MM.Finance revealed that hackers stole $2 million in digital assets in a Domain Name System (DNS) attack.
Rather than disrupting the availability of DNS, this kind of attack (DNS hijacking) abuses control over a domain’s DNS records so that visitors are served a tampered copy of the site instead of the legitimate one; here, the tampered copy carried a malicious contract address. The team at MM.Finance, which claims to be the largest decentralised finance ecosystem on the Cronos blockchain, said the hacker managed to “inject a malicious contract address into the frontend code.”
“Attacker used a DNS vulnerability to modify the router contract address in our hosted files. Resolving this issue takes precedence above all. We understand that some of you have lost significant funds and are filled with worries and panic,” the company said in a post-mortem on Medium.
Users who interacted with the MM.Finance site from May 4 onwards lost funds when they performed swaps or added or removed liquidity.
“When victims navigated to mm.finance to remove liquidity, the malicious router kicked in and the LPs were withdrawn to the attacker’s address,” the company explained.
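The mechanism described above, a legitimate front end whose hard-coded router address is swapped for an attacker’s contract after a DNS hijack, is exactly the kind of change a deployment can monitor for. The following Python script is an added example, not code from MM.Finance or its post-mortem: it pins a SHA-256 digest of the built bundle, extracts every 20-byte address literal from a served copy and compares it against a deploy-time allowlist, and diffs observed DNS records against the expected ones. All contract addresses, hostnames, IP addresses, and bundle contents are constructed placeholders for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set

# Everything below is constructed for this example; none of these are
# MM.Finance's real contracts, hostnames, or DNS records.
EXPECTED_ROUTER = "0x" + "11" * 20
EXPECTED_FACTORY = "0x" + "22" * 20
ALLOWED_ADDRESSES = {EXPECTED_ROUTER, EXPECTED_FACTORY}

# Expected DNS state for the front-end hostname, recorded at deploy time.
EXPECTED_DNS: Dict[str, List[str]] = {
    "A": ["203.0.113.10"],
    "NS": ["ns1.example-dns.invalid.", "ns2.example-dns.invalid."],
}

# A stand-in for the built JavaScript bundle that ships the router address.
LEGIT_BUNDLE = (
    f"const ROUTER='{EXPECTED_ROUTER}';"
    f"const FACTORY='{EXPECTED_FACTORY}';"
)
# The injected bundle is identical except for the router address.
ATTACKER_ROUTER = "0x" + "ab" * 20
TAMPERED_BUNDLE = LEGIT_BUNDLE.replace(EXPECTED_ROUTER, ATTACKER_ROUTER)

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def find_addresses(bundle: str) -> Set[str]:
    """Collect every 20-byte hex address literal in a JS bundle, lower-cased."""
    return {m.lower() for m in ADDRESS_RE.findall(bundle)}


def unexpected_addresses(bundle: str, allowed: Iterable[str]) -> Set[str]:
    """Addresses present in the bundle that are not in the deploy-time allowlist."""
    return find_addresses(bundle) - {a.lower() for a in allowed}


def bundle_digest(bundle: str) -> str:
    """SHA-256 of the bundle text; pin this value at deploy time."""
    return hashlib.sha256(bundle.encode("utf-8")).hexdigest()


def bundle_matches_pin(bundle: str, pinned_digest: str) -> bool:
    return bundle_digest(bundle) == pinned_digest


def dns_drift(observed: Dict[str, List[str]],
              expected: Dict[str, List[str]]) -> List[str]:
    """Report record types whose observed values differ from the expected set."""
    findings = []
    for rtype, exp in expected.items():
        obs = observed.get(rtype, [])
        if sorted(v.lower() for v in obs) != sorted(v.lower() for v in exp):
            findings.append(f"{rtype}: expected {exp}, observed {obs}")
    return findings


def audit(bundle: str, observed_dns: Dict[str, List[str]],
          pinned_digest: str) -> List[str]:
    """Run all three checks; an empty list means nothing deviated from deploy state."""
    findings = []
    if not bundle_matches_pin(bundle, pinned_digest):
        findings.append("bundle digest does not match pinned digest")
    for addr in sorted(unexpected_addresses(bundle, ALLOWED_ADDRESSES)):
        findings.append(f"unexpected contract address in bundle: {addr}")
    findings.extend(dns_drift(observed_dns, EXPECTED_DNS))
    return findings


if __name__ == "__main__":
    pinned = bundle_digest(LEGIT_BUNDLE)
    print(audit(LEGIT_BUNDLE, EXPECTED_DNS, pinned))
    # Simulated hijack: the A record now points elsewhere and the bundle was swapped.
    hijacked_dns = {"A": ["198.51.100.7"], "NS": EXPECTED_DNS["NS"]}
    for finding in audit(TAMPERED_BUNDLE, hijacked_dns, pinned):
        print("FINDING:", finding)
```

In practice the bundle would be fetched from the public hostname (from outside the hosting provider's network, so the check sees what users see) and the observed DNS records from several independent resolvers, with any non-empty result from `audit` paged to the team; the point is that the pinned digest and the address allowlist live somewhere the hosting and DNS providers cannot modify.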
The attacker stole more than $2 million in cryptocurrency and laundered it through Tornado Cash, a mixing service that obscures the origin of funds.
The company is setting up a compensation pool for affected users, funded by the team forgoing its share of trading fees; the pool will run for 45 days and will be used to reimburse those who lost cryptocurrency.
The company also said it will hire a security firm to audit its DNS configuration and will remove two service providers from its deployment stack to reduce its attack surface.
“We take this attack vector seriously, and will ensure to do our best moving forward to eradicate such vectors,” the company added.
In follow-up messages on Twitter, the company said it traced the stolen funds to the OKX exchange, threatening to call the FBI if the funds were not returned. The CEO of OKX said it is investigating the issue.
“Unethical as your actions are, we concede that there is a certain mad brilliance behind your design. So here’s the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds. Straight up, this is a win-win-win for us (time), you (risk and reward) and community (recovery of stolen funds),” MM.Finance wrote on Twitter on Thursday.
“Should you decline, we’ll just sleep less and escalate this, a cost that we at MM are already so very used to. Your move.”