Hacker Uses Malicious Smart Contract to Trick EtherDelta Users

EtherDelta is quickly becoming one of the go-to solutions when it comes to exchanging ERC20 tokens. In fact, there is no token that can’t theoretically be traded on this platform. Unfortunately, the protocol was targeted by hackers a few days ago through a malicious code injection. Thousands of dollars’ worth of cryptocurrency was stolen in the process. This attack vector has been fixed already, which is a good sign.

EtherDelta “Hack” is Pretty Disconcerting

No one will be surprised to learn EtherDelta has become one of the more popular ERC20 trading platforms in the world today. Most major exchanges hardly list any ERC20 tokens these days, although the more prominent ones can be found eventually if one has enough patience. For those users who can’t be bothered to wait, however, there is EtherDelta. It is a convenient solution which provides quite a few liquid markets these days.

What makes EtherDelta so appealing is how the entire “exchange” is one smart contract. This is a good example of how powerful such smart contracts can be and how they can be used for many different purposes. This clever use of smart contract technology removes the need for centralized servers. In fact, this is a true decentralized application, of which we can only hope to see more moving forward. That doesn’t mean EtherDelta is completely safe from hacks, however.

It seems someone successfully injected malicious code into the EtherDelta “project”. More specifically, an unknown assailant started distributing a link to an unlisted EtherDelta token to cryptocurrency enthusiasts all over the world. Somehow, this link also made its way to the official EtherDelta chat room, which made it appear all the more legitimate. In reality, the URL linked to a malicious smart contract deployed by the attacker. The contract carried JavaScript code which, when executed in the victim’s browser, gave the assailant full access to the data in the user’s EtherDelta session.

To put this into normal language, the JavaScript delivered through the smart contract allowed the attacker to read the private keys belonging to users’ EtherDelta wallets directly from the browser session. Said private keys were then sent to a PHP script, which allowed the hacker to take over the wallets in question and empty account balances with relative ease. Most victims didn’t even realize the attack was taking place, considering the EtherDelta interface runs a lot of JavaScript code already. Plus, the wallets used to collect user funds are different from the information contained in the contract itself.
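
The defensive pattern this incident points to, shown as an added example (it is not EtherDelta's code or its actual fix): treat everything loaded from a custom token link as untrusted and escape it before it reaches the page. It assumes the script arrived through a contract-supplied text field such as the token name, which the article does not specify; the function names and the sample token are constructed for illustration.

```javascript
// Added example: metadata loaded from a custom-token link is attacker-controlled.
// All function names are hypothetical; the sample token is constructed and inert.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Escape the characters that let plain text break out into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the contract-supplied name is concatenated into markup,
// so any tag inside it becomes part of the page and runs in the user's session.
function renderTokenUnsafe(token) {
  return '<span class="token">' + token.name + '</span>';
}

// Hardened pattern: validate the address, strip control characters,
// cap the length, then escape before building the markup.
function renderTokenSafe(token) {
  if (!ADDRESS_RE.test(token.address)) {
    throw new Error('invalid token address');
  }
  const name = String(token.name).replace(/[\u0000-\u001f\u007f]/g, '').slice(0, 32);
  return '<span class="token" title="' + escapeHtml(token.address) + '">' +
    escapeHtml(name) + ' (unlisted)</span>';
}

// Heuristic for logging or review: token fields have no reason to contain markup.
function looksLikeMarkup(value) {
  return /[<>]|javascript:|on\w+\s*=/i.test(String(value));
}

// Constructed sample: a token whose name carries an inert script tag.
const constructedToken = {
  address: '0x' + 'ab'.repeat(20),
  name: 'FreeCoin<script>/* inert placeholder */</script>',
};

console.log(renderTokenUnsafe(constructedToken)); // tag survives intact
console.log(renderTokenSafe(constructedToken));   // tag is rendered as text
console.log(looksLikeMarkup(constructedToken.name));
```

Escaping only stops the injection itself; keeping private keys out of script-readable browser storage limits what any injected script could reach.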

Although it is unclear exactly how much money was stolen, it appears several thousand dollars’ worth of cryptocurrency is now in the hands of an unknown assailant. All of this goes to show cryptocurrency users should never trust custom token URLs related to EtherDelta or any other platform providing any functionality. The EtherDelta team has ensured such exploits can no longer be performed in the future, which is a positive turn of events. This does mean there is no trustless exchange model in existence right now, though, which is not entirely surprising.

According to Christian Montoya, there is a lot more to this JavaScript code than originally assumed. Do keep in mind the official investigation is still ongoing and a lot of relevant information has yet to be revealed. It is not the first time a hacker has successfully stolen ERC20 funds, mind you, but it is the first time someone did so using EtherDelta URLs. Thankfully, it will also be the last time, but rest assured criminals will come up with new tricks before long.