Concentric.Fi Incident Analysis
1/23/2024

Introduction

On 22nd January, Concentric.fi was exploited, leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as belonging to the OKX exploiter. Concentric announced on X that the protocol was attacked following a targeted social engineering attack that compromised one of the team's admin wallets. From there the attackers were able to upgrade the Concentric vault contracts with a malicious implementation, leading to losses in the liquidity pools as well as for users who had approved Concentric contracts. This attack has pushed overall losses in January above $44.6 million.

Summary

On 22 January 2024, Concentric posted a warning on their X account that they had received reports of a security incident.

When examining the project's contracts, CertiK identified a suspicious wallet that was repeatedly minting CONE-1 LP tokens and burning them, which withdrew funds from the Concentric liquidity pools. An example of this can be seen in the screenshot below.

The Concentric team later announced that the incident was due to a private key compromise of one of their admin wallets, which was used to transfer ownership to 0x3F06, which then upgraded the Concentric liquidity pools to malicious pools controlled by the attacker. This enabled the attacker to mint a large amount of LP tokens and withdraw ERC-20 tokens. The ERC-20 tokens were swapped for ETH and transferred to the following three wallets, which confirmed a link to the OKX exploiter:

  1. 0xFD681A9aA555391Ef772C53144db8404AEC76030

  2. 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d (Doxxed as OKX Exploiter 2 on Etherscan)

  3. 0x17865c33e40814d691663bC292b2F77000f94c34

Additionally, 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b was able to steal funds from users who had granted spending approvals to Concentric contracts. The stolen funds were swapped for ETH and transferred to 0x5c0e945fc1c83d8d10e9c6366e2cbc5241532aec, totalling $154,406.53 at the time of writing. In total, the losses equate to $1,851,668.89, making it the 9th largest attack this month.

Connections to Previous Incidents

From the malicious wallets that CertiK identified, we can confirm that the Concentric.fi exploiter is linked to two other exploits: the OKX exploit and the UnoRe exploit. The Concentric exploiter transferred funds to wallets doxxed as the OKX exploiter, and was itself funded by a wallet linked to the UnoRe exploit earlier in 2023.

On 13th December, OKX announced that the owner wallet of an abandoned OKX DEX market maker contract had been compromised, leading to the loss of approximately $2.7 million. Additionally, 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F, which funded the Concentric wallet, is linked to the UnoRe exploiter.

An overview of the exploit can be found below.

Concentric.fi exploit overview

Attack Flow

  1. The attack started after the compromise of the Concentric Deployer wallet 0xeaf6. The attacker used the access to transfer contract ownership to 0x3F06.

  2. With ownership transferred, 0x3F06 was used to upgrade the Cone pool contracts with a modified implementation.

The new implementation contained code that burned CONE-1 from 0x60d8 and minted it to 0x105f.

  3. With the new code in place, the exploiter could call adminMint() and drain CONE-1 from each of the vaults. They then used the burn() function to exchange the CONE-1 for the corresponding vault assets.

  4. The attacker created a second contract which allowed the transfer of assets from users who had approved tokens to the vault, as well as the transfer of specified assets from the vault. 0xc62a and 0x3F06 are both controlled by the attacker.

  5. EOA 0x105f swapped the assets for 715 ETH, which was split between three wallets, including 300 ETH sent to a wallet associated with the OKX exploit of 13 December 2023.

On top of the 715 ETH, EOA 0xc62a sent 65.4 ETH (~$155,503) to EOA 0x5c0E945Fc1c83D8d10E9c6366E2cBC5241532AEc, bringing total losses to a little over 780 ETH, approximately $1.85 million.
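The attack flow above hinges on one sequence a monitoring pipeline can watch for: an OwnershipTransferred event on a proxy followed shortly by an Upgraded event. The script below is an added example (not code from CertiK or Concentric) that flags that sequence over decoded event logs; the log records and addresses are constructed placeholders, and the topic hashes are the standard OpenZeppelin Ownable and ERC-1967 event signatures.

```python
# Added example: detect "owner changed, then proxy upgraded" within a block window.
# Logs and addresses below are constructed; they are not the real incident wallets.
from dataclasses import dataclass

# keccak256("OwnershipTransferred(address,address)") and keccak256("Upgraded(address)")
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


@dataclass
class Log:
    block: int
    address: str   # emitting contract (the proxy)
    topics: list   # topics[0] = event signature; indexed args follow as 32-byte words


def topic_to_address(topic: str) -> str:
    # Indexed address arguments are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:]


def find_owner_change_then_upgrade(logs, max_blocks=1000):
    """Return (proxy, new_owner, new_implementation, blocks_apart) for every proxy
    that was upgraded within max_blocks after its owner changed."""
    alerts = []
    last_owner_change = {}  # proxy -> (block, new_owner)
    for log in sorted(logs, key=lambda l: l.block):
        sig = log.topics[0]
        if sig == OWNERSHIP_TRANSFERRED:
            last_owner_change[log.address] = (log.block, topic_to_address(log.topics[2]))
        elif sig == UPGRADED and log.address in last_owner_change:
            change_block, new_owner = last_owner_change[log.address]
            gap = log.block - change_block
            if gap <= max_blocks:
                alerts.append((log.address, new_owner, topic_to_address(log.topics[1]), gap))
    return alerts


def pad(addr):  # constructed helper: encode an address as a 32-byte indexed topic
    return "0x" + "0" * 24 + addr[2:].lower()


PROXY, OLD_OWNER, NEW_OWNER, NEW_IMPL = ("0x" + c * 40 for c in "abcd")
OTHER_PROXY = "0x" + "e" * 40

SAMPLE_LOGS = [  # constructed sample: one suspicious sequence, one routine upgrade
    Log(100, PROXY, [OWNERSHIP_TRANSFERRED, pad(OLD_OWNER), pad(NEW_OWNER)]),
    Log(112, PROXY, [UPGRADED, pad(NEW_IMPL)]),        # upgrade right after owner change
    Log(50, OTHER_PROXY, [UPGRADED, pad(NEW_IMPL)]),   # upgrade with no owner change: ignored
]

if __name__ == "__main__":
    for proxy, owner, impl, gap in find_owner_change_then_upgrade(SAMPLE_LOGS):
        print(f"ALERT {proxy}: new owner {owner} upgraded to {impl} {gap} blocks after takeover")
```

Tightening max_blocks trades missed slow-moving takeovers for fewer alerts on legitimate owner handovers that are followed by a planned upgrade.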

Conclusion

The attack on Concentric is another example of how traditional social engineering attacks can have a devastating impact on projects in the Web3 ecosystem. Whilst we traditionally see phishing and social engineering tactics employed by scammers deploying wallet drainers, the same methods can be used to take over a project. So far in 2024, we have seen $28.9 million lost to phishing and private key compromises, which represents 63.5% of the overall losses in January. Such incidents also demonstrate the centralization risks that can be present in platforms, which if abused can lead to serious losses. CertiK security audits highlight centralization as a major risk, which helps you manage risk when interacting with projects.