A joint report by X-explore and WuBlockchain has revealed that the recent API bot attacks against FTX and 3Commas are having an even bigger impact than first thought.
The October 21st attack on FTX leveraged 3Commas technology and a phishing scam to gain control of multiple users’ API keys.
API key phishing exploit
Once the keys were obtained, the attackers were able to exploit specific trading pairs to steal funds. According to CEO Sam Bankman-Fried, FTX issued a statement offering a “one-time” refund to affected users. However, according to the report, the same exploit has since been observed on both the Binance US and Bittrex exchanges.
“X-explore discovered that the FTX & 3commas API theft attackers were also attacking the Binance US and Bittrex exchanges, stealing 1053 ETH and 301 ETH respectively. At present, the attack on Bittrex is still ongoing.”
How the exploit actually works
The exploit used a small number of thinly traded pairs to trade against the compromised accounts whose API keys had been stolen.
Stolen API keys usually do not permit withdrawals, but they do allow an attacker to place trades on the victim's behalf. If a key was created with withdrawal permissions enabled, an attacker may be able to withdraw funds directly; in that case the blame could lie with the user who set up the API key without basic security measures.
In this ongoing exploit, rather than withdrawing funds directly, the attackers used low-volume trading pairs to siphon money into their own accounts through thin order books. When an order book holds only a handful of resting orders, the price can be pushed far from the market with very little capital, letting the attacker pick up tokens from the compromised account at below-market rates and then exchange them for another cryptocurrency.
The attackers lose some value to trading fees and to legitimate traders whose resting orders happen to fill along the way, but this is not a major concern for them, since they are trading with other people's cryptocurrency.
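The mechanism above is easier to see with numbers. The following toy matching engine is an added illustration, not code from the X-explore/WuBlockchain report or from any exchange; the order-book levels, the attacker's parked bid and the victim's dump size are constructed values. It runs the same victim market-sell against a thin book and a deep book, which shows why only low-volume pairs are useful to the attacker: on a liquid pair the legitimate bids absorb the sell before it ever reaches the attacker's lowball order.

```python
"""Toy simulation of the order-book siphon described above.

Added example, not code from the X-explore/WuBlockchain report or any
exchange. Order-book levels, prices and quantities are constructed.
"""
from dataclasses import dataclass


@dataclass
class Bid:
    owner: str
    price: float  # quote currency per base token
    qty: float    # base tokens the bidder wants to buy


class Book:
    """Buy side of one trading pair, best (highest) bid first."""

    def __init__(self):
        self.bids = []

    def add_bid(self, bid):
        self.bids.append(bid)
        self.bids.sort(key=lambda b: b.price, reverse=True)

    def market_sell(self, qty):
        """Sell `qty` base tokens into the resting bids.

        Walks down the book from the best bid, as a matching engine does
        for a market order. Returns [(buyer, price, filled_qty), ...].
        """
        fills = []
        remaining = qty
        while remaining > 0 and self.bids:
            best = self.bids[0]
            take = min(remaining, best.qty)
            fills.append((best.owner, best.price, take))
            best.qty -= take
            remaining -= take
            if best.qty == 0:
                self.bids.pop(0)
        return fills


def siphon(fair_price, legit_bids, attacker_bid, victim_sell_qty):
    """Run one round of the attack and account for where the value went.

    fair_price      -- what the token is worth on a liquid venue
    legit_bids      -- [(price, qty), ...] resting orders from real traders
    attacker_bid    -- (price, qty) the attacker parks below market
    victim_sell_qty -- tokens dumped using the stolen API key
    """
    book = Book()
    for price, qty in legit_bids:
        book.add_bid(Bid("market", price, qty))
    book.add_bid(Bid("attacker", *attacker_bid))

    fills = book.market_sell(victim_sell_qty)
    sold = sum(q for _, _, q in fills)
    received = sum(p * q for _, p, q in fills)
    to_attacker = sum(q for o, _, q in fills if o == "attacker")
    attacker_paid = sum(p * q for o, p, q in fills if o == "attacker")

    return {
        "tokens_to_attacker": to_attacker,
        # the attacker later converts the cheap tokens elsewhere at fair value
        "attacker_profit": to_attacker * fair_price - attacker_paid,
        # the victim gave up `sold` tokens worth fair_price each for `received`
        "victim_loss": sold * fair_price - received,
        "tokens_unsold": victim_sell_qty - sold,
    }


# Constructed scenario: the token is fairly worth 1.00 quote.
FAIR = 1.00
THIN_BOOK = [(0.99, 100), (0.98, 50)]   # a few small resting bids
DEEP_BOOK = [(0.99, 10_000)]            # liquid pair
ATTACKER_BID = (0.50, 10_000)           # parked 50% below market
VICTIM_DUMP = 5_000                     # tokens sold with the stolen key


def thin_book_result():
    return siphon(FAIR, THIN_BOOK, ATTACKER_BID, VICTIM_DUMP)


def deep_book_result():
    return siphon(FAIR, DEEP_BOOK, ATTACKER_BID, VICTIM_DUMP)


if __name__ == "__main__":
    print("thin book:", thin_book_result())
    print("deep book:", deep_book_result())
```

On the thin book the first 150 tokens go to legitimate bidders near the fair price and the remaining 4,850 fall through to the attacker at half price; on the deep book the attacker's bid is never reached and the victim's only cost is the normal spread. The real attack used a buy-side variant as well (the stolen key buys into an inflated ask), but the accounting is the mirror image.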
Further affected exchanges
According to the X-explore and WuBlockchain report, 1053 ETH was stolen from Binance US between October 13th and October 17th. The attacker likely used the SYS-USD trading pair, which has an average trading volume of just $2 million.
A similar attack took place on Bittrex, stealing a total of 301 ETH between October 23rd and October 24th. The report suggests the attacker most likely targeted the NXT-BTC trading pair, which during that period had the second largest spot trading volume on Bittrex. In the days before the exploit, NXT-BTC volume was far smaller, which the report considers suspicious.
X-Explore comments on events
In the summary of the report, X-explore says its analysis reveals “new theft methods” within the crypto space and highlights three areas to review in order to reduce the likelihood of similar exploits in the future: fundamental security, spot token security, and transaction security.
Regarding fundamental security, X-explore argued that exchanges should “design more secure product logic to prevent phishing attacks from harming users.” However, given that the affected users appear to have applied at least basic hygiene to their API keys (no direct withdrawals were reported), it is difficult to establish what else could be done here.
For API keys to work as intended in systems such as 3commas, no additional human intervention can be required for each transaction. 3commas lets users run high-frequency automated trading strategies; once set up, a strategy executes automatically whenever its defined criteria are met. Hardening this aspect without breaking that use case will therefore prove challenging for exchanges.
However, phishing as an attack vector is something exchanges can revisit on its own. Some deploy a secret code (often called an anti-phishing code) that the user chooses and the exchange includes in every genuine message, so users can ignore and report any email that does not carry their code, as long as the exchange account itself has not been hijacked.
X-explore determined that the current bear market has opened up this attack vector: the low volume of some spot trading pairs is a vulnerability that needs to be addressed.
“In order to provide users with more trading options, major exchanges have issued a large number of tokens and did not delist them.”
The final point in X-explore's report relates to transaction security. X-explore highlighted that the exploited trading pair on FTX saw a “1,000x increase in trading volume.” However, it does not recommend any action to be taken when an abnormally high volume is recorded.
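One detection signal an exchange could act on, given the volume patterns the report describes (a 1,000x jump on FTX, and NXT-BTC on Bittrex going from near-silence to second-largest pair), is the combination of a volume spike against a trailing baseline with an unusually high share of that volume flowing between a single buyer/seller pair. The code below is an added example and not from the report or any exchange; the daily volumes, trade records, seven-day window and the 50x / 80% thresholds are all constructed or assumed values that a real deployment would tune.

```python
"""Volume-spike and counterparty-concentration checks for spot pairs.

Added example, not code from the X-explore report. Daily volumes, trade
records, window length and thresholds are constructed/assumed values.
"""
from collections import Counter
from statistics import median


def volume_spike_ratio(history, window=7):
    """Latest day's volume divided by the median of the `window` days before it.

    A median baseline is used so that a single earlier spike cannot mask
    a new one the way a mean would.
    """
    if len(history) < window + 1:
        raise ValueError("need at least window+1 days of history")
    baseline = median(history[-window - 1:-1])
    latest = history[-1]
    if baseline == 0:
        return float("inf") if latest > 0 else 0.0
    return latest / baseline


def counterparty_concentration(trades):
    """Largest share of the day's volume traded between one buyer/seller pair.

    trades: iterable of (buyer_account, seller_account, qty). A pair whose
    volume is dominated by two accounts facing each other matches the
    victim-dumps-into-attacker pattern described in the article.
    """
    by_pair = Counter()
    total = 0.0
    for buyer, seller, qty in trades:
        by_pair[(buyer, seller)] += qty
        total += qty
    if total == 0:
        return 0.0
    return max(by_pair.values()) / total


def flag_pairs(volumes, trades_today, window=7,
               spike_threshold=50.0, concentration_threshold=0.8):
    """Return {pair: (spike_ratio, concentration)} for pairs tripping both checks."""
    flagged = {}
    for pair, history in volumes.items():
        ratio = volume_spike_ratio(history, window)
        conc = counterparty_concentration(trades_today.get(pair, []))
        if ratio >= spike_threshold and conc >= concentration_threshold:
            flagged[pair] = (ratio, conc)
    return flagged


# Constructed sample data (not real exchange figures).
VOLUMES = {
    # seven quiet days, then a day that dwarfs them, as reported for NXT-BTC
    "NXT-BTC": [0.8, 1.1, 0.9, 1.0, 1.2, 0.7, 1.0, 1200.0],
    # ordinary day-to-day variation on a liquid pair
    "BTC-USD": [40_000] * 7 + [44_000],
}
TRADES_TODAY = {
    "NXT-BTC": [("acct_attacker", "acct_victim", 100.0)] * 11
               + [("acct_x", "acct_y", 50.0), ("acct_y", "acct_z", 50.0)],
    "BTC-USD": [("a", "b", 1.0), ("c", "d", 1.0), ("e", "f", 1.0)],
}


def run_checks():
    return flag_pairs(VOLUMES, TRADES_TODAY)


if __name__ == "__main__":
    for pair, (ratio, conc) in run_checks().items():
        print(f"{pair}: volume {ratio:.0f}x baseline, "
              f"{conc:.0%} of volume between one buyer/seller pair")
```

Requiring both signals keeps a legitimate listing announcement or news-driven spike (high volume, many counterparties) from tripping the alert, while a siphon (high volume, one dominant counterparty pair) still does. What to do on a hit is a policy decision the report leaves open; pausing API-key trading on that pair pending review is the least disruptive option, since legitimate bots can be re-enabled once the spike is explained.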