The Fantom Foundation, a leading entity in the decentralized finance (DeFi) landscape, offers a blockchain platform optimized for DeFi and crypto dApps. However, it recently faced a major security breach, resulting in a $7.5M loss.
Over $7M was drained from multiple wallets associated with the Foundation. While initial reports suggested that the Foundation itself was the primary victim, further investigations revealed a different story. The breach predominantly affected an employee of the Fantom Foundation. However, the Foundation did not remain unscathed, acknowledging a direct loss of $550k.
The attackers targeted at least 12 addresses across five different chains: ETH, FTM, OP, BSC, and AVAX.
The attacker's addresses:
0x2f4f1d2c5944dba74e107d1e8e90e7c1475f4001
0x1d93c73d575b81a59ff55958afc38a2344e4f878
0xdadc0421ee1b5426fca3db22f0a94a3bad5a329d
Consolidation address: 0x0b1F29DF74A19C44745862ab018D925501FE9596
While the exact attack vector remains unclear, certain details have come to light. The attack appears to have resulted from a compromised password manager, possibly LastPass. The draining of multiple associated addresses in quick succession, with nothing tying them together on-chain other than a shared owner, lends credence to this theory: a single compromised credential store is the simplest explanation for many unrelated keys being used at once.
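As an added example (not part of the original report), the reasoning above can be turned into a monitoring check: flag any destination that receives outflows from several monitored wallets within a short window, regardless of chain. The addresses and transfer log below are constructed, and the window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log (hypothetical addresses, not real chain data):
# (timestamp, chain, from_address, to_address, usd_value)
SAMPLE_TRANSFERS = [
    ("2023-10-17T09:00:05", "ETH", "0xwallet1", "0xcollector", 1_200_000),
    ("2023-10-17T09:00:40", "FTM", "0xwallet2", "0xcollector", 850_000),
    ("2023-10-17T09:01:10", "OP",  "0xwallet3", "0xcollector", 400_000),
    ("2023-10-17T09:02:00", "BSC", "0xwallet4", "0xcollector", 300_000),
    ("2023-10-17T14:30:00", "ETH", "0xwallet1", "0xexchange", 5_000),     # routine transfer
    ("2023-10-18T09:00:00", "ETH", "0xwallet5", "0xunrelated", 900_000),  # isolated outflow
]
# Hypothetical set of addresses whose keys are kept in the same credential store.
MONITORED = {"0xwallet1", "0xwallet2", "0xwallet3", "0xwallet4", "0xwallet5"}


def find_coordinated_drains(transfers, monitored, window_minutes=10, min_sources=3):
    """Flag destinations that receive funds from at least min_sources distinct
    monitored addresses within window_minutes, across any chain."""
    by_dest = defaultdict(list)
    for ts, chain, src, dst, usd in transfers:
        if src in monitored:
            by_dest[dst].append((datetime.fromisoformat(ts), chain, src, usd))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for dst, events in by_dest.items():
        events.sort()  # time-ordered
        best, start = [], 0
        # Sliding window; keep the span with the most distinct source wallets.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len({e[2] for e in span}) > len({e[2] for e in best}):
                best = span
        sources = {e[2] for e in best}
        if len(sources) >= min_sources:
            alerts.append({
                "destination": dst,
                "sources": sorted(sources),
                "chains": sorted({e[1] for e in best}),
                "total_usd": sum(e[3] for e in best),
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
            })
    return alerts
```

A single large transfer from one wallet does not trigger the check; it is the number of distinct wallets converging on one destination in a short span that signals a shared-credential compromise rather than an individual key leak.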
An initial statement from a Fantom Foundation Telegram admin hinted at a "zero-day exploit on Chrome." However, as more details emerged, this explanation appeared less plausible.
This isn't the first time the Fantom Foundation has been targeted by attackers. Earlier, in February 2023, during the launch of a new stablecoin, USP, the protocol suffered a massive blow when hackers stole over $8.5M through a flash loan attack. Another incident in July 2023 saw the protocol temporarily pause its pools due to "suspicious activities," which later turned out to involve multiple flash loan attacks.
Projects are becoming more aware of the risks of not appropriately securing and auditing contracts, but this hack shows once again that smart contracts are only one part of a project's attack surface. It seems that well-known Web2 security practices, such as secure password management, have been forgotten. A more holistic security shift needs to happen within the industry, where not only smart contracts are secured, but also the wider IT assets around them, including employee credentials and the password managers that hold them.