Concentric Security Breach Post-Mortem Report
Overview of the Incident
Concentric experienced a significant security breach stemming from a social engineering attack. This incident severely compromised our operational integrity and led to a considerable financial loss, deeply affecting our community's trust and the overall stability of our protocol.
Initial Breach and Attack Methodology
The breach originated with a targeted social engineering attack against a team member who had access to the deployer wallet. The attacker, posing as a recruiter on a professional networking platform, gained the team member's trust and persuaded them to install malware under the guise of a routine skill assessment. The malware compromised the team member's computer and, critically, the private keys of the deployer wallet.
Exploitation and Impact
Having obtained access to the deployer wallet, the attacker executed a series of calculated actions:
Transfer of Contract Ownership: The attacker shifted ownership of the ConeCamelotFactory, a vital contract in our ecosystem, from its original address to a new, attacker-controlled address. Transaction: https://arbiscan.io/tx/0xd9036566a2614045219e9bead34e490fc24c9d6ca695d5348b694c3280558e3b
Upgrading the Vaults: Using this newly acquired control, the attacker upgraded the existing vaults' implementation to a new contract. This new contract contained an admin mint function. Transaction: https://arbiscan.io/tx/0xb2fa31c9bc7d5e41955cb81224545588c1a0746b8564f14a2e143dc56364020a
Minting and Draining: The admin mint function was then used to mint new LP tokens illegitimately, which allowed the attacker to drain the assets from the vaults. New owner: https://arbiscan.io/address/0x105f52fcc329cef4cbe25bc946f8a3738414e4a1
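The three-step sequence above (ownership transfer, proxy upgrade, then mint) leaves a clear on-chain trail before any funds move. The following is an added monitoring example, not Concentric's code: it scans decoded admin events and escalates an unreviewed upgrade that follows an ownership transfer to a non-allowlisted address. The allowlists, contract addresses and sample events are constructed placeholders; only the new-owner address is taken from this report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminEvent:
    block: int
    contract: str   # emitting factory/proxy address (lowercase hex)
    name: str       # "OwnershipTransferred" or "Upgraded"
    args: dict      # decoded event arguments

# Constructed allowlists; a real monitor loads these from reviewed config.
TRUSTED_OWNERS = {"0x" + "a1" * 20}   # hypothetical team multisig
APPROVED_IMPLS = {"0x" + "b2" * 20}   # hypothetical audited vault implementation
UPGRADE_WINDOW = 50                    # blocks between owner change and upgrade

def scan_admin_events(events, trusted_owners=TRUSTED_OWNERS,
                      approved_impls=APPROVED_IMPLS, window=UPGRADE_WINDOW):
    """Return (severity, message) alerts, oldest first."""
    alerts = []
    last_untrusted_owner_block = None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "OwnershipTransferred":
            new_owner = ev.args["newOwner"].lower()
            if new_owner not in trusted_owners:
                alerts.append(("HIGH", f"block {ev.block}: {ev.contract} "
                               f"owner -> {new_owner} (not allowlisted)"))
                last_untrusted_owner_block = ev.block
        elif ev.name == "Upgraded":
            impl = ev.args["implementation"].lower()
            if impl not in approved_impls:
                sev = "HIGH"
                msg = f"block {ev.block}: {ev.contract} upgraded to unreviewed impl {impl}"
                # Owner change followed by an unreviewed upgrade is the pattern in this report.
                if (last_untrusted_owner_block is not None
                        and ev.block - last_untrusted_owner_block <= window):
                    sev = "CRITICAL"
                    msg += " shortly after ownership change"
                alerts.append((sev, msg))
    return alerts

# Constructed sample mirroring the sequence in this report; addresses other
# than the new owner are placeholders.
NEW_OWNER = "0x105f52fcc329cef4cbe25bc946f8a3738414e4a1"  # from the report
SAMPLE_EVENTS = [
    AdminEvent(100, "0x" + "f1" * 20, "OwnershipTransferred",
               {"previousOwner": "0x" + "a1" * 20, "newOwner": NEW_OWNER}),
    AdminEvent(103, "0x" + "e1" * 20, "Upgraded",
               {"implementation": "0x" + "c3" * 20}),
]

if __name__ == "__main__":
    for sev, msg in scan_admin_events(SAMPLE_EVENTS):
        print(sev, msg)
```

Feeding the monitor from an Arbitrum log subscription would turn the first alert into a signal minutes before the mint transaction.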
Financial Loss and Transaction Details
The attacker drained a total of 715.7 ETH worth of assets, approximately $1.7 million, from our vaults. The initial drainage occurred through this address: https://arbiscan.io/address/0x105f52fcc329cef4cbe25bc946f8a3738414e4a1
Subsequently, the funds were distributed among three different wallets:
https://arbiscan.io/address/0x1f14e38666cdd8e8975f9acc09e24e9a28fbc42d (Tagged OKX Exploiter 2)
Efforts for Fund Recovery and Security Enhancement
In light of the recent breach, our team at Concentric is fully committed to recovering the stolen funds. Recognizing the complexity and sophistication of this attack, we have sought the expertise and counsel of several top-tier security experts, who are assisting us in tracing the stolen assets and exploring all possible avenues for their recovery. In addition, we are using blockchain analytics to track the movement of the stolen funds and have contacted major exchanges, including Binance and OKX, to flag the exploiters' addresses.
We're working with the relevant authorities, and we're announcing a 100k reward pool for any information that leads to the recovery of the funds. If you have any information or any lead that could help in this situation, please reach out. Your insight could be the key to recovering the funds and safeguarding others in our community. We assure you that your help will be valued and your privacy respected.