Cryptohack Roundup: GDAC, Yearn Finance, SushiSwap
Also: FTX's 'Egregious' Cybersecurity Failures; Treasury Assesses DeFi Risk
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between April 7 and April 13, hackers stole $14 million from South Korean crypto exchange GDAC, $11.6 million from Yearn Finance and $3.3 million from SushiSwap. FTX's latest bankruptcy report detailed its "egregious" cybersecurity failures, and the U.S. Department of the Treasury warned DeFi to shape up. Also, Calgary set up a cryptocurrency cybercrime unit, and Euler Finance began the process of compensating hack victims.
Crypto exchange GDAC on Wednesday said a hacker had drained nearly $14 million from the South Korean company's platform, forcing a two-week pause in transactions. The thief on Sunday morning hacked GDAC's hot wallet to steal 23% of the company's total custodial assets, CEO Seung-hwan Han said on the day of the hack, but did not offer technical details. "All assets currently held by GDAC are fully covered and preserved," he said, adding that law enforcement authorities are involved in the investigations.
A hacker exploited a vulnerability in a token issued by decentralized finance protocol Yearn Finance on Thursday to steal about $11.6 million, security firm PeckShield said. The exploit occurred on Aave version 1, an open-source liquidity protocol the company uses. "We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave," PeckShield said in a follow-up tweet.
Decentralized crypto exchange SushiSwap suffered a multimillion-dollar hack on Sunday, after a hacker exploited a smart contract bug, security firm Ancilia said. The vulnerable contract aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Only users who used the service between March 29 and April 1 were affected, DefiLlama pseudonymous developer 0xngmi said. The hack seems to have resulted in Sifu, a popular crypto advocate, losing ETH worth $3.3 million, PeckShield said.
A report from FTX replacement CEO John Ray III filed Sunday in the fallen cryptocurrency platform's ongoing bankruptcy case shows the company lacked basic security controls to protect crypto assets. Among its many failures: It lacked a CISO, kept virtually all of customers' assets in internet-accessible hot wallets, stored private keys in plain text, and did not use multi-party computation controls.
"FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group's entire business - its assets, infrastructure, and intellectual property - consisted of computer code and technology," the report states.
U.S. Department of Treasury Report
The U.S. Treasury Department published a report recommending strengthened regulatory supervision over decentralized finance. DeFi services often do not implement anti-money laundering controls, and cybersecurity tends to be poor, the report says. Regulators should conduct industry outreach to "further explain how applicable regulations apply to DeFi services, in line with previously issued regulations and guidance," it says.
The report is a watershed moment, said Ari Redbord, former Treasury executive and head of government affairs at TRM Labs. "For the first time, [Treasury] says that if you are providing financial services - regardless of whether you are centralized or decentralized - then you likely have requirements under the Bank Secrecy Act," he said.
Calgary's Crypto Investigation Center
Police in Calgary, Canada, on Thursday said they will set up a training center with Chainalysis to assist law enforcement with cryptocurrency-related investigations. Calgarians reported $13.9 million in financial losses from crypto crimes in 2022 and $3.2 million so far this year. Cryptocurrency scams are "vastly underreported due to the complex nature and investigative limitations," police said.
Euler Finance Update
Euler Finance announced repayment on Wednesday to victims of last month's $197 million flash loan exploit, after the hacker returned the majority of the stolen funds. The company set up a smart contract with all the returnable funds and has put in place a verification mechanism to ensure that the money is returned to the right users and to "confirm that the account holder agrees with the terms and conditions."