Cybercrime is on rise in the crypto scene, often costing thousands and millions in damages. One of the recent victims of cybercrime in crypto space is Chainlink Oracle which led to a hefty loss of around 700 ETH. The incident happened last weekend (August 30, 2020) when nine Chainlink Oracle node operators fell prey to a spammer who drained out around $335,000 from operators’ hot wallets in the name of price feed queries.
The launch of the attack
It all started with an apparently valid price feed plea from the attacker to which the node responded readily with a steady flow of gas fees (ETH transaction fees). The spammer successfully conducted the attack capitalizing on operators’ extra gas for minting Chi tokens- that are developed by 1inch.Exchange.
ETH gas prices are gwei denominated. The spammer cashed in on increased fees on network by hiking up gas costs and then by minting the Chi tokens on these escalated levels. Now, normally, these tokens are meant to cover up higher gas costs yet here the spammer sold the tokens for ETH. Then, the spammer went for ETH-based transaction-mixer Tornado Cash to murk the path for ETH transactions.
The 9 operators that were attacked include:
- T-Systems
- Anyblock Analytics
- 01 Node
- ChainLayer
- B-Harvest
- Figment Networks
- LinkPool
- Everstake
- And Chainlink itself
The attacker especially chose those operators that carry larger balances (say 50 ETH).
The aftermath
The attack lasted for around 2 hours during which the node operators could not cater to any more data requests as they were completely drained off of their ETH balances by that time. It took the operators some time to realize that they are under attack as the attack started with a very normal request for price feed. When they noticed a large amount of ETH was getting drained out from their wallets, they initially thought it was due to a sudden gas spike. In fact, they began to refill their wallets immediately. But when the refilled batch started getting drained as well, it triggered a warning bell.
Alarmed, the operators reported to Chainlink immediately on which the Oracle portal patched the security team as fast as possible. A prompt decision was made and Chainlink operators unanimously decided to check the whitelist. In whitelist solution, the operators tend to rank only the most crucial requests that come from most proactive DeFi protocols and cater to their requests only- blocking other non-whitelisted requests.
What would be a permanent solution?
Although whitelisting worked in this case yet it can only serve as a temporary solution in such instances. For a more permanent result, Chainlink would have to find an even plain with the actual consumers of data.
Thankfully, Chainlink has offered assistance and grants to node operators who have been the victims of the attack.
Credit: Source link
