Rob Behnke
October 19th, 2023
In October 2023, a hacker — perhaps feeling the Halloween holiday spirit — targeted the Fantom Foundation. In total, over $7 million was lost, the bulk of it from wallets held by an employee who was using addresses previously assigned to the Fantom Foundation.
Early reporting of the security incident pointed to the exploitation of a vulnerability in Google Chrome. These reports claimed that it was a zero-day vulnerability; however, other reports point to the exploitation of a known heap overflow vulnerability in Chrome that had been discovered and assigned CVE-2023-4863 over a month earlier.
The Fantom protocol has acknowledged the security incident and claims that approximately $550K was stolen from the Foundation, making up less than 1% of the Foundation’s overall assets. It also states that the majority of the stolen funds belonged to an employee of the organization, making it a targeted attack. It acknowledges the theory of a zero-day Chrome exploit but states that further investigation into the cause of the incident is ongoing, hinting that this explanation may be incorrect.
In addition to the confusion about the initial exploitation vector, this incident is unusual in that an employee of the Fantom Foundation now owns addresses that were previously controlled by the Fantom Foundation. According to the Foundation, it no longer uses these addresses, and they have since been “reassigned” for personal use.
The process for generating a new address on any blockchain simply involves generating a random private key and deriving a public key and address from it, a process that takes less than a second. Additionally, these private keys should only be known to the owner of the address, a security measure designed to protect against unauthorized use and potential theft.
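As an added illustration of the key-generation step described above (this is example code, not code from the post or from the Fantom Foundation), the following pure-Python implementation of secp256k1, the curve used by Ethereum-compatible chains such as Fantom, draws a random private scalar and derives the public point from it. The final address step (the last 20 bytes of the Keccak-256 hash of the public key) is left out because Keccak-256 is not in Python's standard library; hashlib's sha3_256 uses different padding and is not a substitute.

```python
import secrets
import time

# secp256k1 domain parameters (the curve used by Ethereum-compatible chains such as Fantom).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                     # p1 == -p2, sum is the point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def on_curve(point):
    """True if the point satisfies y^2 = x^3 + 7 (mod P)."""
    x, y = point
    return (y * y - x**3 - 7) % P == 0

def generate_keypair():
    """A fresh wallet: random private scalar plus the public point derived from it."""
    priv = secrets.randbelow(N - 1) + 1      # uniform in [1, N-1], CSPRNG-backed; the only secret
    return priv, point_mul(priv, G)

def keygen_seconds():
    """Wall-clock time for one key generation (the 'less than a second' claim above)."""
    start = time.perf_counter()
    generate_keypair()
    return time.perf_counter() - start
```

Because the private scalar is the only secret and it is produced locally in milliseconds, there is never a need to hand an existing key to someone else; a new one is cheaper and safer.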
There is no logical reason to “reassign” an address to an employee. This would create security risks for the employee if the Foundation retained a copy of the address’s private key and it was misused or stolen. Additionally, a private individual using addresses tagged as belonging to the Fantom Foundation — and thus extended a certain amount of trust — is unusual and might create security issues if these addresses are trusted by the Foundation’s contracts or those of its users, partners, etc.
This hack highlights a few key security takeaways:
If the Fantom Foundation hack was enabled by a month-old vulnerability in Google Chrome, it underscores the importance of promptly installing updates and patches.
A hardware wallet — and proper validation of the transactions that it signs — could have prevented the theft by securing the private key and/or preventing the attacker from submitting malicious transactions and tricking the user into signing them.
Always keep private keys secret and never accept a “reassigned” address.
To learn more about protecting your blockchain wallets — and the crypto that they hold — against potential attacks, check out our blog on the Top 10 Ways to Keep Your Crypto Wallet Safe From Hackers.