Hack Attack, Volume 4: Waves

The Ocean
4 min read, Jul 31, 2018


Waves is a proof-of-stake blockchain and platform that aims to be a comprehensive ecosystem for trading. It offers a token issuance system, a core wallet, and a decentralized exchange. It was founded in 2016 in Russia and recently left beta testing, on July 24th, after a month of live activity.

DNS Phishing

Waves enables decentralized trading by hosting wallets in a manner similar to IDEX. Cryptocurrency and tokens can be withdrawn and deposited for trading, yet the wallet is not owned by the exchange and is instead initiated through a recovery seed, a series of words that essentially function as a master username and password. When the platform left beta, users were prompted to reactivate their accounts by inputting a seed phrase.

It was then quickly discovered that the Waves website was compromised. The bad actor(s) had gained control of the recovery page and attempted to phish (to steal sensitive information by posing as a trustworthy entity) for users’ seed phrases.

Waves’ official Twitter quickly posted an urgent warning, prompting users not to reactivate their accounts until further notice.

At this point in time, no third-party auditor has officially analyzed how the security breach occurred. However, in a statement to Coindesk, Waves’ CEO, Sasha Ivanov, gave the following account.

“Someone just faked my passport and gave it to support [staff] at the domain company and they changed the password at his request. Then the attacker was able to change the main website.” — Sasha Ivanov, Waves

It seems likely that this social engineering attack succeeded because Two-Factor Authentication (2FA) was not enabled on the domain registrar account.

Whatever the case, Sasha Ivanov reported later that day, without giving further details, that the security issue was solved and no customer funds were stolen.

Takeaways

  1. Teams should actively protect themselves — especially in the crypto world: Exchanges should be aware of potential vulnerabilities and actively address them. This includes preemptive protections, like 2FA and other simple yet effective measures. And this can also mean comprehensive security audits from third-party teams.
  2. The problem of the seed phrase: As a function of hosting a core wallet, users were asked to enter their wallets’ recovery phrases on the Waves website. This is an example of a centralized point of entry and attack vector that was easily exploited. At The Ocean, we ask users to use their MetaMask, Ledger, or other wallets with our order book. This reduces the risk of phishing attacks from an infrastructural perspective as traders are never asked to enter wallet-related information into our platform.
  3. Better wallet solutions overall: Seed phrases (a long string of 10+ nonsensical words) are almost impossible to immediately memorize. Users write them on pieces of paper, in Notepad files, or even worse, on the cloud. Yet, they are the only means of account recovery for most wallets. Once you lose it or it’s compromised, your funds are essentially gone! There are some solutions on the way that involve the burgeoning field of biometrics (i.e. facial or voice recognition access), but until then, the wider adoption of self-custody is dependent on how wallets improve their UI/UX.
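The attack above went through the domain registrar rather than the web servers, so one cheap preemptive control is to snapshot a domain’s known-good DNS records and alert on any drift. The following is an added example, not code from The Ocean or Waves; the domain name, the baseline records and the “hijacked” snapshot are constructed placeholders, and the resolver is pluggable so the check runs offline.

```python
"""Detect registrar/DNS tampering by comparing live records to a baseline.
Added example; all record values below are constructed, not real."""
import socket
from typing import Callable, Dict, List, Set

Records = Dict[str, Set[str]]

DOMAIN = "example.invalid"  # placeholder, not the real exchange domain

# Known-good records, captured while the registrar account is known to be intact.
# Constructed sample values.
BASELINE: Records = {
    "NS": {"ns1.goodhost.example", "ns2.goodhost.example"},
    "A": {"203.0.113.10"},
}


def detect_drift(baseline: Records, observed: Records) -> List[str]:
    """Return one finding per record type whose observed set differs from the
    baseline. An empty list means no drift was seen."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        added, removed = seen - expected, expected - seen
        if added or removed:
            findings.append(f"{rtype}: added={sorted(added)} removed={sorted(removed)}")
    return findings


def resolve_a(domain: str) -> Records:
    """Live resolver using only the stdlib (needs network). It can see A records
    only; NS/MX checks need a DNS library such as dnspython."""
    return {"A": set(socket.gethostbyname_ex(domain)[2])}


def check(domain: str, baseline: Records,
          resolver: Callable[[str], Records]) -> List[str]:
    """Run one monitoring pass with the given resolver."""
    return detect_drift(baseline, resolver(domain))


# Constructed snapshot simulating a registrar hijack: one nameserver repointed
# and the A record now serving a copy of the site from elsewhere.
HIJACKED_SNAPSHOT: Records = {
    "NS": {"ns1.goodhost.example", "ns1.elsewhere.example"},
    "A": {"198.51.100.77"},
}

if __name__ == "__main__":
    for finding in check(DOMAIN, BASELINE, lambda _d: HIJACKED_SNAPSHOT):
        print("ALERT", finding)
```

In production the snapshot would come from `resolve_a` or a full DNS library on a schedule, with the baseline re-captured only after an authorized change.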

__________________________

Don’t forget to sign up and join our Telegram for launch in just a few weeks!

Follow us on Twitter at @TheOceanTrade or subscribe to our newsletter to stay in the loop.


The Ocean is a high performance 0x-based Ethereum ERC20 token trading platform. Sign up for launch news: www.theocean.trade