EtherDelta’s DNS Hacked, Website Replaced With Hacker’s Duplicate to Steal Funds

On Wednesday, December 20, the decentralized exchange EtherDelta fell victim to a malicious phishing attack on its DNS server. The hacker compromised EtherDelta’s website, rerouting transacted funds to a replica site that replaced the legitimate one for a number of hours.

Decentralized but Still Compromised

At 1:34 p.m. EST, EtherDelta tweeted a message suggesting that its DNS server had been hacked, followed up by a series of tweets suggesting that the original website had been replaced by a doppelganger created by the hacker.

The culprit created a near-replica of the exchange’s website, barring a few technical functions and cosmetic features. According to the tweets, the spoof site included a fake order book but neglected to include a chat box or Twitter feed.

During the crafty phishing attack, users who interacted with the fraudulent site may have had their funds stolen. Users who deposited or withdrew funds using the imposter site at the time of the attack more than likely sent their funds directly to the hacker’s wallet address.

The attack ran from approximately 1:30 p.m. to 8:00 p.m. EST, and EtherDelta suspended its service during the raid. After bagging a hefty 308 ETH (approximately US$244,000) and a considerable amount of ERC20 tokens, the hacker split the funds between various wallet addresses around 1:30 a.m. the following day.

It’s important to note that while EtherDelta’s website was breached, the smart contracts it utilizes were not. This means that if you didn’t upload or enter a private key on the fake site at the time of the attack, your funds could not be touched. EtherDelta users have the option of managing their funds with a Ledger Nano S, with the MEW browser wallet, or by manually inputting an account’s private keys.

The EtherDelta team made it clear in Thursday morning’s tweet that if you were using a Ledger Nano S or MEW wallet at the time of the phishing attack, your funds are safe. They also clarified that deposits on the exchange can only be accessed using an individual’s private key. So long as you never uploaded your key to the fake site, your funds were safe in the exchange’s smart contracts.

Could’ve Been Worse

2017 has been hard on exchanges. It seems like every time we turn around, a new exchange has been hit, more funds have been stolen, and the collateral damage leaves individual coffers bleeding.

The phishing attack on EtherDelta is unfortunate, but thanks to the exchange’s internal security features, it isn’t devastating. The site definitely bit the bullet, but unlike Youbit in the fallout of its own hacking, it didn’t bite the dust. EtherDelta’s decentralized nature and the smart contracts it employs are largely to thank for minimizing the damage.

With a trusted, centralized exchange like Youbit, a hacker need only compromise the exchange’s server to access its hot wallet. This hot wallet holds reserves of the funds the exchange manages for its users. Like a bank with fiat, you trust the exchange to hold your keys for you as credit, and when you wish to withdraw your assets, it debits your funds by relinquishing the keys. The danger of this system is that if a hacker compromises the exchange, he or she has access to any and all funds.

With EtherDelta, however, the exchange doesn’t hold any keys; the users do, managing them using Ethereum-powered smart contracts. This is why the hacker had to make a fake website. There’s no reserve to tap into, so unless users revealed their private keys on the hacker’s copycat site, their funds could not be stolen. It also helped that the exchange runs on a series of nodes and has no central access point. Essentially, this insulated the exchange and its smart contracts from being compromised, and it’s the reason the hacker could only execute a phishing attack from the website’s DNS server.

As of yesterday morning, EtherDelta’s site is back up and running.

Colin Harper

Colin is a freelance writer from Nashville, TN, making his way by writing on crypto-related topics and global politics. When he's not writing on or researching cryptocurrencies, he's likely doing something else or nothing at all--who can really say?
