On 22nd January, Concentric.fi was exploited, leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as the OKX exploiter. Concentric announced on X that the protocol was hit by a targeted social engineering attack that led to the compromise of one of their team's admin wallets. From there, the attackers were able to upgrade Concentric vault contracts with a malicious implementation, leading to losses in liquidity pools as well as for users who had approved Concentric contracts. This attack has pushed the overall losses in January to above $44.6 million.
On 22 January 2024, Concentric posted a warning on their X account that they had received reports of a security incident.
When examining the project’s contracts, CertiK identified a suspicious wallet that was repeatedly minting CONE-1 LP tokens and burning them, which withdrew funds from Concentric liquidity pools. We can see an example of this in the screenshot below.
The Concentric team later announced that the incident was due to a private key compromise of one of their admin wallets. The compromised wallet was used to transfer ownership to 0x3F06, which then upgraded the Concentric liquidity pools to malicious pools controlled by the attacker. This enabled the attacker to mint a large amount of LP tokens and withdraw ERC-20 tokens. The ERC-20 tokens were swapped for ETH and transferred to the following 3 wallets, which confirmed a link to the OKX exploiter:
0xFD681A9aA555391Ef772C53144db8404AEC76030
0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d (Doxxed as OKX Exploiter 2 on Etherscan)
0x17865c33e40814d691663bC292b2F77000f94c34
Additionally, 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b was able to steal funds from users who had approved spending on Concentric contracts. The stolen funds were swapped for ETH and transferred to 0x5c0e945fc1c83d8d10e9c6366e2cbc5241532aec, totalling $154,406.53 at the time of writing. In total, the losses equate to $1,851,668.89, making it the 9th largest attack this month.
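The sequence described above (ownership moved to an unfamiliar address, the pools upgraded, then approved funds pulled) can be watched for on-chain. The following is an added example, not code from Concentric or CertiK: it correlates ownership transfers with upgrades over constructed, decoded event records and lists the approvals still open to the upgraded contract. The allowlists, placeholder addresses and the assumption that the contracts emit OpenZeppelin-style OwnershipTransferred and Upgraded events are hypothetical.

```python
# Constructed sample of decoded event logs; addresses are placeholders, not chain data.
# Assumption: proxies emit OpenZeppelin-style OwnershipTransferred and Upgraded events,
# and tokens emit the standard ERC-20 Approval event.
TRUSTED_OWNERS = {"0xTEAM_MULTISIG"}  # hypothetical allowlist of legitimate admins
REVIEWED_IMPLS = {"0xIMPL_V1"}        # hypothetical allowlist of reviewed implementations
MAX_GAP = 300                         # max blocks between owner change and upgrade

EVENTS = [
    {"block": 10, "event": "Approval", "token": "0xTOKEN", "owner": "0xUSER_A",
     "spender": "0xVAULT", "value": 2**256 - 1},
    {"block": 12, "event": "Approval", "token": "0xTOKEN", "owner": "0xUSER_B",
     "spender": "0xVAULT", "value": 500},
    {"block": 15, "event": "Approval", "token": "0xTOKEN", "owner": "0xUSER_B",
     "spender": "0xVAULT", "value": 0},  # USER_B revoked before the incident
    {"block": 20, "event": "OwnershipTransferred", "contract": "0xVAULT",
     "new_owner": "0xUNKNOWN_EOA"},
    {"block": 25, "event": "Upgraded", "contract": "0xVAULT",
     "implementation": "0xIMPL_UNREVIEWED"},
    {"block": 30, "event": "Upgraded", "contract": "0xOTHER_VAULT",
     "implementation": "0xIMPL_V1"},  # routine upgrade, should not alert
]

def detect_takeovers(events):
    """Flag proxies upgraded to an unreviewed implementation soon after
    ownership moved to an address outside the allowlist."""
    pending = {}  # contract -> (block, new_owner) of last untrusted transfer
    alerts = []
    for e in sorted(events, key=lambda e: e["block"]):
        if e["event"] == "OwnershipTransferred":
            if e["new_owner"] in TRUSTED_OWNERS:
                pending.pop(e["contract"], None)
            else:
                pending[e["contract"]] = (e["block"], e["new_owner"])
        elif e["event"] == "Upgraded" and e["implementation"] not in REVIEWED_IMPLS:
            hit = pending.get(e["contract"])
            if hit and e["block"] - hit[0] <= MAX_GAP:
                alerts.append({"contract": e["contract"], "new_owner": hit[1],
                               "implementation": e["implementation"], "block": e["block"]})
    return alerts

def exposed_approvals(events, spender, at_block):
    """Last Approval value per (token, owner) for `spender`, non-zero only.
    Approximation: the authoritative figure is the token's allowance() call."""
    latest = {}
    for e in sorted(events, key=lambda e: e["block"]):
        if e["event"] == "Approval" and e["spender"] == spender and e["block"] <= at_block:
            latest[(e["token"], e["owner"])] = e["value"]
    return {k: v for k, v in latest.items() if v > 0}
```

For each alert, calling exposed_approvals with the alerted contract and block gives the list of holders who should be told to revoke first.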
From the malicious wallets that CertiK identified, we can confirm that the Concentric.fi exploiter is linked to two other exploits: the OKX exploit and the UnoRe exploit. The Concentric exploiter transferred funds to wallets doxxed as the OKX exploiter, and was also funded by a wallet linked to the UnoRe exploit earlier in 2023.
On 13th December, OKX announced that the owner wallet of an abandoned OKX DEX market maker contract had been compromised, leading to the loss of approximately $2.7 million. Additionally, 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F, which funded the Concentric exploiter's wallet, is linked to the UnoRe exploiter.
An overview of the exploit can be found below.
The new implementation contained code that burned CONE-1 from 0x60d8 and minted it to 0x105f.
On top of the 715 ETH, EOA 0xc62a sent 65.4 ETH (~$155,503) to EOA 0x5c0E945Fc1c83D8d10E9c6366E2cBC5241532AEc, bringing total losses to a little over 780 ETH, approximately $1.85 million.
The attack on Concentric is another example of how traditional social engineering attacks can have a devastating impact on projects in the Web3 ecosystem. Whilst we traditionally see phishing and social engineering tactics employed by scammers deploying wallet drainers, the same methods can be used to take over a project. So far in 2024, we have seen $28.9 million lost due to phishing and private key compromises, which represents 63.5% of the overall losses in January. Such incidents also demonstrate the centralization risks that can be present in platforms and that, if abused, can lead to serious losses. A security audit by CertiK highlights centralization as a major risk, which will help you manage risks when interacting with projects.