Skip to content

How 3 hours of Amazon’s idleness cost cryptocurrency holders $235,000

    How 3 hours of Amazon's idleness cost cryptocurrency holders $235,000

    Amazon recently lost control of the IP addresses it uses to host cloud services and it took more than three hours to regain control, a flaw that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers. according to an analysis.

    The hackers seized control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known vulnerabilities in a core Internet protocol. Short for border gateway protocol, BGP is a technical specification that traffic routing organizations, also known as autonomous system networks, use to interact with other ASNs. Despite its critical function in routing large amounts of data around the world in real time, BGP still largely relies on the Internet equivalent of word of mouth for organizations to keep track of which IP addresses rightfully belong to which ASNs.

    A case of mistaken identity

    Last month, autonomous system 209243, which belongs to UK-based network operator Quickhost.uk, suddenly began announcing that its infrastructure was the right path for other ASNs to access what’s known as a /24 block of IP addresses of AS16509, one of at least three ASNs managed by Amazon. The hijacked block included 44.235.216.69, an IP address that hosts cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.

    On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, as they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. Possessing the certificate, the hijackers then host their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page.

    In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this article from Coinbase’s threat intelligence team.

    Coinbase TI Analysis

    Coinbase team members explained:

    The phishing contract is very similar to the official Celer Bridge contract in mimicking many of its characteristics. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique for each chain and is configured upon initialization. The command below illustrates the contents of the storage slot responsible for the proxy configuration of the phishing contract:

    Phishing smart contract proxy storage
    enlarge / Phishing smart contract proxy storage

    Coinbase TI Analysis

    The phishing contract steals users’ money in two ways:

    • All tokens approved by phishing victims are flushed using a custom method with a value of 4 bytes 0x9c307de6()
    • The phishing contract takes precedence over the following methods designed to immediately steal a victim’s tokens:
    • send() – used to steal tokens (e.g. USDC)
    • sendNative() — used to steal native assets (e.g. ETH)
    • addLiquidity() – used to steal tokens (eg USDC)
    • addNativeLiquidity() — used to steal native assets (e.g. ETH)

    Below is an example of a reverse engineered snippet that redirects assets to the attacker’s wallet:

    Fragment of smart contract for phishing
    enlarge / Fragment of smart contract for phishing

    Coinbase TI Analysis