to be aware of what they are doing. We must remember that everyone is responsible for their own money: “Be smart, know what you are doing.”
Approving a contract (granting it an allowance to spend your tokens on your behalf) is one of the most dangerous actions a DeFi user takes, so it is necessary to do the proper checks before finalizing the transaction.
It is wise, in fact a must, to check the official documentation of the protocol you are using.
If a contract is not verified and has only been created a few days ago it is generally a bad sign, a big red flag.
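The check the two passages above call for (compare the whole address, not just its first and last characters, and only approve spenders you have confirmed against the protocol's documentation) can be automated before a transaction is signed. The following is an added example, not code from the article or from Convex Finance: it decodes the calldata of an ERC-20 approve() call, extracts the spender, and compares it against an allow-list. The two addresses are the ones from the report; the allow-list, the sample calldata and the function names are constructed here for illustration.

```python
"""Pre-signing check for an ERC-20 approve() call.

Added example, not the article's or Convex Finance's own code. Given the raw
calldata a dapp front-end asks a wallet to sign, it extracts the spender
address and classifies it as a known contract, a lookalike of a known
contract, or an unknown address. The allow-list and sample inputs are
constructed for this example.
"""

# First 4 bytes of keccak256("approve(address,uint256)"). Hard-coded so the
# example needs no keccak implementation (hashlib ships NIST SHA3, which is
# not the Ethereum keccak variant).
APPROVE_SELECTOR = "095ea7b3"

# Documented Convex contract quoted in the report (the correct address).
# A real allow-list would be copied from the protocol's official docs.
KNOWN_SPENDERS = {
    "0xf403c135812408bfbe8713b5a23a04b3d48aae31": "Convex Booster",
}

def parse_approve(calldata: str):
    """Return (spender, amount) from approve(address,uint256) calldata, else None."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    data = data.lower()
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word = data[8:72]
    # ABI encoding left-pads the 20-byte address to 32 bytes with zeros;
    # anything else in the padding means the calldata is malformed.
    if spender_word[:24] != "0" * 24:
        return None
    spender = "0x" + spender_word[24:]
    amount = int(data[72:], 16)
    return spender, amount

def looks_alike(candidate: str, reference: str, n: int = 4) -> bool:
    """True when two distinct addresses share their first and last n hex characters.

    This is exactly what a truncated display (0xF403...AE31) cannot distinguish.
    """
    a, b = candidate.lower(), reference.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]

def check_approval(calldata: str) -> dict:
    """Classify the spender of an approve() call against the allow-list."""
    parsed = parse_approve(calldata)
    if parsed is None:
        return {"verdict": "NOT_APPROVE", "spender": None}
    spender, amount = parsed
    if spender in KNOWN_SPENDERS:
        return {"verdict": "OK", "spender": spender,
                "name": KNOWN_SPENDERS[spender], "amount": amount}
    imitated = [name for addr, name in KNOWN_SPENDERS.items()
                if looks_alike(spender, addr)]
    if imitated:
        # Full-address comparison failed even though the abbreviated form matches:
        # this is the vanity-address pattern from the report.
        return {"verdict": "LOOKALIKE", "spender": spender,
                "imitates": imitated, "amount": amount}
    return {"verdict": "UNKNOWN", "spender": spender, "amount": amount}

def encode_approve(spender: str, amount: int) -> str:
    """Build approve(address,uint256) calldata; used to construct the samples below."""
    return ("0x" + APPROVE_SELECTOR
            + spender[2:].lower().rjust(64, "0")
            + format(amount, "064x"))

UINT256_MAX = 2**256 - 1
# Constructed sample: the approval the hijacked front-end asked for (malicious spender).
MALICIOUS_CALLDATA = encode_approve("0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31", UINT256_MAX)
# Constructed sample: the legitimate approval of the documented contract.
LEGIT_CALLDATA = encode_approve("0xF403C135812408BFbE8713b5A23a04b3D48AAE31", UINT256_MAX)

if __name__ == "__main__":
    for label, calldata in (("hijacked", MALICIOUS_CALLDATA), ("legit", LEGIT_CALLDATA)):
        print(label, check_approval(calldata))
```

The lookalike verdict is the important one: both addresses print as 0xF403...AE31 in a wallet confirmation dialog, and only the full 40-character comparison separates them. An unlimited allowance (uint256 max, as in the samples) to an unknown or lookalike spender is the condition under which a single mistaken approval hands the attacker the whole balance.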
Alexintosh, the user who started this cascade of reports, concludes the interview by saying:
“One has to understand that DeFi is a PvP world (Player vs Player) and therefore it is necessary to study how best to protect oneself from other users, from potential hackers in the system”.