DeFi Project Nexus Mutual Suffers $8.25 Million Attack; Only Founder’s Personal Wallet Affected
DeFi insurance project Nexus Mutual has suffered an attack.
But for the crypto community, the only good news is that only Nexus Mutual founder Hugh Karp’s personal addresses were affected.
On Monday, the team took to Twitter to share that at 9:40 on Dec. 14, the project creator’s personal address was attacked and drained by a member of the mutual itself.
“Only Hugh’s address was affected in this targeted attack, and there is no subsequent risk to Nexus Mutual or any members,” noted the team.
370,000 NXM worth $8.25 million has been stolen from Hugh’s personal wallet.
As per the initial investigation, the attacker targeted Hugh’s hardware wallet after gaining remote access to his computer. By modifying the browser extension of the popular Ethereum wallet MetaMask, the attacker tricked Hugh into signing a different transaction, one that transferred the funds to the attacker's address.
“Since on hardware wallets you often can not validate practically what you are actually signing the weakest point to attack is the interface that creates the sign request – e.g., the Dapp,” said Martin Köppelmann, founder of the prediction market platform Gnosis.
As such, one needs to make sure that the private key signs only what the owner intends, which requires multiple signers or sanity checks that separate creating the transaction request from signing it, advised Köppelmann.
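One form such a sanity check could take, as an added example that is not code from Nexus Mutual, MetaMask or Gnosis: decode the raw sign request independently of the interface that built it and compare it with what the owner intended. It assumes the request is a standard ERC-20 `transfer(address,uint256)` call (the article does not say which call was signed); all addresses, amounts and function names are constructed for illustration.

```javascript
// Selector of transfer(address,uint256): first 4 bytes of its keccak-256 hash.
const TRANSFER_SELECTOR = "a9059cbb";

// Decode calldata laid out as selector || 32-byte address word || 32-byte amount word.
function decodeTransfer(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) throw new Error("not transfer(address,uint256)");
  const addrWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(addrWord)) throw new Error("dirty upper bytes in address word");
  return { to: "0x" + addrWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Compare what is about to be signed with what the owner intended.
// Returns a list of mismatches; an empty list means the request matches.
function checkSignRequest(request, intent) {
  const problems = [];
  if (request.to.toLowerCase() !== intent.token.toLowerCase())
    problems.push("token contract differs from intent");
  if (BigInt(request.value || 0) !== 0n)
    problems.push("unexpected ETH value attached");
  let call;
  try { call = decodeTransfer(request.data); }
  catch (e) { return problems.concat("undecodable call: " + e.message); }
  if (call.to !== intent.recipient.toLowerCase())
    problems.push("recipient " + call.to + " differs from intent");
  if (call.amount !== intent.amount)
    problems.push("amount " + call.amount + " differs from intent");
  return problems;
}

// Constructed sample data: placeholder addresses, not those from the incident.
const TOKEN = "0x" + "11".repeat(20);
const FRIEND = "0x" + "22".repeat(20);
const OTHER = "0x" + "33".repeat(20);
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const encode = (to, amt) => "0x" + TRANSFER_SELECTOR + word(to) + word(amt.toString(16));

const intent = { token: TOKEN, recipient: FRIEND, amount: 1000n };
const honest = { to: TOKEN, value: "0x0", data: encode(FRIEND, 1000n) };
const swapped = { to: TOKEN, value: "0x0", data: encode(OTHER, 9000n) };

console.log(checkSignRequest(honest, intent));  // no mismatches
console.log(checkSignRequest(swapped, intent)); // recipient and amount mismatches
```

A check like this only separates the request from the signing if it runs somewhere other than the machine that created the request, such as a second signer's device.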
According to the Nexus Mutual team, the attacker completed his KYC earlier this month and then switched the membership to a new address on Dec. 3rd.
“The mutual is not impacted; the pool of funds and all systems are safe. Our investigation is ongoing to identify the attacker and how they operated,” added the team.
Hugh also took to Twitter to urge the attacker to return the stolen NXM, offering in return to drop the investigation and grant the attacker a $300k bounty.
To the attacker. Very nice trick, definitely next level stuff.
You'll have trouble cashing out that much NXM.
If you return the NXM in full, we will drop all investigations and I will grant you a $300k bounty.
— Hugh Karp 🐢 (@HughKarp) December 14, 2020
The project currently has a total value locked (TVL) of about $94 million, and its token NXS is currently trading at $0.226, down 1.91%. The token with a market cap of $15.65 million has a year-to-date performance of about 28%.
Meanwhile, Wrapped Nexus (wNXM), which the attacker used to move the funds, is seeing a bigger drop of over 16% to $16.41.