MM.Finance Hacked, Around $2M Stolen
MM.Finance was hacked on May 5th: the attacker managed to inject a malicious contract address into the frontend code, and approximately $2M USD+ worth of digital assets was stolen, bridged over to the Ethereum network via Multichain, and then sent through Tornado Cash.
Below is a quick overview of this project.
MM.Finance is the largest ecosystem on Cronos, with its DEX, Yield Optimizer, NFT, Algo Stablecoin & DTF. It has the lowest trading fees on Cronos Chain at 0.17%. On top of that, it was about to introduce Protocol Owned Liquidity (POL) into its ecosystem on Cronos.
What was the Team’s Response to the Attack?
As soon as the team was notified of the attack, they tweeted: "We have verified, and there's a frontend breach. Please do not perform any transactions or your funds will be sent to the exploiter wallet. We will be disabling the frontend ASAP."
The MM.Finance team advised its users to revoke access granted to the contract
0xbd872533Db178Ff7657Bf0057f25ABC4Ff6f904c using https://app.unrekt.net/. Users should connect their wallet and search for this contract to revoke it if they used any functions on the site during the 2 hours of the attack.
The team also released guidelines for users to follow when performing swaps. First, perform a hard refresh of the site using
CTRL-SHIFT-R or CMD-SHIFT-R. Second, when performing a swap, check that the confirmation dialog shows the router address, as shown in the image below:
0x145677FC4d9b8F19B5D56d1820c48e0443049a30. Finally, for extra safety, add the router contract to the wallet's address book, so that it is obvious whether the router being called is the correct one.
How did the attack occur?
The attacker used a DNS vulnerability to modify the router contract address in the site's hosted files. As a result, users who interacted with the MM.Finance site from May 4th, 07:28 PM UTC onwards lost funds when performing swaps, adding liquidity, or removing liquidity.
When victims navigated to mm.finance to remove liquidity, the malicious router kicked in, and the LPs were withdrawn to the attacker’s address. Here is the link to the attacker’s address: https://cronoscan.com/address/0xb3065fe2125c413e973829108f23e872e1db9a6b.
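The two user-side safeguards the team recommended, checking the router address in the confirmation dialog and pinning it in an address book, can be automated. The JavaScript below is an added example, not code from MM.Finance or from the original post: it wraps an EIP-1193 provider (the `window.ethereum`-style object that wallets expose) and refuses any `eth_sendTransaction` whose destination, or whose ERC-20 `approve()` spender, is not a pinned address. The router address and the injected contract address are the ones quoted in this post; the token contract address and the sample transactions are constructed placeholders.

```javascript
'use strict';

// Added example (not MM.Finance code): a client-side guard that pins the DEX
// router address, so a swapped-in contract address like the one injected in
// the frontend breach is refused before the wallet is asked to sign anything.

// Addresses quoted in the post. Comparison is done on lowercased hex; the
// EIP-55 mixed-case checksum is not verified here (that would need keccak256).
const TRUSTED_ROUTER = '0x145677FC4d9b8F19B5D56d1820c48e0443049a30';
const INJECTED_CONTRACT = '0xbd872533Db178Ff7657Bf0057f25ABC4Ff6f904c';

// 4-byte selector of ERC-20 approve(address,uint256).
const APPROVE_SELECTOR = '0x095ea7b3';

function normalizeAddress(addr) {
  if (typeof addr !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error(`malformed address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

// Build the allowlist once, from addresses verified out of band
// (for example the router address the project published).
function buildAllowlist(addresses) {
  return new Set(addresses.map(normalizeAddress));
}

// If calldata is an ERC-20 approve() call, return the spender it grants, else null.
function approveSpender(data) {
  if (typeof data !== 'string') return null;
  const hex = data.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR)) return null;
  // Layout: selector (4 bytes) | spender (32-byte word, address in the low
  // 20 bytes) | amount (32 bytes). Characters 10..73 hold the spender word.
  const word = hex.slice(10, 74);
  if (!/^0{24}[0-9a-f]{40}$/.test(word)) return null;
  return '0x' + word.slice(24);
}

// Screen one eth_sendTransaction request. Approvals may target any token
// contract, but only with a pinned spender; every other call must go
// straight to a pinned contract.
function checkTransaction(tx, allowlist) {
  const spender = approveSpender(tx.data);
  if (spender !== null) {
    const ok = allowlist.has(spender);
    return { ok, kind: 'approve', target: spender,
             reason: ok ? null : 'approve() spender is not a pinned contract' };
  }
  const to = normalizeAddress(tx.to);
  const ok = allowlist.has(to);
  return { ok, kind: 'call', target: to,
           reason: ok ? null : 'transaction destination is not a pinned contract' };
}

// Wrap an EIP-1193 provider so every eth_sendTransaction passes the screen
// before it reaches the wallet. Other methods are forwarded untouched.
function guardProvider(provider, allowlist) {
  return {
    request(args) {
      if (args && args.method === 'eth_sendTransaction') {
        const verdict = checkTransaction(args.params[0], allowlist);
        if (!verdict.ok) {
          return Promise.reject(new Error(`blocked: ${verdict.reason} (${verdict.target})`));
        }
      }
      return provider.request(args);
    },
  };
}

// Constructed demo inputs (not real transactions from the incident).
const allowlist = buildAllowlist([TRUSTED_ROUTER]);
const swapViaInjectedRouter = { to: INJECTED_CONTRACT, data: '0x' };
const approveInjectedSpender = {
  to: '0x0000000000000000000000000000000000000001', // placeholder token contract
  data: APPROVE_SELECTOR
    + INJECTED_CONTRACT.slice(2).toLowerCase().padStart(64, '0')
    + 'f'.repeat(64), // unlimited allowance
};

console.log(checkTransaction(swapViaInjectedRouter, allowlist));
console.log(checkTransaction(approveInjectedSpender, allowlist));
```

Because the compromise was in the served frontend, a check like this only helps when it runs outside the attacker's reach, in a wallet extension or a user-installed script rather than in the dApp bundle itself; a guard shipped with the page would have been replaced along with the router address. The comparison is on raw hex and does not validate the EIP-55 checksum, and an `approve()` granted before the guard was in place still has to be revoked, as the team advised.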
How was the Issue Resolved?
The team will be removing two service providers from their deployment stack, significantly reducing the attack vectors. Most importantly, all smart contracts are safe, and all users' funds are SAFU. This means that the MM Ecosystem tokens themselves are not affected.
The team will set up a compensation pool for those who were affected. They will forsake their dev share of trading fees and use all of those trading fees to purchase MUSD. They will then place all the MUSD into a compensation pool for users to claim from. A snapshot will be taken shortly, and the amount lost in USD will be tabulated so that everyone can be fairly compensated. All affected wallet addresses will be added to the compensation pool, which will run for 45 days.
What is the team doing now?
The team has been investigating the on-chain transactions and has also engaged partners to escalate this in terms of real-world consequences. They traced the hacker's funding to the OKX exchange. Here is the link to the hacker's funding: https://cronoscan.com/address/0x3fbaf5eeb4850af492a66807ff7fd7210deee7e3. As we can see, it is mapped to
Here is the actual funding transaction: https://crypto.org/explorer/tx/0C7193F9E2D8FAE789A4B21DBC554D942329A5DA8734541563F339867740527B. Here is the mapped 0x address to the underlying address. Here is the link to the tool used: https://crypto-org-chain.github.io/cronos-address-webtool/.
Now the team wants to involve the FBI, using all of this available information. They have told the hacker to return 90% of the stolen funds, in which case they will let him go with no questions asked.
As crypto hacks are increasing nowadays, our readers should stay alert.