Today, a DPRK state-affiliated group access to one of our developer’s private keys
Contents
Today at approximately 12:05 UTC, a DPRK state-affiliated group known for many hacks in Web3 gained access to one of our developer’s private keys. Using these, they were able to mint a large amount of SFUND tokens through a bridge contract that had previously passed audit.
The OFT contract was compromised as a result, allowing the attacker to modify the contract settings and mint unauthorized tokens on Avalanche.
This contract should not have been able to mint these tokens without any token being bridged. We used one of the most trusted and experienced auditors in the world to review these contracts and were assured that they were secure contracts that passed audits. We will be in touch with our auditors and security experts to review the security of all of our other infrastructure.
These tokens were bridged to Ethereum, Arbitrum, and Base, where the attacker drained available liquidity pools, and subsequently …
The OFT contract was compromised as a result, allowing the attacker to modify the contract settings and mint unauthorized tokens on Avalanche.
This contract should not have been able to mint these tokens without any token being bridged. We used one of the most trusted and experienced auditors in the world to review these contracts and were assured that they were secure contracts that passed audits. We will be in touch with our auditors and security experts to review the security of all of our other infrastructure.
These tokens were bridged to Ethereum, Arbitrum, and Base, where the attacker drained available liquidity pools, and subsequently …