On Wednesday, December 20, the decentralized exchange EtherDelta fell victim to a phishing attack enabled by a compromise of its DNS. The attacker pointed EtherDelta's domain at a replica of the site that stood in for the legitimate one for a number of hours, so funds sent through it went to the attacker rather than to the exchange's contract.
Decentralized but Still Compromised
At 1:34 p.m. EST, EtherDelta tweeted a message indicating that its DNS server had been hacked, followed by a series of tweets explaining that the original website had been replaced by a doppelganger created by the attacker.
Dear users, we have reason to believe that there have been malicious attacks that temporarily gained access to @etherdelta https://t.co/NnqU5Er4rj DNS server. We are investigating this issue right now – in the meantime please DO NOT use the current site.
— EtherDelta (@etherdelta) December 20, 2017
The culprit created a near-replica of the exchange's website, minus a few functions and cosmetic features. According to the tweets, the spoof site included a fake order book but lacked the chat box and the Twitter feed.
Users who interacted with the fraudulent site during the attack may have had their funds stolen. Anyone who deposited or withdrew funds through the imposter site in that window most likely sent those funds directly to the attacker's wallet address.
The attack ran from approximately 1:30 p.m. to 8:00 p.m. EST, and EtherDelta suspended its service while it lasted. After collecting 308 ETH (approximately US$244,000) and a considerable amount of ERC20 tokens, the attacker split the funds between various wallet addresses around 1:30 a.m. the following day.
It's important to note that while EtherDelta's website was compromised, the smart contracts it uses were not. Funds already held in those contracts could not be touched unless a user uploaded or entered a private key on the fake site during the attack. EtherDelta users can manage their funds with a Ledger Nano S, with the MEW browser wallet, or by entering an account's private key directly.
The EtherDelta team made it clear in Thursday morning’s tweet that if you were using a Ledger Nano S or MEW wallet at the time of the phishing attack, your funds are safe. They also clarified that deposits on the exchange can only be accessed using an individual’s private key. So long as you never uploaded your key to the fake site, your funds were safe in the exchange’s smart contracts.
*IMPORTANT* Also note deposits can only be accessed through user's individual private key via the EtherDelta contract. If you had *NEVER* imported your key on the imposter's phishing site, your deposit should be safe.
— EtherDelta (@etherdelta) December 21, 2017
Could’ve Been Worse
The phishing attack on EtherDelta is unfortunate, but thanks to the exchange's internal security features, it isn't devastating. The site definitely bit the bullet, but unlike Youbit in the fallout of its own hacking, it didn't bite the dust. EtherDelta's decentralized design and the smart contracts it employs are largely to thank for limiting the damage.
With a trust-based, centralized exchange like Youbit, an attacker need only compromise the exchange's servers to reach its hot wallet, which holds the pooled funds the exchange manages for its users. Like a bank with fiat, you trust the exchange to hold the assets, and the keys to them, on your behalf: your balance is an entry in the exchange's ledger, and when you withdraw, the exchange sends coins out of its own wallet to your address. The danger of this model is that whoever compromises the exchange controls every user's funds at once.
With EtherDelta, by contrast, the exchange never holds users' keys. Each user keeps their own key, and deposits sit in an Ethereum smart contract that only the depositing account can withdraw from. That is why the attacker had to resort to a fake website: there is no pooled reserve to drain, so unless a user revealed a private key on the copycat site, their funds could not be stolen. It also helped that the contract runs on the Ethereum network's many nodes rather than on a single server, so there is no central access point to seize. This insulated the exchange's contracts from the compromise and left the attacker with only the web front end, reached through the hijacked DNS, as an avenue of attack.
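To make the distinction concrete, here is a minimal non-custodial deposit contract in the style the paragraphs above describe. It is an added illustration written for this article, not EtherDelta's own code; the contract name, the use of the zero address to denote ETH and the IERC20 stub are assumptions. Balances are keyed by depositor address and every withdrawal is gated on msg.sender, so there is no operator key whose compromise could drain the pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for token deposits and withdrawals (assumed interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical non-custodial vault: illustrative only, not EtherDelta's contract.
contract NonCustodialVault {
    // tokens[token][user] = balance; address(0) denotes ETH here (an assumption).
    mapping(address => mapping(address => uint256)) public tokens;

    event Deposit(address indexed token, address indexed user, uint256 amount, uint256 balance);
    event Withdraw(address indexed token, address indexed user, uint256 amount, uint256 balance);

    // Deposit ETH. The balance is credited to the transaction signer, never to an operator.
    function deposit() external payable {
        tokens[address(0)][msg.sender] += msg.value;
        emit Deposit(address(0), msg.sender, msg.value, tokens[address(0)][msg.sender]);
    }

    // Deposit an ERC20 token; the user must have approved this contract beforehand.
    function depositToken(address token, uint256 amount) external {
        require(token != address(0), "use deposit() for ETH");
        tokens[token][msg.sender] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        emit Deposit(token, msg.sender, amount, tokens[token][msg.sender]);
    }

    // Withdraw ETH. Only msg.sender's own balance can be moved: there is no privileged key.
    function withdraw(uint256 amount) external {
        require(tokens[address(0)][msg.sender] >= amount, "insufficient balance");
        // Update state before the external call (checks-effects-interactions) to block re-entrancy.
        tokens[address(0)][msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit Withdraw(address(0), msg.sender, amount, tokens[address(0)][msg.sender]);
    }

    // Withdraw an ERC20 token, with the same msg.sender gating.
    function withdrawToken(address token, uint256 amount) external {
        require(token != address(0), "use withdraw() for ETH");
        require(tokens[token][msg.sender] >= amount, "insufficient balance");
        tokens[token][msg.sender] -= amount;
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
        emit Withdraw(token, msg.sender, amount, tokens[token][msg.sender]);
    }
}
```

A hijacked front end can still point new deposit() traffic at the attacker's own address, or prompt the user to paste a private key, which is exactly the damage described above. What it cannot do is call withdraw on anyone else's balance: no function in the contract lets one account move another account's funds, so the deposits already inside it stay put.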