The attack was caused by an improperly executed deletion of the deprecated IBSV cToken. Its alternatives were already active, at the same price point at the time, allowing unknown bad actors to manipulate pricing and squeeze around $6 million worth of cryptocurrency out of the platform.
According to blockchain security researcher Halborn, due to the unverified smart contracts responsible for the prices of both tokens, it is difficult to conduct a proper analysis of the attack. Also, the smart contract itself was not compromised, only the token itself, which should not have been listed at the same time. Just hours after the exploit, over 1,100 ETH (worth approximately $1.79 million at the time) was sent to TornadoCash.
However, according to Peckshield and Beosin, the rest of the stolen funds appear to be moving again. 2,415 ETH, worth over $3.8 million at the time of writing, was sent to TornadoCash from wallets associated with the attack.
This brings the total amount transferred to TornadoCash to a whopping 3515.4 ETH, currently worth over $5.7 million. The remaining hundreds of thousands are still stashed in the attackers' wallets and may soon be sent to crypto mixers.
Thankfully, there’s a silver lining to this story this is the biggest attack on a cryptocurrency company in January, and it’s a far cry from last year’s Harmony or Ronin attacks. Overall, around $8.8 million worth of cryptocurrency was lost to hacks in January, representing a more than 90% reduction in stolen value compared to January 2022.
Whether this is because developers are starting to take security more seriously or other factors, it's important to realize that cybersecurity is a constant battle -- and developers better stay vigilant if they want to maintain a positive track record.
