August saw several hacks in the crypto space that are worth taking a closer look at and learning from.
First, there was a bridge hack, Nomad, then there was a Solana wallet hack, Slope, and finally a dex hack, Curve.
Nomad is a decentralised cross-chain bridge protocol supporting asset transfers across five chains: Avalanche, Ethereum, Cosmos, Cardano and Polkadot. Nomad was the 6th largest Ethereum bridge holding just under $170M of value.
A flaw in a Nomad smart contract allowed users to spoof transactions and withdraw money from an open vault on the bridge. That opened the door to hundreds of hackers who copy-pasted the transaction call data used by the original hacker.
Can this happen with the bridge used for POWR staking?
In the case of the bridge used for POWR staking, the transactions cannot be spoofed because the bridge only accepts transactions that have been confirmed by the Ethereum chain. Learn more about bridge security from our earlier blog post.
Solana wallet provider Slope has been identified as the source of a hack in which attackers stole an estimated $8M in USDC, SOL and other crypto assets.
In the Slope hack, private keys were inadvertently transmitted to an application monitoring service, meaning that the quality of the code that was released was poor.
Can I still use a Phantom wallet for POWR staking?
While almost 8,000 wallets from multiple providers were affected, including Phantom, researchers linked the attackers’ theft to Slope’s integration with Phantom, and not to vulnerabilities in the Phantom wallet. So yes, if you used a new seed phrase when setting up your Phantom wallet, it should not be exposed. However, Powerledger recommends you use a hardware wallet to stake. Our FAQ guide explains how.
Curve website hack
Curve Finance is a decentralized exchange for trading cryptocurrency that focuses on stablecoin trading. It is an automated market maker (AMM) that maintains low fees and slippage through the use of liquidity pools.
Attackers managed to clone the Curve Finance website and rerouted the DNS server to the fake page. DNS is the Domain Name System which is the Internet’s phonebook, allowing visitors to access webpages, such as stake.powerledger.io. Curve believes its DNS server provider was hacked, which allowed the hackers to reroute the users to a different smart contract and then drain their funds into a pool operated by the attackers.
Can this happen when staking POWR?
There are a couple of ways this attack can be replicated. Someone can post a fake website address on social media trying to redirect visitors to a fake website. When staking, always make sure you are accessing stake.powerledger.io. Watch out for any variation in spelling or punctuation marks that should not be there.
Finally, a DNS provider can be hacked, as was the case with Curve, which is why Powerledger uses a well-known Amazon Web Services, as our provider.
These 3 hacks in August showed us that there are multiple opportunities to lose money in the crypto DeFi world. As a crypto user, there are a couple of things that go a long way to protecting your assets: safeguarding your seed phrase (ideally by using a hardware wallet), verifying a URL each time you access a website, and confirming that the project you are about to use has passed one or more audits.
Disclaimer: Powerledger does not provide financial advice, we recommend seeking independent financial, tax and legal advice prior to purchasing any cryptocurrency.
Sign up for our newsletter - full of great insights and market updates.