Categories: CryptoNews

Hacker Uses Malicious Smart Contract to Trick EtherDelta Users

EtherDelta is quickly becoming one of the go-to solutions when it comes to exchanging ERC20 tokens. In fact, there is no token that can’t theoretically be traded on this platform. Unfortunately, the protocol was targeted by hackers a few days ago, in the form of a malicious code injection. Thousands of dollars worth of cryptocurrency was stolen in the process. This attack vector has been fixed already, which is a good sign.

EtherDelta “Hack” is Pretty Disconcerting

No one will be surprised to learn EtherDelta has become one of the more popular ERC20 trading platforms in the world today. Most major exchanges hardly list any ERC20 tokens these days, although the more prominent ones can be found eventually if one has enough patience. For those users who can’t be bothered to wait, however, there is EtherDelta. It is a convenient solution which provides quite a few liquid markets these days.

What makes EtherDelta so appealing is how the entire “exchange” is one smart contract. This is a good example of how powerful such smart contracts can be and how they can be used for many different purposes. This clever use of smart contract technology removes the need for centralized servers. In fact, this is a true decentralized application, of which we can only hope to see more moving forward. That doesn’t mean EtherDelta is completely safe from hacks, however.

It seems someone successfully injected malicious code into the EtherDelta “project”. More specifically, an unknown assailant started distributing a link to an unlisted EtherDelta token to cryptocurrency enthusiasts all over the world. Somehow, this link also made its way to the official EtherDelta chat room, which made it appear all the more legitimate. In reality, the URL linked to a malicious smart contract deployed by the attacker. The contract is a JavaScript code which, when executed, gives the assailant full access to data on the user’s session on EtherDelta.

Related Post

To put this into normal language, the smart contract allowed the attacker to read the private keys belonging to users’ EtherDelta wallets from the browser session directly. Said private keys were then sent to a PHP script, which allowed the hacker to successfully take over the wallets in question and empty account balances with relative ease. Most victims didn’t even realize the attack was taking place, considering the EtherDelta interface runs a lot of JavaScript code already. Plus, the wallets used to collect user funds are different from the information contained in the contract itself.

Although it is unclear exactly how much money was stolen, it appears several thousands of dollars worth of cryptocurrency is now in the hands of an unknown assailant. All of this goes to show cryptocurrency users should never trust custom token URLs related to EtherDelta or any other platform providing any functionality. The EtherDelta team has ensured such exploits can no longer be performed in the future, which is a positive turn of events. This does mean there is no trustless exchange model in existence right now, though, which is not entirely surprising.

According to Christian Montoya, there is a lot more to this JavaScript code than originally assumed. Do keep in mind the official investigation is still ongoing and a lot of relavent information has yet to be revealed. It is not the first time a hacker has successfully stolen ERC20 funds, mind you, but it is the first time someone did so using EtherDelta URLs. Thankfully, it will also be the last time, but rest assured criminals will come up with new tricks before long.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Cheems Surge On BSC Network: A Rising Star With Growing Market Value

The Cheems token on the Binance Smart Chain (BSC) is gaining significant momentum, surging by…

5 hours ago

Lester Token Crashes 40% Following Official Announcement

The value of $LESTER plummeted by 40% in the past 24 hours, leaving its market…

5 hours ago

From $30K To Millions: The Wild Journey Of $Quant And Xiaohaige’s Memecoin Stunts

In a bizarre turn of events, a young live-streamer known as Xiaohaige created the memecoin…

5 hours ago

Whale “convexcuck.eth” Makes Bold $CVX Move, Nets Significant Profit Amid Price Surge

The crypto whale known as "convexcuck.eth" has made waves in the DeFi world, spending $2…

5 hours ago

$ELIZA Token Launch Marred By Insider Trading Allegations

The launch of $ELIZA, a token introduced by Andreessen Horowitz (a16z) partner @shawmakesmagic, has sparked…

5 hours ago

Cardano’s Rally Highlights Diverging Moves Among Investors

Cardano ($ADA) has been making waves in the crypto market, breaking away from the altcoin…

5 hours ago