$55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec

by skolnes



Crypto scams, hacks and exploits and how to avoid them: Crypto-Sec

Phish of the Week: DeFi Saver user loses $55 million in DAI

A user of the decentralized finance management protocol DeFi Saver suffered an unusual style of phishing attack on Aug. 21. According to an X post from blockchain security firm Global Ledger, the attacker tricked the user into reassigning ownership of their DeFi Saver Proxy contract, the DSProxy smart contract wallet through which DeFi Saver manages a user's positions.

The victim reportedly attempted a transaction soon afterward, but it failed because they no longer owned the proxy. The attacker then changed ownership again and drained the smart contract wallet of all of its Dai (DAI) stablecoin, removing over $55 million worth in total.

[Image: Global Ledger post to X about the DeFi Saver phishing attack. Source: Global Ledger]

Blockchain data shows that the DAI came from the null address rather than from the victim's address, implying that the attacker minted new DAI against collateral held in positions the proxy controls, rather than transferring DAI the victim already held.

The victim's smart contract wallet is labeled "DSProxy #166,776" on Etherscan. On Aug. 20, the account owner called the proxy's setOwner function (shown as "Set Owner" on Etherscan) with a malicious phishing account as the new owner. The owner was likely tricked by a malicious web app into approving this transaction. Because a DSProxy only executes calls on behalf of its owner, that single signature handed over everything the proxy controlled. It was a costly mistake, as the victim is now $55 million poorer.



Web3 users should inspect both the contract address and the function a transaction calls before approving it. Many protocols list their official contract addresses in their documentation, and users can check that the address they are about to interact with appears there. That check alone would not have caught this attack, since the transaction targeted the victim's own proxy, so it is equally important to read the decoded call in the wallet's confirmation screen: a dApp never needs a user to call setOwner, setAuthority or transferOwnership on the user's own proxy or wallet contract, and such a request should be refused. Wallets that decode or simulate a transaction before signing make this easier, although no security method is 100% foolproof.

DeFi exploits: iVest announces shutdown after $156K lost

Decentralized finance (DeFi) protocol iVestDAO announced that it will not be able to reopen after suffering a $156,000 exploit. The protocol had previously stated that it would compensate investors and reopen at a later date. However, iVest's Telegram admin told Cointelegraph on Aug. 15 that it is shutting down.

“Unfortunately, we are not able to continue operations and are shutting down the project and refunding our holders out of our own pockets,” the admin stated, calling this development “a tragic event.”

In a public statement on the protocol’s website, iVest claimed that the team is “refunding our holders out of our own pockets.” However, the totality of funds “is not recoverable and there is no method to replace it back to 100% with the personal funds available to the team.”

The team stated that it was “hurt and defeated,” but would “pick up the pieces and move on with our lives.”

iVest was exploited via a ‘null address’ donation attack on Aug. 12.

Malware Corner: Copy2pwn bypasses Windows SmartScreen

A new exploit technique, called "copy2pwn," is being used by malware operators to bypass Windows SmartScreen, the reputation check Windows applies to files downloaded from the internet, according to a report from SecurityWeek. Microsoft patched the underlying vulnerability in its August 2024 security updates, but devices that have not yet installed the update remain at risk.

The exploit could potentially be used to install malware, leading to the loss of private keys in software wallets.


Copy2pwn was disclosed as CVE-2024-38213 and reportedly discovered by Trend Micro's Zero Day Initiative. It abuses Windows support for the Web-based Distributed Authoring and Versioning (WebDAV) protocol, which is intended to let users share and edit web-hosted content as though it sat on a network share.

However, cybercriminals discovered that files copied from a WebDAV share to the local disk were not tagged with the Mark of the Web, the Zone.Identifier alternate data stream that records a file's internet origin and is what triggers the SmartScreen check. The copied file was therefore treated as local content and ran without any warning.

According to the report, malware operators have been using copy2pwn to install DarkGate on users' devices. DarkGate is a sophisticated malware program that is difficult to detect and efficient at stealing data, according to cybersecurity firm SOCRadar.

Crypto users who rely on Windows SmartScreen for malware protection should install the August 2024 Windows security updates as soon as possible. SmartScreen is a last line of defense rather than a substitute for caution: an installer that arrives through an unexpected link or share deserves suspicion whether or not Windows warns about it.
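An added example, not from the article, SecurityWeek or ZDI: a small reader for the Mark of the Web stream, which lets you check whether a file you copied from a share actually carries the tag SmartScreen keys on. The stream format and zone numbers are how Windows records it; the sample stream, file name and URLs are constructed.

```python
# Added example (not code from the article or from ZDI): read and interpret the
# Mark of the Web that Windows stores in a file's Zone.Identifier alternate data
# stream. A file copied via the copy2pwn technique simply has no such stream,
# and SmartScreen then treats it as local content.

import sys

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream into a dict, or None if malformed."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def classify(fields):
    """Describe what SmartScreen will assume from a parsed stream (or its absence)."""
    if fields is None:
        return "no Mark of the Web: treated as a local file, SmartScreen will not check it"
    zone = fields["ZoneId"]
    name = ZONES.get(zone, f"unknown zone {zone}")
    origin = fields.get("HostUrl") or fields.get("ReferrerUrl") or "unknown origin"
    if zone >= 3:
        return f"zone {zone} ({name}) from {origin}: SmartScreen reputation check applies"
    return f"zone {zone} ({name}): trusted zone, no SmartScreen check"


def read_motw(path):
    """Return the parsed Zone.Identifier of a file, or None when the stream is absent."""
    if not sys.platform.startswith("win"):
        return None  # the stream is an NTFS feature; elsewhere there is nothing to read
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed sample of what a browser writes for an internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/wallet-setup.exe\r\n")

if __name__ == "__main__":
    print(classify(parse_zone_identifier(SAMPLE_STREAM)))
    print(classify(None))
    for path in sys.argv[1:]:               # e.g. a file just copied from a WebDAV share
        print(path, "->", classify(read_motw(path)))
```

Run it with a file path on Windows after copying something from a share; if the output says there is no Mark of the Web, SmartScreen will not inspect that file no matter where it really came from.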

Clipboard hijacking hits hackathon participant

Porter Adams, a software engineer at ZKsync developer Matter Labs, ran across crypto-stealing malware in an unusual place on Aug. 25: on the PC of a fellow hackathon participant.

Adams posted a video of the reported incident on X.

[Image: Porter Adams post to X about clipboard hijacking malware. Source: Porter Adams]

The participant was attempting to send Ether (ETH) on the Sepolia test network to a particular address. However, Adams discovered that the person’s device was infected with clipboard-hijacking software.

Whenever the user copied a crypto address, the malware silently replaced the clipboard contents with the malware operator's address, so that pasting put the attacker's address into the transaction and any funds sent were lost for good.

Luckily, the participants were using a testnet with ETH that had no real value. But had the participant gone home and made real crypto transactions with this device, they could have easily lost all of their funds. “I saved a hackathon participant from malware today,” Adams stated in his post.

When copying and pasting addresses, crypto users are advised to compare the pasted address with the one they intended to copy, checking the whole string rather than just the first and last few characters, since a hijacker can choose a substitute address that shares those. If the pasted address differs, the device should be treated as compromised: stop signing transactions on it and move any keys it holds to a clean device.
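As an added example, not code from the article or from Porter Adams, here is a simulation of what a clipboard hijacker does alongside the comparison a user should make before sending. It goes slightly beyond the incident above by also matching Bitcoin-style addresses and by flagging the case where the substitute shares the start and end of the intended address. All addresses below are constructed placeholders.

```python
# Added example (not code from the article): a simulated clipboard hijacker and
# the paste check that defeats it. The addresses are constructed placeholders.

import re

# Address shapes a typical hijacker watches for, and the attacker-controlled
# swap-in for each chain (constructed; a real clipper ships its own).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc": re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{25,90}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}
ATTACKER = {
    # Shares the first and last six characters of INTENDED_ETH below, so a
    # glance at the ends of the address would not reveal the swap.
    "eth": "0x5a2c9d8f7e6a5b4c3d2e1f0a9b8c7d6e5f8a7e65",
    "btc": "bc1qattackerplaceholder00000000000000000000",
}
INTENDED_ETH = "0x5a2cf1b0d39e4e0c23e0fb3e2a6f0d1c9b8a7e65"   # constructed


def hijack(clipboard: str) -> str:
    """Simulated malware behaviour: rewrite every address-looking token in the clipboard."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        clipboard = pattern.sub(ATTACKER[chain], clipboard)
    return clipboard


def check_paste(copied: str, pasted: str, edge: int = 6) -> str:
    """Compare what was copied with what got pasted.

    Returns 'ok' when identical, 'lookalike' when only the middle differs (the
    hijacker picked an address that passes an eyeball check of the ends), and
    'swapped' for any other mismatch.
    """
    c, p = copied.strip().lower(), pasted.strip().lower()
    if c == p:
        return "ok"
    if c[:edge] == p[:edge] and c[-edge:] == p[-edge:]:
        return "lookalike"
    return "swapped"


if __name__ == "__main__":
    typed = f"send 0.5 ETH to {INTENDED_ETH}"
    pasted = hijack(typed)                       # what an infected machine pastes
    print(pasted)
    print(check_paste(INTENDED_ETH, pasted.split()[-1]))   # -> lookalike
```

The `lookalike` verdict is the reason the advice above says to compare the whole address: a user who checks only the first and last few characters would approve the hijacked paste here.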

Christopher Roark

Some say he’s a white hat hacker who lives in the black mining hills of Dakota and pretends to be a children’s crossing guard to throw the NSA off the scent. All we know is that Christopher Roark has a pathological desire to hunt down scammers and hackers.
