Crypto hackers are showing no restraint during the crypto winter. The recent breach at FTX resulted in the loss of millions of dollars worth of crypto. Attackers gained access to a crypto trader's FTX account by abusing an API key tied to the trading platform connected to the account.
The automated crypto trading bot company 3Commas issued a security notice following the attack. 3Commas took action after detecting that certain FTX API keys had been used to conduct illicit transactions in DMG trading pairs on the FTX exchange.
FTX API exploited
One user first discovered that his account had traded DMG tokens more than 5,000 times before the hacking complaints surfaced. He afterwards learned that over $1.6 million worth of Bitcoin, FTX Token, Ethereum and other cryptocurrencies had been stolen from his account.
Reports indicated this was not an isolated incident; there were three more victims. For its part, FTX said the hack was related to the leakage of API keys for the trading platform 3Commas.
Bruce, a second FTX user, revealed in an October 22 Twitter thread that he was a victim of the FTX attack. He disclosed that he lost $1.5 million as a result of the October 21 incident. According to Bruce, he had never used or even heard of 3Commas, had not used the API key in the previous two years, and had never written the secret down on paper.
He also reported that on October 18 and 19, malicious actors traded DMG using his account, and he questioned why FTX had no risk-management procedures in place against illegal trading.
3Commas exploit analysis
3Commas and FTX conducted a joint investigation into user claims of fraudulent trades in DMG trading pairs on FTX. The two companies determined that the DMG trades were conducted through new 3Commas accounts and that "the API keys were not obtained from the 3Commas platform but from outside of it."
The investigation revealed that fraudulent websites posing as 3Commas were used to phish API keys from users as they connected their FTX accounts. The FTX API keys were then used to conduct the illegal DMG trades. Based on user activity, FTX and 3Commas identified the suspect accounts and disabled the API keys to prevent further losses.
3Commas also suspects that API keys were stolen from users via malware and third-party browser extensions. The company denied responsibility, stating that several affected users have never been 3Commas customers and that there is no chance the security incident originated with 3Commas' services.
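The article says the two companies identified the suspect accounts "based on user activity", and Bruce asks why no risk-management check caught a dormant key suddenly making thousands of trades in a pair the account had never touched. The following is an added example, written for this page and not code from FTX or 3Commas, of what such exchange-side checks can look like over a trade log: a burst detector for one key hammering one pair, a dormant-key detector, and a never-before-traded-pair detector. All account names, key IDs, timestamps and thresholds are constructed for the example; only the DMG pair and the "unused for two years" detail come from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Trade:
    ts: datetime
    account: str
    key_id: str   # which API key signed the order
    pair: str
    side: str
    qty: float


@dataclass(frozen=True)
class KeyMeta:
    key_id: str
    account: str
    last_used: Optional[datetime]   # None = never used before this batch


# Thresholds are illustrative; tune them to the venue's normal volume.
BURST_THRESHOLD = 50                 # trades on one pair inside the window
BURST_WINDOW = timedelta(minutes=10)
DORMANCY = timedelta(days=365)       # key idle this long, then active = suspicious


def burst_alerts(trades: List[Trade], threshold: int = BURST_THRESHOLD,
                 window: timedelta = BURST_WINDOW) -> List[Tuple[str, str, int]]:
    """Flag (key, pair) whose trade count in any sliding window reaches threshold."""
    stamps_by_key_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for t in trades:
        stamps_by_key_pair[(t.key_id, t.pair)].append(t.ts)
    alerts = []
    for (key, pair), stamps in stamps_by_key_pair.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:   # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append((key, pair, hi - lo + 1))
                break                          # one alert per key/pair is enough
    return alerts


def dormant_key_alerts(trades: List[Trade], key_meta: Dict[str, KeyMeta],
                       dormancy: timedelta = DORMANCY) -> List[str]:
    """Flag keys whose first trade in the batch follows a long idle period."""
    first_seen: Dict[str, datetime] = {}
    for t in sorted(trades, key=lambda t: t.ts):
        first_seen.setdefault(t.key_id, t.ts)
    alerts = []
    for key_id, ts in first_seen.items():
        meta = key_meta.get(key_id)
        if meta is None:
            continue
        if meta.last_used is None or ts - meta.last_used >= dormancy:
            alerts.append(key_id)
    return alerts


def new_pair_alerts(trades: List[Trade],
                    history: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag accounts trading a pair absent from their historical pair set."""
    alerts = set()
    for t in trades:
        if t.pair not in history.get(t.account, set()):
            alerts.add((t.account, t.pair))
    return sorted(alerts)


# Constructed sample: a key idle since 2020 suddenly fires 60 DMG orders in
# five minutes, next to three ordinary BTC trades from a healthy key.
_T0 = datetime(2022, 10, 21, 2, 0, 0)
SAMPLE_TRADES: List[Trade] = [
    Trade(_T0 + timedelta(seconds=5 * i), "acct-victim", "k-victim", "DMG/USD",
          "buy" if i % 2 == 0 else "sell", 1000.0)
    for i in range(60)
] + [
    Trade(datetime(2022, 10, 21, 1, 0, 0), "acct-normal", "k-normal", "BTC/USD", "buy", 0.1),
    Trade(datetime(2022, 10, 21, 1, 30, 0), "acct-normal", "k-normal", "BTC/USD", "sell", 0.1),
    Trade(datetime(2022, 10, 21, 3, 0, 0), "acct-normal", "k-normal", "BTC/USD", "buy", 0.2),
]
SAMPLE_KEYS: Dict[str, KeyMeta] = {
    "k-victim": KeyMeta("k-victim", "acct-victim", datetime(2020, 6, 1)),
    "k-normal": KeyMeta("k-normal", "acct-normal", datetime(2022, 10, 20)),
}
SAMPLE_HISTORY: Dict[str, Set[str]] = {
    "acct-victim": {"BTC/USD", "ETH/USD"},
    "acct-normal": {"BTC/USD"},
}

if __name__ == "__main__":
    print("burst:", burst_alerts(SAMPLE_TRADES))
    print("dormant:", dormant_key_alerts(SAMPLE_TRADES, SAMPLE_KEYS))
    print("new pair:", new_pair_alerts(SAMPLE_TRADES, SAMPLE_HISTORY))
```

Any one of the three signals alone produces false positives (a legitimate bot also trades in bursts); the point is that the combination seen here, a long-dormant key, an unfamiliar pair and a burst, is exactly the profile the article describes, and an exchange can pause the key and notify the account owner before 5,000 trades have executed.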
FTX users who have connected their accounts to 3Commas and have received a notification that their API key is "invalid" or "needs upgrading" must generate new API keys. Throughout the security notice, the trading-bot platform emphasized that it was not responsible for customer data getting into the wrong hands.
"To reiterate and clarify, there has been no breach of either 3Commas account security databases or API keys. This is an issue that has affected multiple users who have never been customers of 3Commas, so there is no possibility that it is a leak of API keys originating from 3Commas."
3Commas
Users can generate a new API key on FTX and link it to their 3Commas account so that active trades are not interrupted. 3Commas says it is currently assisting the victims and gathering additional information about the attackers.
FTX has teamed up with Visa to distribute debit cards in 40 countries worldwide. The agreement lets FTX customers pay for goods and services with debit cards that come with "zero fees" and no annual fee. The market responded to the news by sending the FTX Token up 7%, briefly reaching a price of $25.62.
Yet another crypto hack
OlympusDAO users had a brief scare in the preceding hours. A hacker stole 30,000 OHM tokens, worth about $300K, but the funds were later returned. The hacker appears to have been wearing a white hat and used a flaw in the smart contract for the new OHM Bonds product.
According to PeckShield, the "BondFixedExpiryTeller contract's redeem function does not correctly check input." The blockchain security firm noted, however, that the problematic smart contract was written by Bond Protocol. After discovering the vulnerability, the DAO informed members of the hack via its Discord channel.
"This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol. This bug was not found by three auditors, nor by our internal code review, nor reported via our Immunefi bug bounty."
Official announcement
OlympusDAO said that the affected funds were limited because of the staggered rollout. The sum stolen is a small fraction of the $3,300,000 bounty the hacker could have earned by disclosing the vulnerability. The DAO team said at the time that it had shut down the problematic markets and was looking for ways to reimburse the affected users.
Crypto hacking is on the upswing and has dominated most of October. The crypto market is at its lowest point ever. More hacks threaten to destabilize the existing decentralized financial market. What can be done? Can crypto investors withstand additional losses?