Hacker Used Same Bug to Exploit Other Crypto Exchanges Weeks Ago – DL News

  • There is a new twist in the CertiK hacking saga.
  • Onchain records show that, at an earlier date, someone attempted to exploit the same bug the auditor discovered in Kraken.

The bug that Kraken said it fixed had been used to exploit other centralized exchanges as early as last month, according to several crypto security experts.

This is the latest development in the saga of two major crypto players, US exchange Kraken and auditor CertiK.

On Wednesday, Kraken said it had fixed a “critical” bug that allowed millions of dollars in crypto to be mistakenly withdrawn from the US-based exchange.

CertiK came under fire after admitting to being behind the exploitation of this bug. The company withdrew $3 million from Kraken over several days in early June.

After a public exchange, CertiK returned all the funds it had taken and called their actions a white hat operation, meaning they ostensibly acted as ethical hackers with the intent of identifying and fixing security vulnerabilities rather than exploiting them for malicious purposes.

Onchain records first identified by the Hexagate security platform, and confirmed to DL News by several other security researchers, show that a hacker attempted to exploit other crypto exchanges (Binance, OKX, BingX and Porte.io) using the same bug, as early as May 17.

These attempts took place three weeks before CertiK announced that it had found the bug on Kraken on June 5.

“We have no evidence that these exchanges were affected,” Hexagate posted on X. “We have only traced on-chain evidence of similar activity.”


Centralized crypto exchanges hold a gargantuan amount of crypto on behalf of their clients. The top five crypto exchanges that have publicly disclosed their wallet addresses hold a total of $172 billion worth of crypto, according to DefiLlama data.

CertiK did not immediately respond to DL News’ request for comment.

Exploit attempts

Records uncovered by Hexagate show that a hacker attempted to use a so-called “kickback” attack to trick centralized exchanges into withdrawing funds.

To do this, the hacker created a smart contract that deposits funds on a centralized exchange. The contract is designed so that the outer transaction succeeds while the deposit itself is reverted.

This makes the exchange believe that a user has deposited funds when they have not. The hacker then requests a withdrawal from the exchange, debiting the amount of the fake deposit.
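As an added illustration (not code from the article, Hexagate, Kraken or CertiK), here is a simplified deposit-crediting check in Python: the naive rule that trusts only the outer transaction's success status, beside one that credits only what a Transfer log and the deposit address's balance change confirm. Addresses, amounts and receipts are constructed sample data; the only real constant is the standard ERC-20 Transfer event topic.

```python
from dataclasses import dataclass, field

# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 Transfer event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

@dataclass
class Receipt:
    status: int            # 1 = the outer transaction succeeded
    to: str                # address the user claims to have sent funds to
    logs: list = field(default_factory=list)  # dicts with address, topics, data

def naive_credit(receipt: Receipt, deposit_addr: str, claimed_wei: int) -> int:
    """Crediting rule the described attack fools: trusts outer-tx success plus the claimed amount."""
    if receipt.status == 1 and receipt.to.lower() == deposit_addr.lower():
        return claimed_wei
    return 0

def _topic_addr(topic: str) -> str:
    return "0x" + topic[-40:].lower()   # an indexed address is right-aligned in its 32-byte topic

def safe_credit(receipt: Receipt, deposit_addr: str, token_addr: str,
                balance_before: int, balance_after: int) -> int:
    """Credit only what the chain proves: Transfer logs emitted by the expected token contract
    to the deposit address, capped by the observed balance change of that address."""
    if receipt.status != 1:
        return 0
    logged = 0
    for log in receipt.logs:
        topics = log["topics"]
        if (log["address"].lower() == token_addr.lower() and len(topics) == 3
                and topics[0] == TRANSFER_TOPIC and _topic_addr(topics[2]) == deposit_addr.lower()):
            logged += int(log["data"], 16)
    delta = balance_after - balance_before
    return max(0, min(logged, delta))   # a reverted inner transfer leaves no log and no delta

# Constructed sample data (placeholder addresses, not real accounts or transactions)
DEPOSIT = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
USER = "0x" + "33" * 20
AMOUNT = 10**18

def _pad_addr(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")

# Fake deposit: outer call succeeded (status 1) but the inner transfer reverted, so no log, no balance change
FAKE = Receipt(status=1, to=DEPOSIT, logs=[])
# Genuine deposit: the token contract emitted a Transfer to the deposit address
GENUINE = Receipt(status=1, to=TOKEN, logs=[{"address": TOKEN,
    "topics": [TRANSFER_TOPIC, _pad_addr(USER), _pad_addr(DEPOSIT)],
    "data": "0x" + format(AMOUNT, "064x")}])
```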

Onchain records show several attempts to use such a contract when depositing funds to Binance on BNB Chain on May 17.

Between May 29 and June 5, the same address, as well as another funded by it, made similar attempts on OKX, BingX and Porte.io on BNB Chain, Arbitrum and Optimism.

Is CertiK involved?

Although CertiK was the first to publicly disclose the reversion attack, there is no evidence that it was involved in these earlier attempts.

Smart contract functions each have a signature hash by which they can be identified.

In the case of the reversion attack contract, the function’s signature hash does not correspond to any publicly known function name, a security researcher who wished to remain anonymous told DL News.

This means that either CertiK knew the function name used in the reversion attack, or someone else happened to use exactly the same name, the researcher said.

Tim Craig is DL News’ DeFi correspondent based in Edinburgh. Contact him with tips at tim@dlnews.com.
