
Explained: The EigenLayer Investor Hack (October 2024)



Rob Behnke

October 8th, 2024


In October 2024, an investor transferring their tokens into custody on EigenLayer was the victim of a hack. The attacker tricked the investor into sending the tokens to the wrong address, resulting in an estimated $5.7 million in losses for the user.

Inside the Attack

When making an on-chain transfer, it’s vitally important to send it to the correct address, just like it’s important to get the account number correct for a traditional wire transfer. However, unlike the traditional financial system, blockchain’s immutable ledgers don’t allow funds to be clawed back in the event of a mistake.

Cybercriminals take advantage of this fact by trying to redirect payments in various ways. One common example is address poisoning, where an attacker will send transactions to an account from an address similar to a trusted one, hoping that the user will copy-paste the malicious address from their transaction history when performing a transaction.

Another threat is clipper malware, which monitors the system clipboard for data resembling blockchain addresses and replaces it with the attacker’s address before the user pastes it into a transaction.

In this case, the attacker took advantage of EigenLayer’s use of email to determine where to send EIGEN tokens to its investors. The attacker gained access to one of these email threads and instructed the EigenLayer team to send 1,673,645 EIGEN tokens to the attacker’s address.

They then swapped these tokens via MetaMask and converted them to stablecoins that were sent to centralized exchanges (CEXs). After discovering the incident, the EigenLayer team began working with these exchanges and law enforcement to freeze the stolen funds.

Lessons Learned from the Attack

This incident demonstrates the importance of having a strong security strategy in all aspects of an organization’s operations. Asking investors via email for the addresses to send their tokens makes email security a core component of EigenLayer’s threat model. Both the company and its investors needed to have robust email security in place for this process to be secure. Otherwise, an attacker gaining access to either email account could hijack the conversation, as demonstrated in this attack.

When performing high-value transactions — like transfers of $5.7 million worth of tokens — it’s vital to validate that addresses are correct before performing the transfer. A best practice is to perform out-of-band confirmation, such as checking with the other party via SMS, a phone call, or a communication app like Slack. While it’s possible that a sufficiently motivated attacker could have access to these tools as well, this increases the complexity of the attack.
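As an added example (not part of Halborn's post or EigenLayer's process), here is a pre-flight destination check of the kind the lesson above recommends. It assumes a hypothetical allow-list of addresses verified out of band, flags a destination that merely resembles a verified one (the pattern address poisoning relies on), and refuses a high-value transfer to an unverified address unless out-of-band confirmation has been recorded; all addresses are constructed samples.

```python
"""Pre-flight destination check for a high-value token transfer (hypothetical)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample allow-list (not real addresses): destinations that were
# confirmed out of band, e.g. by phone call with the counterparty.
VERIFIED = {
    "0x1111aaaabbbbccccddddeeeeffff000011112222": "investor-A treasury",
    "0x9999ffff0000aaaa1111bbbb2222cccc33339999": "custody vault",
}


@dataclass
class Verdict:
    ok: bool
    reason: str


def normalize(addr: str) -> str:
    """Validate the basic shape (0x + 40 hex chars) and lower-case the hex."""
    a = addr.strip()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a.lower()


def lookalike_of(addr: str, prefix: int = 4, suffix: int = 4) -> Optional[str]:
    """Return a verified address that shares the visible leading/trailing
    characters with `addr` but is not the same address, if one exists.
    Humans typically compare only those characters, which is what
    address poisoning exploits."""
    a = normalize(addr)
    for known in VERIFIED:
        k = known.lower()
        if a != k and a[2:2 + prefix] == k[2:2 + prefix] and a[-suffix:] == k[-suffix:]:
            return known
    return None


def check_destination(addr: str, amount_usd: float, out_of_band_confirmed: bool,
                      high_value_usd: float = 100_000) -> Verdict:
    """Decide whether a transfer to `addr` may proceed without further review."""
    a = normalize(addr)
    if a in {k.lower() for k in VERIFIED}:
        return Verdict(True, "destination is on the verified allow-list")
    twin = lookalike_of(a)
    if twin is not None:
        return Verdict(False, f"address-poisoning suspect: resembles verified {VERIFIED[twin]!r}")
    if amount_usd >= high_value_usd and not out_of_band_confirmed:
        return Verdict(False, "high-value transfer to unverified address needs out-of-band confirmation")
    return Verdict(True, "unverified destination below the high-value threshold or confirmed out of band")
```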

© Halborn 2024. All rights reserved.