In a significant security breach, a crypto whale lost approximately $55.4 million worth of Dai stablecoins due to a phishing attack. The incident, first reported by on-chain analyst ZachXBT, involved the exploitation of a vulnerability that allowed the attacker to access the victim’s externally owned account (EOA) controlling a Maker vault.The attacker utilized a phishing tool known as Inferno Drainer, which lures victims through fake websites or emails that impersonate legitimate exchanges or DeFi protocols.
Key Highlights:
The incident underscores the ongoing security challenges faced by DeFi protocols, with previous reports indicating that the crypto industry has suffered over $1.19 billion in losses year-to-date due to hacks and scams. As the landscape continues to evolve, users are reminded to exercise caution and remain vigilant against phishing attempts and other security threats in the cryptocurrency space.Read more at The Block.
- By gaining access to the user’s EOA, the attacker was able to transfer ownership of the victim’s decentralized service proxy (DSProxy) to a new address, effectively taking control of the Maker vault and its associated assets.Security firm CertiK confirmed that the attacker managed to transfer the ownership of the user’s DSProxy to an address controlled by the attacker. This DSProxy is a smart contract that enables users to execute multiple contract calls in a single transaction.
- Once the attacker gained control of the Maker vault, they set the protocol's owner address to their wallet and minted 55,473,618 Dai stablecoins into it.Blocksec, another security firm, corroborated the details of the attack, noting that the victim likely signed a transaction to change the vault owner, which allowed the attacker to drain the vault. On-chain data suggested that the Maker Vault owner had assigned ownership of the DSProxy to a phishing address during the transaction.