How 3 hours of Amazon’s idleness cost cryptocurrency holders $235,000
Amazon recently lost control of the IP addresses it uses to host cloud services and it took more than three hours to regain control, a flaw that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers. according to an analysis.
The hackers seized control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known vulnerabilities in a core Internet protocol. Short for border gateway protocol, BGP is a technical specification that traffic routing organizations, also known as autonomous system networks, use to interact with other ASNs. Despite its critical function in routing large amounts of data around the world in real time, BGP still largely relies on the Internet equivalent of word of mouth for organizations to keep track of which IP addresses rightfully belong to which ASNs.
A case of mistaken identity
Last month, autonomous system 209243, which belongs to UK-based network operator Quickhost.uk, suddenly began announcing that its infrastructure was the right path for other ASNs to access what’s known as a /24 block of IP addresses of AS16509, one of at least three ASNs managed by Amazon. The hijacked block included 44.235.216.69, an IP address that hosts cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.
On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, as they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. Possessing the certificate, the hijackers then host their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page.
In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this article from Coinbase’s threat intelligence team.
Coinbase TI Analysis
Coinbase team members explained:
The phishing contract is very similar to the official Celer Bridge contract in mimicking many of its characteristics. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique for each chain and is configured upon initialization. The command below illustrates the contents of the storage slot responsible for the proxy configuration of the phishing contract:
enlarge / Phishing smart contract proxy storage
Coinbase TI Analysis
The phishing contract steals users’ money in two ways:
All tokens approved by phishing victims are flushed using a custom method with a value of 4 bytes 0x9c307de6()
The phishing contract takes precedence over the following methods designed to immediately steal a victim’s tokens:
send() – used to steal tokens (e.g. USDC)
sendNative() — used to steal native assets (e.g. ETH)
addLiquidity() – used to steal tokens (eg USDC)
addNativeLiquidity() — used to steal native assets (e.g. ETH)
Below is an example of a reverse engineered snippet that redirects assets to the attacker’s wallet:
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
