
At 5:40 p.m. Beijing time on December 14th, CertiK Skynet monitoring detected a very large transaction from the account of Nexus Mutual founder Hugh Karp, which transferred a total of 370,000 NXM tokens to an unknown account.
The CertiK security verification team immediately began investigating and concluded that the transaction was the result of a hacking attack on Hugh Karp's account.
Attack process
The whole attack process is as follows:
Attacker's receiving address: 0x09923e35f19687a524bbca7d42b92b6748534f25
Part of the tokens obtained in the attack have already been sold on 1inch.exchange in transaction 0xfe2910c24e7bab5c96015fb1090aa52b4c0f80c5b5c685e4da1b85c5f648558a.
The transaction that transferred the tokens (Figure 1): 0x4ddcc21c6de13b3cf472c8d4cdafd80593e0fc286c67ea144a76dbeddb7f3629
[Figure 1: the transfer transaction]
According to the officially disclosed details, after gaining remote control of Hugh Karp's personal computer, the attacker modified the MetaMask extension used on that computer and misled him into signing the transaction shown in Figure 1; this transaction ultimately transferred a huge amount of tokens to the attacker's address.
Based on the available information, the CertiK team speculates that while Hugh was using MetaMask as usual, the extension modified by the attacker generated a transfer request for this huge amount of tokens, and Hugh then signed that transaction with his hardware wallet.
Like an ordinary website, the front end of a browser extension is built from HTML and JavaScript; the difference is that the extension's code is stored on the user's computer, where anyone with control of the machine can alter it.
As to how the hacker modified the MetaMask extension, the CertiK team offers the following guesses:
1. After gaining control of Hugh Karp's personal computer, the hacker opened the browser over remote desktop and directly installed a modified MetaMask extension.
2. The hacker located the installation path of the MetaMask extension on Hugh Karp's computer, modified the code there, and then loaded the modified extension into the browser.
3. The hacker used the browser's built-in developer console to modify the extension already installed in the browser.
The official disclosure mentioned that Hugh Karp used a hardware wallet, but did not say which one.
It should be either a Trezor or a Ledger, since at the time MetaMask supported only those two hardware wallets.
With a hardware wallet, a transaction initiated in MetaMask has to be confirmed on the device and is signed with a private key that never leaves it.
Both of these wallets currently display the recipient address on the device screen for the user's final confirmation. Note that for an ERC-20 transfer the transaction's to field is the token contract; the actual recipient sits inside the calldata, so the address that matters is the decoded recipient the device shows, not the contract address.
In this attack the hacker should not have been able to alter the address displayed on the device's confirmation screen. It is therefore speculated that Hugh Karp did not notice, when giving final confirmation on the hardware wallet, that the recipient of the transaction was the hacker's address.
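The two points above (a tampered extension rewriting a transfer before it reaches the signer, and the recipient check the hardware wallet screen makes possible) can be shown in a small simulation. The following JavaScript is an added example, not code from CertiK, Nexus Mutual or MetaMask, and it does not claim to reproduce how the real extension was modified. It encodes and decodes ERC-20 transfer(address,uint256) calldata, simulates an extension that swaps the recipient and amount in an eth_sendTransaction request, and then runs the comparison a user should make against what the device displays. The attacker address is the one named above; every other address, the token contract and the 1-token "intended" amount are constructed for the example.

```javascript
// Added example (not CertiK's, Nexus Mutual's or MetaMask's code). Simulates a tampered
// wallet extension rewriting an ERC-20 transfer in flight, and the check the user must
// do on the hardware wallet screen: decode the calldata and compare recipient and
// amount with what was intended. Every address except ATTACKER is constructed.

const TRANSFER_SELECTOR = "0xa9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")
const ATTACKER = "0x09923e35f19687a524bbca7d42b92b6748534f25"; // receiving address from the incident
const INTENDED_RECIPIENT = "0x1111111111111111111111111111111111111111"; // constructed
const TOKEN_CONTRACT = "0x2222222222222222222222222222222222222222"; // constructed, stands in for the token
const ONE_TOKEN = 10n ** 18n; // 18 decimals

// ABI-encode transfer(address,uint256): selector + 32-byte left-padded address + 32-byte amount.
function encodeTransfer(to, amount) {
  const addr = to.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return TRANSFER_SELECTOR + addr + amt;
}

// Decode transfer calldata; returns null unless it is a well-formed ERC-20 transfer.
function decodeTransfer(data) {
  const d = data.toLowerCase();
  if (!d.startsWith(TRANSFER_SELECTOR) || d.length !== 10 + 128) return null;
  const toWord = d.slice(10, 74);
  if (!/^0{24}[0-9a-f]{40}$/.test(toWord)) return null; // upper 12 bytes of the address word must be zero
  return { to: "0x" + toWord.slice(24), amount: BigInt("0x" + d.slice(74)) };
}

// What a tampered extension could do to an eth_sendTransaction request: the dApp UI
// still shows the original transfer, but the calldata handed to the signer is replaced.
function tamperedExtension(tx, drainAmount) {
  if (!decodeTransfer(tx.data)) return tx; // not a token transfer, pass through untouched
  return { ...tx, data: encodeTransfer(ATTACKER, drainAmount) };
}

// The check the hardware wallet screen makes possible: compare what is actually being
// signed with what the user meant to send. Note that tx.to is the token contract in
// both cases; only the decoded recipient reveals the swap.
function verifyTransfer(tx, expectedRecipient, expectedAmount) {
  const t = decodeTransfer(tx.data);
  if (!t) return { ok: false, reason: "not a recognised ERC-20 transfer" };
  if (t.to !== expectedRecipient.toLowerCase()) return { ok: false, reason: "recipient mismatch", actual: t.to };
  if (t.amount !== expectedAmount) return { ok: false, reason: "amount mismatch", actual: t.amount };
  return { ok: true };
}

// Scenario: the user means to send 1 token; the tampered extension turns the request
// into a 370,000-token transfer to the attacker. The amounts are illustrative.
function scenario() {
  const intended = { to: TOKEN_CONTRACT, data: encodeTransfer(INTENDED_RECIPIENT, ONE_TOKEN) };
  const signed = tamperedExtension(intended, 370000n * ONE_TOKEN);
  return {
    before: verifyTransfer(intended, INTENDED_RECIPIENT, ONE_TOKEN),
    after: verifyTransfer(signed, INTENDED_RECIPIENT, ONE_TOKEN),
    shownOnDevice: decodeTransfer(signed.data), // what a device that decodes the call would display
  };
}

console.log(JSON.stringify(scenario(), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

The point of verifyTransfer is that the comparison has to be made against the decoded recipient and amount on the device, not against anything rendered by the browser: once the extension is under the attacker's control, every value shown on the computer screen is untrusted.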
Security advice
That the account of the founder of a blockchain insurance platform was attacked shows just how important insurance is.
The high density of recent hacking incidents is a warning.
In the blockchain world, no matter who you are or what role you play, hackers will not pass you over out of luck, and losses from security incidents can happen to anyone.
Even with a hardware wallet, no one can avoid ever making a mistake over an entire lifetime.
A series of articles published by CertiK some time ago 【】 explains precisely why insurance is indispensable.
Based on this attack, the CertiK security verification team offers the following security recommendations:
1. Any security system and operating environment requires not only program-level security verification but also professional penetration testing to verify the overall security of the product.
Search for [certikchina] on WeChat and follow CertiK's official WeChat account; tap the dialog box at the bottom of the account page and leave a message for a free consultation and quotation.