The Fantom Foundation, a leading entity in the decentralized finance (DeFi) landscape, offers a blockchain platform optimized for DeFi and crypto dApps. However, it recently faced a major security breach, resulting in a $7.5M loss.
Behind the Breach
Over $7M was drained from multiple wallets associated with the Foundation. While initial reports suggested that the Foundation itself was the primary victim, further investigation revealed a different picture: most of the stolen funds belonged to an employee of the Fantom Foundation rather than to the Foundation. The Foundation did not escape unscathed, however, acknowledging a direct loss of $550k.
The attackers targeted at least 12 addresses across five different chains: ETH, FTM, OP, BSC, and AVAX.
The attacker's addresses:
Root Cause Analysis
While the exact attack vector remains unclear, some details have come to light. The attack appears to have originated from a compromised password manager, possibly LastPass, which would have held the private keys or seed phrases of the affected wallets. The rapid draining of multiple associated addresses in quick succession, on five chains that share no contracts or infrastructure, lends credence to this theory: a single compromised secret store explains simultaneous access to otherwise independent keys, whereas a smart contract or per-chain exploit would not.
An initial statement from a Fantom Foundation Telegram admin hinted at a "zero-day exploit on Chrome." However, as more details emerged, this explanation appeared less plausible.
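The inference above rests on timing: many unrelated addresses, on several chains, emptied within minutes of each other. The following Python snippet is an added example, not code from the original post or from the Fantom Foundation, showing how that pattern can be surfaced automatically from a feed of first-outflow events. The addresses, timestamps and USD amounts are constructed sample data, and the thresholds (a 15-minute window, at least three addresses on at least two chains) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real on-chain records): the first outgoing
# transfer observed from each monitored address, as an indexer or SIEM
# might emit it. The first six rows mimic a coordinated drain; the last two
# are routine activity from one address on one chain hours later.
SAMPLE_OUTFLOWS = [
    {"chain": "ETH",  "address": "0xA1", "ts": "2023-10-17T03:00:05Z", "usd": 2_100_000},
    {"chain": "FTM",  "address": "0xB2", "ts": "2023-10-17T03:00:41Z", "usd": 1_300_000},
    {"chain": "OP",   "address": "0xC3", "ts": "2023-10-17T03:01:12Z", "usd": 900_000},
    {"chain": "BSC",  "address": "0xD4", "ts": "2023-10-17T03:02:30Z", "usd": 650_000},
    {"chain": "AVAX", "address": "0xE5", "ts": "2023-10-17T03:04:09Z", "usd": 400_000},
    {"chain": "ETH",  "address": "0xF6", "ts": "2023-10-17T03:05:55Z", "usd": 1_750_000},
    {"chain": "ETH",  "address": "0xA7", "ts": "2023-10-17T09:15:00Z", "usd": 12_000},
    {"chain": "ETH",  "address": "0xA7", "ts": "2023-10-17T09:20:00Z", "usd": 8_000},
]


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_drain_bursts(outflows, window=timedelta(minutes=15),
                      min_addresses=3, min_chains=2):
    """Flag windows in which many distinct addresses across several chains
    start draining together.

    A sliding window walks the time-sorted events. Whenever the events that
    fall within `window` of the window start cover at least `min_addresses`
    distinct addresses on at least `min_chains` distinct chains, the group is
    reported as one burst and the scan resumes after it. Such a burst points
    at a shared secret store (seed phrases, password manager) rather than at
    a contract bug, which would be confined to one chain or one contract.
    Thresholds are assumptions; tune them to the portfolio being monitored.
    """
    events = sorted(outflows, key=lambda r: _parse_ts(r["ts"]))
    bursts = []
    i = 0
    while i < len(events):
        start = _parse_ts(events[i]["ts"])
        j = i
        while j + 1 < len(events) and _parse_ts(events[j + 1]["ts"]) - start <= window:
            j += 1
        group = events[i:j + 1]
        addresses = {r["address"] for r in group}
        chains = {r["chain"] for r in group}
        if len(addresses) >= min_addresses and len(chains) >= min_chains:
            bursts.append({
                "start": events[i]["ts"],
                "end": events[j]["ts"],
                "addresses": sorted(addresses),
                "chains": sorted(chains),
                "total_usd": sum(r["usd"] for r in group),
            })
            i = j + 1  # resume after the burst so it is reported once
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for burst in find_drain_bursts(SAMPLE_OUTFLOWS):
        print(f"{burst['start']} .. {burst['end']}: "
              f"{len(burst['addresses'])} addresses on "
              f"{len(burst['chains'])} chains, ${burst['total_usd']:,} drained")
```

Run against the sample data, the detector reports a single burst covering all six constructed addresses on all five chains, and ignores the two later transfers from one address on one chain. In practice the event feed would come from per-chain indexers for the addresses a team controls, and an alert on such a burst should trigger rotation of every key that was ever stored alongside the compromised ones.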
Track Record of Breaches
This isn't the first time the Fantom Foundation has been in attackers' sights. Earlier, in February 2023, during the launch of a new stablecoin, USP, the protocol suffered a massive blow when attackers stole over $8.5M through a flash loan attack. Another incident in July 2023 saw the protocol temporarily pausing its pools due to "suspicious activities," which later turned out to involve multiple flash loan attacks.
Lessons from the Incident
Projects are becoming more aware of the risks of not appropriately securing and auditing contracts, but this hack shows once again that smart contracts are only a part of a project's attack surface. Well-known Web2 security practices such as secure password management seem to have been forgotten. A password manager is a single point of failure: if wallet private keys or seed phrases are kept in it, whoever compromises the vault (or the account it syncs to) gains every key at once, on every chain, with no contract bug required. A more holistic security shift needs to happen within the industry, where not only smart contracts are secured but also the wider IT estate: employee credentials protected by strong, phishing-resistant multi-factor authentication, signing keys kept in hardware wallets rather than in general-purpose secret stores, and treasury funds held behind multisig so that a single compromised employee cannot drain them.
Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit https://rivanorth.com/ to find out more.
You build the future. We help you secure it.