Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Cryptohack Roundup: GDAC, Yearn Finance, SushiSwap

Also: FTX's 'Egregious' Cybersecurity Failures; Treasury Assesses DeFi Risk
Cryptohack Roundup: GDAC, Yearn Finance, SushiSwap
Image: Shutterstock

Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between April 7 and April 13, hackers stole $14 million from South Korean crypto exchange GDAC, $11.6 million from Yearn Finance and $3.3 million from SushiSwap. FTX's latest bankruptcy report detailed its "egregious" cybersecurity failures, and the U.S. Department of the Treasury warned DeFi to shape up. Also, Calgary set up a cryptocurrency cybercrime unit, and Euler Finance began the process of compensating hack victims.

See Also: Revolutionizing Cross-Border Transactions with Permissioned DeFi

GDAC

Crypto exchange GDAC on Wednesday said a hacker had drained nearly $14 million from the South Korean company's platform, forcing a two-week pause in transactions. The thief on Sunday morning hacked GDAC's hot wallet to steal 23% of the company's total custodial assets, CEO Seung-hwan Han said on the day of the hack, but did not offer technical details. "All assets currently held by GDAC are fully covered and preserved," he said, adding that law enforcement authorities are involved in the investigations.

Yearn Finance

A hacker exploited a vulnerability in a token issued by decentralized finance protocol Yearn Finance on Thursday to steal about $11.6 million, security firm PeckShield said. The exploit occurred on Aave version 1, an open-source liquidity protocol the company uses. "We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave," PeckShield said in a follow-up tweet.

SushiSwap

Decentralized crypto exchange SushiSwap suffered a multimillion-dollar hack on Sunday, after a hacker exploited a smart contract bug, security firm Ancilia said. The vulnerable contract aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Only users who used the service between March 29 and April 1 were affected, DefiLlama pseudonymous developer 0xngmi said. The hack seems to have resulted in Sifu, a popular crypto advocate, losing ETH worth $3.3 million, PeckShield said.

FTX

A report from FTX replacement CEO John Ray III filed Sunday in the fallen cryptocurrency platform's ongoing bankruptcy case shows the company lacked basic security controls to protect crypto assets. Among its many failures: It lacked a CISO, kept virtually all of customers' assets in internet-accessible hot wallets, stored private keys in plain text, and did not use multi-party computation controls.

"FTX Group grossly deprioritized and ignored cybersecurity controls, a remarkable fact given that, in essence, the FTX Group's entire business - its assets, infrastructure, and intellectual property - consisted of computer code and technology," the report states.

U.S. Department of Treasury Report

The U.S. Treasury Department published a report recommending strengthened regulatory supervision over decentralized finance. DeFi services often do not implement anti-money laundering controls, and cybersecurity tends to be poor, the report says. Regulators should conduct industry outreach to "further explain how applicable regulations apply to DeFi services, in line with previously issued regulations and guidance," it says.

The report is a watershed moment, said Ari Redbord, former Treasury executive and head of government affairs at TRM Labs. "For the first time, [Treasury] says that if you are providing financial services - regardless of whether you are centralized or decentralized - then you likely have requirements under the Bank Secrecy Act," he said.

Calgary's Crypto Investigation Center

Police in Calgary, Canada, on Thursday said they will set up a training center with Chainalysis to assist law enforcement with cryptocurrency-related investigations. Calgarians reported a $13.9 million in financial losses from crypto crimes in 2022 and $3.2 million so far this year. Cryptocurrency scams are "vastly underreported due to the complex nature and investigative limitations," police said.

Euler Finance Update

Euler Finance announced repayment on Wednesday to victims of last month's $197 million flash loan exploit, after the hacker returned the majority of the stolen funds. The company set up a smart contract with all the returnable funds and has put in place a verification mechanism to ensure that the money is returned to the right users and to "confirm that the account holder agrees with the terms and conditions."


About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.