Crypto Researchers Prevent $10 Million Theft in ERC-1967 Proxy Contracts

Crypto security researchers recently uncovered and neutralized a significant threat that had been silently compromising thousands of smart contracts, potentially preventing over $10 million in cryptocurrency from being stolen. The vulnerability, discovered on Tuesday, involved a backdoor exploit targeting uninitialized ERC-1967 proxy contracts. This exploit allowed attackers to hijack contracts before they were properly set up, injecting malicious implementations that could have been activated at any time.

The discovery was made by Venn Network, a pseudonymous researcher who shared the findings on X. The researcher, Deeberiroz, highlighted that the exploit had been threatening the ecosystem for months. The vulnerability was identified during a 36-hour rescue operation involving several developers, including security researchers Pcaversaccio, Dedaub, and Seal 911. These experts worked together to evaluate affected contracts and secure vulnerable funds.

Or Dadosh, co-founder and president of Venn Network, explained that the attacker had front-run contract deployments, injecting malicious implementations that created a hidden backdoor in thousands of contracts. This backdoor remained undetected and unremovable for months, making malicious activity nearly invisible once the contract was initialized. The security researchers successfully outmaneuvered the attackers by keeping the vulnerability under wraps during the operation, leading to a successful rescue.

Several decentralized finance (DeFi) protocols were able to secure hundreds of thousands in crypto during the operation, acting in time before the attackers could siphon the assets. Dadosh noted that tens of millions of dollars were potentially at risk, and the threat could have grown larger, endangering a significant portion of the total value locked (TVL) held by the involved protocols.

One of the affected protocols was Berachain, whose team responded by pausing the affected contract. The Berachain Foundation recognized the potential vulnerability and paused its incentive claim contract, transferring its funds to a new contract. The foundation assured users that no funds were at risk or lost, and incentives would be claimable again within the next 24 hours as merkles for distribution were recreated.

David Benchimol, a security researcher at Venn Network, suspects that the infamous North Korean hacking group, Lazarus, may have been involved in the attack. Benchimol noted that the attack vector was very sophisticated and deployed on every Ethereum Virtual Machine (EVM) chain. The researcher also pointed out that the attacker was waiting for a bigger target before performing an attack, making it more likely to be from an organized group. However, there is no confirmation that Lazarus was involved in the attack.