DNS Hi-Jacking Post Mortem & Compensation

MMFinance
May 4, 2022


Dear Burrow,

Issue

The MM.finance site was the subject of a DNS attack earlier, in which an attacker managed to inject a malicious contract address into the frontend code. The attacker used a DNS vulnerability to modify the router contract address in our hosted files.

Resolving this issue takes precedence above all. We understand that some of you have lost significant funds and are filled with worries and panic. That being said, at this juncture, the best thing we can do for all of us is to drop the emotions as much as possible, and work together through this hurdle.

As a result, users who interacted with our MM.Finance site from 4th May 07:28 PM UTC onward lost funds upon performing the following actions:

  • Swaps
  • Add liquidity
  • Remove liquidity

When victims navigated to mm.finance to remove liquidity, the malicious router kicked in and the LPs were withdrawn to the attacker’s address.

Attacker’s address: https://cronoscan.com/address/0xb3065fe2125c413e973829108f23e872e1db9a6b

Approximately $2,000,000 USD+ worth of digital assets has been compromised, bridged over to the Ethereum network via Multichain, and then laundered through Tornado Cash.

Resolution

Our team currently includes cyber-security experts who are monitoring the sites around the clock. This is also why we were able to respond immediately, informing our beloved community members about this hijack attempt and resolving this attack.

Going forward, we will be bringing in other security firms to look into DNS configurations from the service provider end to prevent attacks of similar nature.

We will also be removing 2 service providers from our deployment stack; this will reduce the attack vectors significantly.

This DNS attack has already occurred and our consequent actions will now nullify potential follow-up attempts from this attacker. In other words, apart from the price action that came from the selling of our tokens from the malicious wallet, there should NOT be any other consequential impact on our ecosystem coins.

Most importantly, all smart contracts are safe, and funds of all users are SAFU. This means that all MM Ecosystem tokens are not affected. You do not need to panic with regard to the tokens.

When performing a swap, make sure to do the following:

  • Perform a hard refresh of the site (CTRL-SHIFT-R or CMD-SHIFT-R)
  • Make sure that when you are performing swaps, you see a confirmation dialog that shows our router address as shown in the image above: 0x145677FC4d9b8F19B5D56d1820c48e0443049a30
  • For extra safety, add our router contract to your address book so that you will be certain that this is indeed the correct router.
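
The router-address check in the list above can also be run on the operator side against the served frontend files. The following is an added example, not MM.Finance's code: it scans a JavaScript bundle for address literals and flags any that are not on an allowlist. The function names, sample bundles and substituted address are constructed; only the router address comes from this post.

```javascript
// Added example: audit frontend files for unexpected contract addresses.
// EXPECTED_ROUTER is the router address stated in this post; the function
// names, sample bundles and substituted address below are constructed.
const EXPECTED_ROUTER = "0x145677FC4d9b8F19B5D56d1820c48e0443049a30";

// 0x followed by exactly 40 hex characters and not continuing into a longer
// hex run, so 32-byte hashes and calldata are not mistaken for addresses.
const ADDRESS_RE = /0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g;

// Addresses are compared case-insensitively (EIP-55 casing is only a checksum).
function normalize(addr) {
  return addr.toLowerCase();
}

// Return every address literal in `source` that is not on the allowlist,
// together with the character offset where it was found.
function findUnexpectedAddresses(source, allowlist) {
  const allowed = new Set(allowlist.map(normalize));
  const findings = [];
  for (const m of source.matchAll(ADDRESS_RE)) {
    if (!allowed.has(normalize(m[0]))) {
      findings.push({ address: m[0], offset: m.index });
    }
  }
  return findings;
}

// A file passes only if the expected router is present AND no address
// outside the allowlist appears anywhere in it.
function auditBundle(source, allowlist = [EXPECTED_ROUTER]) {
  const unexpected = findUnexpectedAddresses(source, allowlist);
  const routerPresent = normalize(source).includes(normalize(EXPECTED_ROUTER));
  return { ok: routerPresent && unexpected.length === 0, routerPresent, unexpected };
}

// Constructed sample inputs: one untouched bundle, one with the router swapped.
const SUBSTITUTED = "0x" + "0".repeat(36) + "dEaD"; // constructed placeholder
const cleanBundle = `const ROUTER_ADDRESS="${EXPECTED_ROUTER.toLowerCase()}";`;
const tamperedBundle = `const ROUTER_ADDRESS="${SUBSTITUTED}";`;

console.log(auditBundle(cleanBundle));    // ok: true
console.log(auditBundle(tamperedBundle)); // ok: false, one unexpected address
```

A real frontend references many token and pair contracts, so the allowlist passed to `auditBundle` would need to contain all of them.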

Compensation

Our team is sorry that this happened, and we will do our best to make sure that funds are restored to those who lost them.

On our end, we will set up a compensation pool for those who are affected.

For those whose funds were unfortunately stolen in the attack, the team will be executing this compensation plan: Our team will forsake our dev share of trading fees and purchase MUSD with all these trading fees. We will then place all MUSD into a compensation pool to allow users to claim. A snapshot will be done shortly and the amount in USD which you have lost will be tabulated so you can be fairly compensated. Your wallet addresses will be added into the compensation pool. This compensation pool will run for 45 days.

Conclusion

We take this attack vector seriously, and will do our best moving forward to eradicate such vectors. Also, we hope that this compensation package is a welcome one, as this package does not inflate the circulating supply of MM ecosystem tokens, but will instead increase adoption of the MUSD token. In turn, these MUSD tokens can potentially find their way back into the different MM ecosystem tokens.

Come what may, it will take much more than this to throw a wedge in our Mad Adventure.

The Madness resumes.
