A joint report by X-explore and WuBlockchain has revealed that the recent API bot attack on FTX and 3Commas had further reaching implications than first believed.
The attack on FTX, which happened Oct. 21, utilized 3Commas technology and a phishing scam to take control of several users’ API keys.
API Key Phishing scam exploits
Once the keys were obtained, it was then possible for the attacker to exploit specific trading pairs to steal funds. FTX issued a statement offering to refund the affected users as a “one-time thing,” according to CEO Sam Bankman-Fried. However, according to a report, the exploit has been discovered to have been put into practice on both the Binance US and Bittrex exchanges.
“X-explore found that the attackers in the FTX&3commas API theft also attacked Binance US and Bittrex exchanges, stealing 1053ETH and 301ETH respectively. At present, the attack on Bittrex is still in progress.“
How the exploit works in practice
The exploit in question used low-volume trading pairs to counter-trade against the compromised account from which the API key was stolen.
A stolen API key will often not let a user withdraw funds from the account but will allow an attack to trade on their behalf. In rare situations whereby a user has left the API permissions entirely open, an attacker may be able to withdraw funds. However, should this have been the case, the responsibility would likely lie simply on the user who set up their API key without basic security measures.
Regarding this ongoing exploit, the attacker has not withdrawn funds directly but instead used a low-volume trading pair to siphon money into their account using a sales book with few orders. Where an order book has few entries, it is possible to manipulate the price for the attack to acquire tokens at a rate below market value before exchanging them for another cryptocurrency.
The attacker will lose funds to fees and other legitimate traders, but as they are trading with someone else’s crypto, this is likely not a significant concern.
Additionally affected exchanges
The report by X-explore and WuBlockchain stated that 1053ETH was stolen from Binance US between October 13 and October 17. The report also noted that the attacker likely used the SYS-USD trading pair, which has an average trading volume of just $2 million.
A similar attack occurred on Bittrex, where a total of 301ETH was stolen between October 23 and October 24. The report argued that the likely target was the NXT-BTC trading pair which unusually has the second-largest spot trading volume on Bittrex. In the days before the exploit, the NXT-BTC volume was much lower and thus was deemed suspicious.
X-explore comments on the events
In the report’s summary, X-explore stated that the analysis revealed a “new way of theft” within the crypto space. It highlighted three key areas that should be reviewed to reduce the likelihood of a similar exploit in the future. Basic security, spot token security, and transaction security were singled out as areas to be addressed.
Regarding basic security, X-explore claimed that exchanges must “design more secure product logic to ensure that phishing attacks do not damage users.” However, given that the users seemingly had at least the base level of security on their API keys (no funds were reported to have been directly withdrawn), it is hard to establish what else could be done here.
In order for API keys to work as intended on systems such as 3commas, there cannot be an additional human intervention for each trade. 3commas allows users to take advantage of automatic trading strategies with a high frequency, which, once set up, run automatically based on a set of defined criteria. Therefore, the solution to improving security will be a challenging one for exchanges on this front.
However, fighting and dealing with phishing attacks as an attack vector in its own right is something that exchanges can review. Some deploy secret codes that a user can check for to ensure that the message is genuine. Unless an exchange account is also hijacked, users can ignore and report emails that do not contain their secret code.
The low volume of some spot trading pairs is surely a vulnerability that may need to be addressed, as X-explore reasoned that the current bear market had opened this attack vector.
“In order to provide users with more trading options, the top exchanges have launched a large number of tokens. After the market popularity of some tokens passed, the trading volume dropped sharply, but the exchanges did not delist them.”
The last point from X-explore in the report is related to transaction security. X-explore highlighted that the exploited trading pair on FTX saw “transaction volume increases by a thousand times.” it gave no recommendations as to a potential action to be taken when abnormally high volumes are recorded, however.