SteadeFI Hack
On August 7th, more than $1M in assets were stolen by a hacker.
- The hacker drained several vaults of the SteadeFI Protocol on both the Arbitrum and Avalanche blockchains.
- The stolen assets were swapped for $ETH and then bridged to Ethereum.
- A total of 624 $ETH was sent to another wallet, which then transferred the $ETH to Tornado Cash to make it untraceable.
How the hacker exploited SteadeFI
According to the official announcement of the Protocol:
Findings from Initial Investigations
Two primary points of failure
1) Malware injection from a targeted social engineering attack
On 17th June 2023, a Telegram chat conversation was started between Steadefi management and the “Spirit Blockchain Group”, a front for a fund looking to invest in crypto projects.
From this chat group, a file was downloaded and opened, and malware was likely injected.
On 28th June 2023, based on the Metamask logs and verified by the Metamask team, Jeff’s Metamask seed phrases (which include the sole deployer account) were copied.
Please note that this is part of an ongoing investigation and we do not have direct evidence of the malware copying the seed phrase.
2) Lack of attention to proper operational security processes
The deployer account had too many permissions as an owner of all contracts.
There was no process in place to transfer ownership of deployed contracts to a multisig account with enough trusted signers.
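The process missing in point 2 is a hand-off of contract ownership from the deployer key to a multisig, done in two steps so the multisig proves it controls the address before the deployer loses control. The following Solidity sketch is an added illustration, not SteadeFI's code; the contract and function names are assumptions, and the two-step pattern is written out inline so it compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration (not SteadeFI code): a vault whose privileged functions
// are gated by an owner, with a two-step hand-off so the deployer key can
// pass control to a multisig right after deployment. Names are assumptions.
contract OwnedVault {
    address public owner;          // current owner: the deployer at first
    address public pendingOwner;   // nominated multisig, until it accepts
    address public strategy;       // example privileged setting

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender; // deployer EOA: a single point of failure until step 2
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1 (deployer): nominate the multisig. Requiring contract code at
    // the address rejects a bare EOA, so ownership cannot be "moved" to
    // another single key by mistake. (A not-yet-deployed CREATE2 Safe would
    // also be rejected; deploy the multisig first.)
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        require(newOwner.code.length > 0, "owner must be a contract (multisig)");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2 (multisig, with its signer threshold): accept. Only the nominated
    // address can finish, so a mistyped address strands nothing, and after
    // this call the deployer key alone can no longer reach onlyOwner code.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    // Privileged operation: after the hand-off this needs the multisig's
    // signers, not a single seed phrase.
    function setStrategy(address newStrategy) external onlyOwner {
        strategy = newStrategy;
    }
}
```

A deployment checklist can then verify `owner()` on every deployed contract equals the multisig address and `pendingOwner()` is zero before the protocol goes live.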
How will SteadeFI proceed?
SteadeFI offered the perpetrators a 10% bounty on the stolen funds if they returned the remaining 90% before August 10th at 08:00 UTC, in exchange for not pursuing legal action.
If the perpetrators did not respond, the bounty would be extended to the public, offering 10% to anyone able to identify the hacker in a way that leads to a conviction in court.
However, there was no communication from the hackers, and SteadeFI has only announced plans to reimburse the affected users in USDC, though it will take some time before this is available.