December 7, 2022

$4.4 million stolen in attack on blockchain infrastructure Meter

Blockchain infrastructure company Meter said $4.4 million was stolen during a cyberattack on the platform that started at around 9 am ET on Saturday morning.

The company said it manages an infrastructure that allows smart contracts to scale and travel through heterogeneous blockchain networks. The Meter network, as well as the Moonriver network, were affected by the hack. 

Blockchain research company PeckShield confirmed that 1391 ETH and 2.74 BTC were stolen during the incident. 

Around 2 pm ET on Saturday, the company said it was hacked and urged users not to trade unbacked meterBNB circulating on Moonriver. 

Also: $324 million stolen from blockchain platform Wormhole

“We have identified the issue: Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. However, the contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the callers’ address. We are working on compensating funds to all affected users,” the company explained. 

By 6pm, Meter wrote that it stopped all bridge transactions and discovered that the issue related to a bug “introduced in the automatic wrap and wrap of native tokens like BNB and ETH extended by the Meter team.”

According to Meter, its extended code “had a wrong trust assumption” that let the hacker fake BNB and ETH transfers by “calling the underlying ERC20 deposit function.” 

They are working with authorities and said they found “some early traces of the hacker,” urging the culprit to return the stolen money. 

Compensation plans are allegedly being created for the users who held WETH and BNB as well as the “liquidity providers.” 

“We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team. Please try to avoid trading in these pairs as well,” the company explained. 

On Wednesday, $324 million was stolen through the popular decentralized cross-chain message-passing protocol Wormhole. Researchers found evidence of an 80,000 ETH transfer from Wormhole as well as another 40,000 of ETH being sold by the hacker on Solana. 

They have offered $10 million to the hacker for the return of the funds and offered the same amount to anyone who can provide information “leading to the arrest and conviction of those responsible for the hack.”

Just five days before the Wormhole incident, DeFi protocol Qubit Finance took to Twitter to beg hackers to return more than $80 million that was stolen from them. 

The recent hacks continue a run of attacks on DeFi and blockchain platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. Poly Network saw $611 million stolen from their platform in August, while Bitmart lost $196 million in early December.


https://www.zdnet.com/article/4-4-million-stolen-in-attack-on-blockchain-infrastructure-meter/