The largest decentralized exchange on Cronos, MM.Finance, has suffered a front-end exploit that allowed hackers to siphon out more than $2 million in CRO tokens from users.
- The attack occurred due to a Domain Name System (DNS) vulnerability, with the perpetrator proceeding to insert a malicious contract address that would divert funds to their own private wallet.
- The stolen funds were sent to Tornado Cash, a privacy protocol on Ethereum, before moving to OKX, according to a series of tweets from MM.Finance.
- MM.Finance has given the attacker 48 hours to return 90% of the stolen funds, stating that it will contact the FBI if the deadline isn't met.
- "We have collated the addresses that have lost funds during the attack earlier via the data onchain. Over $2,000,000 will be compensated and reimbursed," the company wrote in a tweet on Thursday morning.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.