More than $2 million stolen from DeFi platform MM.Finance

MM.Finance announced this week that hackers managed to steal $2 million worth of digital assets in a Domain Name System (DNS) attack.

These kinds of attacks involve hackers targeting the availability or stability of a network’s DNS service. The team behind MM.Finance – which calls itself the largest decentralized finance ecosystem on the Cronos blockchain – said the attacker managed to “inject a malicious contract address into the frontend code.” 

“Attacker used a DNS vulnerability to modify the router contract address in our hosted files. Resolving this issue takes precedence above all. We understand that some of you have lost significant funds and are filled with worries and panic,” the company said in a post-mortem on Medium.

Users who interacted with the MM.Finance site starting on May 4 lost funds after performing swaps or adding and removing liquidity. 

“When victims navigated to mm.finance to remove liquidity, the malicious router kicked in and the LPs were withdrawn to the attacker’s address,” the company explained. 

The attacker stole more than $2 million in cryptocurrency before laundering it through Tornado Cash, a service that allows people to disguise the origin of funds. 

The company is setting up a compensation pool for those affected and the team behind the platform said it would be giving up its share of trading fees to cover the losses. The compensation pool will be open for 45 days and the company has set up a system to repay those who lost cryptocurrency. 

They also plan to hire a security company to look into their DNS configurations and will remove two of their service providers from their deployment stack to reduce their potential attack surface, the company said. 

“We take this attack vector seriously, and will ensure to do our best moving forward to eradicate such vectors,” the company added. 

In follow-up messages on Twitter, the company said it traced the stolen funds to the OKX exchange, threatening to call the FBI if the funds were not returned. The CEO of OKX said it is investigating the issue. 

“Unethical as your actions are, we concede that there is a certain mad brilliance behind your design. So here’s the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds. Straight up, this is a win-win-win for us (time), you(risk and reward) and community(recovery of stolen funds),” MM.Finance wrote on Twitter on Thursday.

“Should you decline, we’ll just sleep less and escalate this, a cost that we at MM are already so very used to. Your move.”

The company did not respond to requests for comment about whether the funds have been returned. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.