
Crypto Whale Sinks: $55.47M Phished Away from MakerDAO Vault

Summary and Highlights

On August 20th, 2024, a sophisticated phishing attack resulted in the theft of 55.47M DAI from a crypto whale’s wallet. The attack stemmed from an accidental signing of a malicious transaction, leading to the unauthorized transfer of control over the whale’s Maker Vault. The attacker altered the ownership of the DSProxy contract, redirecting the funds to their own wallet. Despite the whale’s attempts to recover the assets, the ownership had already been transferred, and the funds were quickly moved and swapped for 10,625 ETH.

Relevant Addresses and Transactions:

  • Victim Address: 0xf2B889437F243396b29E829908b5d8ebE2e13048

  • Phishing Address: 0x0000db5c8B030ae20308ac975898E09741e70000

  • Attacker's Withdrawal Address: 0x5D4b2A02c59197eB2cAe95A6Df9fE27af60459d4

  • DSProxy Contract: 0x2129F8a9b6C3092a600Da82Ce859B7A9a69983E4

  • Tx Hash: 0xf70042bf3ae7c22f0680f8afa078c38989ed475dfbe5c8d8f30a50d4d2f45dc4

How did this Phishing Attack happen?

The phishing attack exploited a minor oversight by the victim: signing an unknown transaction. This oversight granted the attacker the ability to change the ownership of the victim's DSProxy contract. The attacker then redirected control to another address, which was used to funnel the 55.47M DAI and subsequently swap the stolen DAI for ETH using Cowswap.

Decoding Transactions

On delving deeper and decoding the transactions with Blockscope's Transaction Decoder, we observed how the ownership of the DSProxy contract changed and then how the attacker drained all the funds.

Change of Ownership

1. Changing the Ownership - 1:40 PM EST on 20th August, 2024

At 1:40 PM EST on 20th August, 2024, the attacker executed transaction "0xb721c8d603d5cbac826d804b04fb4662952afe91af15cf2aa603d002d3410b87", successfully transferring ownership of the victim’s DSProxy contract to a phishing address. This ownership change was a critical step in taking control of the victim's assets.

Ownership transfer from Victim to Phishing Wallet

Later, at 5:34 PM EST, the victim attempted to execute a transaction on the DSProxy contract, but it failed since the ownership had already been transferred. This is confirmed by transaction "0x8ca26c07a33da122a145bbb28343f2b02fa02b3b4d4cba2cd82607207fa5dce6".

Transaction failed after change of Ownership

At 7:05 PM EST, the attacker further solidified control by changing the contract ownership once more, this time directing it to their designated withdrawal address. This set the stage for the eventual theft of the funds. Transaction "0x28054acca764c58157e1e5779e5e6d1c9c858a7508b189655d370a82e2a0e07b" reflects this final ownership change.

Ownership changed to Attacker's Withdrawal Address

2. Draining Funds - 7:33 PM EST on August 20, 2024

Blockscope’s Transaction Decoder flagged the critical transaction "0xf70042bf3ae7c22f0680f8afa078c38989ed475dfbe5c8d8f30a50d4d2f45dc4", which occurred at 7:33 PM EST, just 28 minutes after the final ownership change. This transaction allowed the attacker’s address to execute the DSProxy contract and transfer 55.47 million DAI.

Transfer from Burn to Attacker's Address

The flow of this key transaction, which led to the minting and withdrawal of 55.47M DAI, is detailed below.

Flowchart for Key Transaction

The rapid sequence of events ensured that the attacker gained full access to the victim’s funds, allowing them to seamlessly mint and withdraw the DAI.
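The root cause above is a signed transaction that called the DSProxy's setOwner(address) with an address the victim did not control. The following is an added example (not Blockscope's code or any wallet's) of a pre-signature check that decodes such calldata and flags an ownership transfer to an address outside an allowlist; it assumes the ds-auth/ds-proxy function selectors for setOwner(address) and execute(address,bytes), and the sample calldata is constructed here to mirror the ownership change, not taken from the actual transaction.

```python
"""Pre-signature check for DSProxy ownership transfers (added example)."""

# 4-byte selectors: first 4 bytes of keccak256 of the function signature.
SET_OWNER_SELECTOR = "13af4035"   # DSAuth.setOwner(address)
EXECUTE_SELECTOR = "1cff79cd"     # DSProxy.execute(address,bytes)

# Addresses from the report, lower-cased for comparison.
DSPROXY = "0x2129F8a9b6C3092a600Da82Ce859B7A9a69983E4".lower()
VICTIM = "0xf2B889437F243396b29E829908b5d8ebE2e13048".lower()
PHISHING = "0x0000db5c8B030ae20308ac975898E09741e70000".lower()


def decode_set_owner(calldata: str):
    """Return the new owner if calldata is a well-formed setOwner(address) call, else None."""
    data = calldata.lower().removeprefix("0x")
    # selector (4 bytes) + one 32-byte ABI word = 36 bytes = 72 hex chars
    if len(data) != 72 or data[:8] != SET_OWNER_SELECTOR:
        return None
    word = data[8:]
    # An address is 20 bytes, so the upper 12 bytes of the word must be zero padding.
    if word[:24] != "0" * 24:
        return None
    return "0x" + word[24:]


def assess_transaction(tx: dict, my_proxy: str, allowed_owners: set) -> str:
    """Classify a transaction about to be signed as 'ok', 'warn' or 'block'."""
    to = tx.get("to", "").lower()
    data = tx.get("data", "0x").lower().removeprefix("0x")
    if to != my_proxy.lower():
        return "ok"            # does not touch the user's DSProxy
    new_owner = decode_set_owner(data)
    if new_owner is not None:
        if new_owner in {a.lower() for a in allowed_owners}:
            return "ok"
        return "block"         # ownership handed to an address outside the allowlist
    if data[:8] == EXECUTE_SELECTOR:
        return "warn"          # delegatecall through the proxy: review the target and payload
    return "warn"              # any other call into the proxy deserves a look


# Constructed calldata: setOwner(PHISHING), ABI-encoded as selector + left-padded address.
SAMPLE_PHISH_TX = {
    "to": DSPROXY,
    "data": "0x" + SET_OWNER_SELECTOR + PHISHING[2:].rjust(64, "0"),
}

if __name__ == "__main__":
    print(assess_transaction(SAMPLE_PHISH_TX, DSPROXY, {VICTIM}))  # block
```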

Tracing Stolen Funds

Our team meticulously visualized the flow of funds using Blockscope's Tracer. The DAI from the Maker Vault was funneled into the attacker’s wallet, followed by a conversion through Cow Swap.

Part 1: Funds Movement to Cowswap

The stolen DAI was converted to ETH through Cow Swap. The funds were initially channeled into the attacker’s wallet and then dispersed across multiple addresses.

Pre-Cow Swap Tracer

Part 2: Post Cowswap

After the DAI was converted to ETH on Cow Swap, the attacker distributed the funds across several addresses.

Post-Cowswap Tracer

Interestingly, one address labeled "Post Cow Swap Attacker Address" (0x1489d90a4f2bed2e1f9503d416ab0aae13410b39) is still holding ETH worth $15,946,133.06 USD. Additional addresses holding significant amounts of ETH are listed below in later sections.

Post-Cowswap Address Holdings

Associated Addresses in the Attack

A comprehensive list of associated addresses and their connections has been identified using Blockscope's Cohort Analyzer. This helps visualize the network of addresses involved in the attack and to determine the possible association between various addresses.

List of Associated Addresses

The table below demonstrates all the major addresses we found and labelled during the investigation of this Phishing Attack.

Identity | Detail | Address
--- | --- | ---
Whale's Wallet (Victim) | Original owner of the Maker Vault | 0xf2b889437f243396b29e829908b5d8ebe2e13048
Attacker Phishing Address | Phishing account that changed ownership of Maker Vault | 0x0000db5c8B030ae20308ac975898E09741e70000
Attacker Withdrawal Address | Account used to withdraw minted 55.47M DAI | 0x5D4b2A02c59197eB2cAe95A6Df9fE27af60459d4
DSProxy Contract | Proxy contract used to interact with Maker Vault | 0x2129F8a9b6C3092a600Da82Ce859B7A9a69983E4
Post Cowswap ETH holder | Attacker address still holding ETH worth $16.23M | 0x1489d90a4f2bed2e1f9503d416ab0aae13410b39
Attacker Address 2 | Used for tunneling and off boarding funds using Cowswap | 0xdd6397104d57533e507bd571ac88c4b24852bce9
Attacker Address 3 | Used for tunneling and off boarding funds using Cowswap | 0xfb65a68d4583b6d3a61ccd90655c0b7b4677e9a6
Attacker Address 4 | Used for tunneling and off boarding funds using Cowswap | 0xc2cc41c4f0f9aa38cb1fa71c39da2121adfa5909
Attacker Address 5 | Used for tunneling and off boarding funds using Cowswap & 1Inch Aggregator | 0x8cc568f3565a7ed44b3b0af8765a7ef67b8bc2dc
Attacker Address 6 | Used for tunneling funds | 0x860cf33bdc076f42edbc66c6fec30aa9ee99f073
Attacker Address 7 | Used for tunneling and off boarding funds using Cowswap | 0x82c32f58ef59c84e74d0550f051cc86c6c5142f5
Attacker Address 8 | Used for tunneling and off boarding funds using Cowswap | 0xc9375fbfc0855b50316e68982001d5b7d0e9d028
Attacker Address 9 | Used for tunneling and still holding 2M DAI | 0x77b9f7e33e42b1f64b915bb27e9a9bca199da83e
Attacker Address 10 | Account holding $726k worth of ETH | 0xaa862f977d6916a1e89e856fc11fd99a2f2fabf8
Attacker Address 11 | Account used for tunneling | 0xba258b2b0afdbff8a6b4171f2da3ef1ae8071843
Attacker Address 12 | Account holding $813k worth of ETH | 0xbeda662dc22c972498a18cbddfb22b8ff9fde97c
Attacker Address 13 | Account holding 165k DAI | 0x42ee0f9adc79cbbffa626efa64d653808143e7ec
Attacker Address 14 | Account holding 165k DAI | 0xbcd0303e156942a04fa837cab52eb6bfd0b3ae3e

Monitoring and Future Actions

Blockscope’s Watchtowers are actively monitoring the identified attacker addresses mentioned above. Our team is also tracking the Post-Cow Swap Attacker Address and all the other holders, ensuring any further movement is detected in real-time.

Notable Observations

  • 1Inch Aggregation: Router V5 was also utilized alongside Cow Swap to obfuscate the funds.

  • Communications between the attacker, the victim, and a potentially related address indicate the possible involvement of a bounty hunter. This intermediary may be attempting to mediate or recover the stolen funds.

Possible Victim's Message
Possible Bounty Hunter

Conclusion

This incident underscores the severe risks associated with phishing attacks in the cryptocurrency space, particularly involving high-value assets. The attack exploited a minor security lapse—signing an unknown transaction—highlighting the critical need for vigilance and stringent security measures in managing crypto assets.

Investigation by: Tushar Tiwari, Analyst @ Blockscope

For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

  • The data used in this investigation may contain inaccuracies, omissions, or errors.

  • Information sources may be incomplete or subject to change.

  • New evidence may emerge that could alter the conclusions.

  • Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.
