Cronos DeFi Project MM.Finance Suffers $2M Exploit
The attacker injected a malicious contract address into MM.Finance's frontend and stole about $2 million from unsuspecting users.
- MM.Finance, the biggest decentralized exchange on Cronos, suffered a $2 million cyber attack late Wednesday.
- The attacker leveraged a DNS vulnerability and injected a malicious contract address on the project website's frontend to divert funds to their own wallet.
- MM.Finance says it has traced the perpetrator to the OKX exchange and warned that it will contact the FBI if the 90% of the funds are not returned within 48 hours.
Share this article
Mad Meerkat Finance, the largest ecosystem of DeFi applications on the Cronos blockchain, has been exploited for around $2 million.
MM.Finance Suffers $2M Frontend Attack
The biggest decentralized exchange on Cronos has been hacked.
MM.Finance, an ecosystem of DeFi applications and the biggest decentralized exchange on the Cronos blockchain, has suffered a $2 million frontend attack. The project reported the incident late Thursday after the attacker breached the app’s frontend and started moving funds to their address.
We have verified and theres a frontend breach. Please do not perform any transactions or your funds will be sent to the exploiter wallet. We will be disabling the frontend ASAP.
— MM.Finance – #1 Defi Ecosystem on #Cronos (@MMFcrypto) May 4, 2022
“We have verified and theres a frontend breach. Please do not perform any transactions or your funds will be sent to the exploiter wallet. We will be disabling the frontend ASAP,” MM.Finance tweeted. According to a post-mortem report published by the project earlier today, the attacker leveraged a DNS vulnerability to modify the router contract address in the project’s hosted files and injected a malicious contract address into the project website’s frontend. The malicious contract then diverted the funds to the attacker’s wallet when anyone tried to make a swap, add, or remove liquidity on MM. Finance’s decentralized exchange. On-chain data shows that the hacker stole around $2 million worth of crypto assets before MM.Finance detected the exploit. Almost immediately after stealing the funds, the perpetrator bridged them over to Ethereum using the cross-chain routing protocol Multichain and deposited them to Tornado Cash—a privacy-preservation tool that helps users hide their transaction history.
MM.Finance said this morning it had already traced the attacker back to the centralized exchange OKX, which makes users go through a KYC procedure when they register. KYC, which stands for “know your customer,” is a process that requires financial institutions like crypto exchanges to gather customer data such as birth names and identification. That means unless the assailant used fake IDs when signing up on OKX, the exchange likely has a way of tracking their real identity.
“We have traced your funding to OKX exchange,” said MM.Finance, before warning the hacker that it would contact the FBI if they didn’t return 90% of the stolen funds within 48 hours. “With all these information, we have more than what we need to bring this information to the @FBI,” they said. “Should you decline, we’ll just sleep less and escalate this, a cost that we at MM are already so very used to. Your move.” It has since confirmed that all affected users will be reimbursed for any lost funds, while OKX CEO Jay Hao has stated that his team is investigating the incident.
Based on data provided by DeFi Llama, MM.Finance hasn’t lost a significant amount of liquidity, with the total value locked still hovering around $802 million. Interestingly, the project’s native token MMF hasn’t taken a big hit either, which is uncommon for freshly exploited protocols. The token recouped its losses after a small initial drawdown and is currently trading only 0.1% down on the day.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.