
Nexus Mutual Attack: 8 Million Lost

At 09:40 am UTC, Dec 14, 2020, CertiK Skynet found a large transaction from Hugh Karp, the founder of Nexus Mutual, which transferred a total of 370,000 NXM tokens to an unknown account. The total value of tokens is approximately 8.33 million US dollars.

The CertiK security investigation team promptly began analyzing the transaction and assessed that it was a targeted attack on Mr. Hugh Karp's account.

The attacker's account address is 0x09923e35f19687a524bbca7d42b92b6748534f25, and some of the tokens obtained in the attack have already been swapped on 1inch.exchange in the transaction 0xfe2910c24e7bab5c96015fb1090aa52b4c0f80c5b5c685e4da1b85c5f648558a.

Attack transaction hash: 0x4ddcc21c6de13b3cf472c8d4cdafd80593e0fc286c67ea144a76dbeddb7f3629

According to the official disclosure, after obtaining remote control of Hugh Karp's personal computer, the attacker modified the Metamask extension installed on that computer and misled him into signing the transaction shown in Figure 1, which transferred a large amount of tokens to the attacker's account.

Based on the information disclosed so far, the CertiK team conjectures that when Hugh used Metamask as usual, the extension modified by the attacker generated the transfer request for the large token amount before Hugh signed the transaction with his hardware wallet.

A browser extension is, as an application, similar to the front end of an ordinary web application: both are written in HTML and JavaScript, and the extension's files are stored on the user's computer. Regarding how the hacker could have modified the Metamask extension, the CertiK team made the following conjectures:

  1. The hacker gained control of Hugh Karp's personal computer, opened the browser through the remote desktop and directly installed the modified Metamask extension.
  2. The hacker found the installation path of Metamask extension on Hugh Karp's personal computer, modified the code, and loaded the modified extension into the browser after the modification.
  3. The hacker modified the browser extension with the built-in command line tool.

The official disclosure mentioned that Hugh Karp used a hardware wallet. Although the specific model was not revealed, it should be a Trezor or a Ledger, the only two supported by Metamask. When a hardware wallet is used, transactions in Metamask must be confirmed and signed with the private key held in the hardware wallet.

When a Trezor or Ledger confirms a transaction, the recipient's address is displayed on the device's screen for the user to confirm. In this attack, the hacker should not have been able to modify the address displayed on the hardware screen. It is speculated that when Hugh Karp made the final confirmation on the hardware wallet, he did not notice that the displayed address was the hacker's.
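As an added example (not code from the CertiK report), the following Python decodes the calldata of an ERC-20 `transfer(address,uint256)` call so that the recipient and amount can be verified independently of whatever a tampered wallet UI renders, which is exactly the check the hardware-wallet screen is meant to support. The sample calldata is constructed from the figures in the report (370,000 tokens to the attacker address above); the intended recipient address and the amount limit are hypothetical placeholders.

```python
"""Decode an ERC-20 transfer call and compare it against what the signer intended."""
from dataclasses import dataclass

# First 4 bytes of keccak256("transfer(address,uint256)")
TRANSFER_SELECTOR = "a9059cbb"


@dataclass
class TokenTransfer:
    recipient: str   # lowercase 0x-prefixed address taken from the calldata
    amount_wei: int  # raw integer amount (NXM uses 18 decimals)


def _strip_0x(hex_str: str) -> str:
    s = hex_str.lower()
    return s[2:] if s.startswith("0x") else s


def decode_erc20_transfer(calldata_hex: str) -> TokenTransfer:
    data = _strip_0x(calldata_hex)
    if len(data) != 8 + 64 * 2:
        raise ValueError("unexpected calldata length for transfer(address,uint256)")
    if data[:8] != TRANSFER_SELECTOR:
        raise ValueError(f"not an ERC-20 transfer call (selector {data[:8]})")
    word1, word2 = data[8:72], data[72:136]
    if word1[:24] != "0" * 24:
        raise ValueError("address word has non-zero left padding")
    return TokenTransfer("0x" + word1[24:], int(word2, 16))


def encode_erc20_transfer(recipient: str, amount_wei: int) -> str:
    # Helper used only to build the constructed sample below.
    addr = _strip_0x(recipient).rjust(64, "0")
    return "0x" + TRANSFER_SELECTOR + addr + format(amount_wei, "064x")


def check_before_signing(calldata_hex: str, intended_recipient: str, max_amount_wei: int) -> list:
    """Return a list of discrepancies; an empty list means the call matches the intent."""
    t = decode_erc20_transfer(calldata_hex)
    problems = []
    if t.recipient != "0x" + _strip_0x(intended_recipient):
        problems.append(f"recipient {t.recipient} is not the intended {intended_recipient}")
    if t.amount_wei > max_amount_wei:
        problems.append(f"amount {t.amount_wei} exceeds the limit {max_amount_wei}")
    return problems


# Constructed sample: 370,000 NXM (18 decimals) sent to the attacker address from the report.
ATTACKER = "0x09923e35f19687a524bbca7d42b92b6748534f25"
SAMPLE_CALLDATA = encode_erc20_transfer(ATTACKER, 370_000 * 10**18)
INTENDED = "0x000000000000000000000000000000000000dEaD"  # hypothetical intended recipient

if __name__ == "__main__":
    for p in check_before_signing(SAMPLE_CALLDATA, INTENDED, 10_000 * 10**18):
        print("WARNING:", p)
```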

That the account of the founder of a blockchain insurance platform was attacked fully illustrates the importance of insurance. No matter who you are or what role you play, hackers on the blockchain network will not pass you over just because you assume you will be lucky. Security incidents can happen to anyone.

The CertiK security verification team suggests the following security measures in light of this attack:

  • Any security system and operating environment requires not only program security verification but also professional penetration testing to verify the security of the overall product.

  • To prevent the loss of digital assets for non-technical reasons, the project team should purchase insurance for their products/solutions in a timely manner, so that there are multiple levels of protection for the project and its investors and the loss from any attack can be compensated promptly.

References:

News source: https://www.coindesk.com/ceo-of-defi-insurer-nexus-mutual-hacked-for-8m-in-nxm-tokens

The official tweet: https://twitter.com/NexusMutual/status/1338441873560571906

Hugh Karp's personal computer operating system: Windows (not officially disclosed)

Hugh Karp's personal response to the tweet: https://twitter.com/NexusMutual/status/1338455595763036160
