MM Finance website suffers hacker attack worth almost BRL 10 million

The website of MM Finance (MMF), the second largest decentralized exchange (DEX) of the Cronos protocol (CRO), with $802.89 million in total blocked value (TVL), was the target of a hacker attack last week. The attacker was able to inject a malicious contract address into the website’s front-end code. In this way, he was able to modify the site to a contract he had access to. As a result, users who contributed resources to the platform lost their funds. Last Wednesday (5), the team behind the platform published a post mortem on their Medium blog. In the post, they further detailed the attack and presented a compensation plan to users.

post mortem

In their post mortem, the team explained that the attack they suffered was a DNS-type attack. According to Kaspersky, this is a type of attack that exploits vulnerabilities in the domain name server to divert traffic from legitimate servers and direct it to false paths. According to the team, about $2 million in assets were compromised in the attack. The diverted funds were sent to the Tornado Cash mixer, a tool that mixes cryptocurrency transactions to make it difficult to trace the origin of the transferred funds. According to the report, when victims navigated to the website to remove liquidity, the malicious actor took action and tokens from LPs (Liquidity Providers) were sent to the attacker’s address.

“We understand that some of you have lost significant funds and are filled with worry and panic. That being said, at this point, the best thing we can do for all of us is to put emotions aside as much as possible and work together to overcome this hurdle,” said the MM Finance team.

Problem resolution

To address the vulnerability, MM Finance said it will hire security firms to analyze DNS settings. Additionally, it will remove two service providers, which should reduce attack vectors.

“This DNS attack has already occurred and our consequent actions will now nullify any potential follow-up attempts by this attacker. In other words, other than the price action that came from selling our malicious wallet tokens, there should NOT be any other consequential impact on our ecosystem coins.”

Also, the team reinforced that all smart contracts and user funds are safe. As for those users whose funds were stolen, the team said it will run a compensation plan. First, the team will waive the dev share trading fees and buy MUSD at these fees. It will then place all MUSD in a clearing pool to allow users to claim.

“A snapshot will be taken shortly and the USD amount you lost will be tabulated so you can be fairly compensated. Your wallet addresses will be added to the clearing pool. This compensation pool will run for 45 days.”

Analyst Felipe Escudero comments on attack

As highlighted by cryptoasset analyst and partners at O2 Research, Felipe Escudero, the attack on the site was very well done, making it difficult for even the most experienced users to identify the vulnerability:

“The hacker managed to direct all the assets that were deposited in the MMF pools to the mixer. Thus, the funds will be ‘rotating’ there until everything is ‘washed’. It was certainly very well orchestrated, starting from a very easy-to-exploit loophole in the frond-end in the dApp.”

In this sense, Escudero strongly recommended that all MMF users, who have interacted with a dApp contract in the last month, make a revocation in their wallet.

MMF token price

While the attack affected users’ funds, the price of MM Finance’s native token, MMF, has not been heavily impacted since the attack – which took place on May 4. Although it has retreated from $0.62 to $0.52 – down 16% – in some, in the last 24 hours, the price of the crypto asset has dropped about 2%, according to data from CoinMarketCap. At the time of writing, MMF is trading at $0.55.

MMF token price chart. Source: CoinMarketCap Read also: New move-to-earn token skyrockets over 100% in 7 days; get to know the project Read also: Understand why the biggest thefts of cryptocurrencies are in bridges Read also: Bitcoin continues its upward movement after FED decision. Ethereum, Solana, Polkadot, Avalanche and XRP even rise up to 6%