Discord9 months ago

XNET Wallet Compromise and Security Recommendations

Summary
  • Unknown actors compromised two MetaMask hot wallets associated with the XNET project, resulting in the theft of 200,000 $XNET tokens.
  • The incident suggests a private-key extraction exploit and raises concerns about the security of the MetaMask browser extension.

@everyone - followup to original wallet attack post:

Around 9 AM Pacific Time, unknown actors compromised two MetaMask hot wallets containing approximately 200,000 $XNET and dumped the coins on the Quickswap and IoTeX DEXs. These were personal wallets, not XNET project wallets. When we were made aware of the incident in progress, we posted on our discord to alert the community in case this represented a larger attack. However, as of 3 PM Pacific no other XNET-holding wallets have shown unusual activity, and we believe the incident was confined to the two wallets.

This appears to be a private-key extraction exploit, since a range of transactions across Polygon and Ethereum were initiated, and thousands of dollars of a variety of crypto was stolen. The two wallets were not controlled by the same individual, but had exchanged tokens in the past. We don’t yet know if the attacker was targeting XNET, but given the connection between wallets it could just as easily have been the coincidence of sharing a common vulnerability.

Having interviewed the wallet owners we’ve been unable to determine an obvious security lapse. We’ve reported the particulars to MetaMask, and they are reviewing the incident. At this time, we can’t rule out the possibility that there is an unreported vulnerability in the MetaMask browser extension.

Now would be a good time to review your crypto custody practices — we urge you to store large amounts of crypto in a hardware wallet, or ideally a mutisig with offline hardware wallet, which is what we use for XNET project pools. If there are any new developments, we will let you know. Be safe out there.

📣 Related news

Loading news...

💼 DePIN Hub Newsletter

We bring you real world use cases of web3 through DePIN. And btw, you can generate passive income along the way!