In a Domain Name System (DNS) attack, hackers managed to steal $2 million worth of digital assets, according to MM.Finance.
“Attacker changed the router contract address in our hosted files via a DNS vulnerability.” This problem must be resolved first and foremost. In a Medium post-mortem, the company said, “We understand that some of you have lost considerable sums and are filled with anxieties and despair.”
Hackers target the availability or stability of a network’s DNS service in these types of attacks. The attacker was able to “inject a malicious contract address into the frontend code,” according to the team behind MM.Finance, which bills itself as the world’s largest decentralised finance ecosystem on the Cronos blockchain.
Users who interacted with the MM.Finance site starting on May 4 lost funds after performing swaps or adding and removing liquidity.
The attacker stole more than $2 million in cryptocurrency before laundering it through Tornado Cash, a service that allows people to disguise the origin of funds.
“When victims navigated to mm.finance to remove liquidity, the malicious router kicked in and the LPs were withdrawn to the attacker’s address,” the company explained.
The company is setting up a compensation pool for those affected and the team behind the platform said it would be giving up its share of trading fees to cover the losses. The compensation pool will be open for 45 days and the company has set up a system to repay those who lost cryptocurrency.
They also plan to hire a security company to look into their DNS configurations and will remove two of their service providers from their deployment stack to reduce their potential attack surface, the company said.
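Because the attack worked by swapping the router contract address inside the files served to users, one complementary control is to audit the served frontend bundle against a pinned list of contract addresses. The sketch below is an added example, not code from MM.Finance or the original article; the addresses, bundle text and the function name `auditBundle` are constructed for illustration.

```javascript
// Added example: flag contract addresses in a served frontend bundle that are
// not on a pinned allowlist, and pinned addresses that have disappeared.
// Every address and bundle string below is constructed sample data.

// Allowlist kept out-of-band (for example in the monitoring repo), lowercase.
const PINNED = new Map([
  ["0x1111111111111111111111111111111111111111", "router"],
  ["0x2222222222222222222222222222222222222222", "factory"],
]);

// A 20-byte hex address that is not the prefix of a longer hex string
// (so 32-byte transaction hashes are not reported as addresses).
const ADDRESS_RE = /0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g;

function auditBundle(source, pinned = PINNED) {
  const seen = new Set();
  // Normalise case: checksummed and lowercase forms are the same address.
  for (const m of source.matchAll(ADDRESS_RE)) seen.add(m[0].toLowerCase());
  const unexpected = [...seen].filter((a) => !pinned.has(a));
  const missing = [...pinned.keys()].filter((a) => !seen.has(a));
  return { ok: unexpected.length === 0 && missing.length === 0, unexpected, missing };
}

// Constructed bundle as the build pipeline produced it.
const CLEAN_BUNDLE =
  'export const ROUTER="0x1111111111111111111111111111111111111111";' +
  'export const FACTORY="0x2222222222222222222222222222222222222222";' +
  'const lastTx="0x' + "ab".repeat(32) + '";';

// Constructed bundle as a hijacked host might serve it: router swapped.
const TAMPERED_BUNDLE = CLEAN_BUNDLE.replace(
  "0x1111111111111111111111111111111111111111",
  "0x" + "DeaDbeef".repeat(5)
);

for (const [name, body] of [["clean", CLEAN_BUNDLE], ["tampered", TAMPERED_BUNDLE]]) {
  const r = auditBundle(body);
  console.log(name, r.ok ? "OK" : "ALERT", JSON.stringify(r));
}
```

In practice the bundle text would be fetched from the production hostname on a schedule and from more than one network vantage point, since a DNS-level change may not be visible to every resolver.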
“We take this attack vector seriously, and will ensure to do our best moving forward to eradicate such vectors,” the company added. In follow-up messages on Twitter, the company said it traced the stolen funds to the OKX exchange, threatening to call the FBI if the funds were not returned. The CEO of OKX said it is investigating the issue.
“Unethical as your actions are, we concede that there is a certain mad brilliance behind your design. So here’s the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds. Straight up, this is a win-win-win for us (time), you (risk and reward) and community (recovery of stolen funds),” MM.Finance wrote on Twitter on Thursday. “Should you decline, we’ll just sleep less and escalate this, a cost that we at MM are already so very used to. Your move.”
The company did not respond to requests for comment about whether the funds have been returned.
News Summary:
- MM.Finance, a DeFi platform, was robbed of more than $2 million