Cyber Incident Victim: MM.Finance
Date: May 2022
Location: United States of America
Summary
A decentralized finance platform suffered a DNS attack in which the attackers exploited a vulnerability to inject a malicious router contract address into its frontend code, so that token approvals and transfers made during swaps or liquidity adjustments went to the attacker instead of the legitimate router. Over $2 million in cryptocurrency was stolen and laundered through a privacy mixing service. Affected users lost funds when removing liquidity, as their LP tokens were diverted to the attacker's address. The platform established a compensation pool funded by waived team trading fees, initiated a third-party review of its DNS configuration, and reduced reliance on certain service providers to shrink its attack surface. It also publicly urged the attacker to return 90% of the stolen funds within 48 hours, threatening FBI involvement while acknowledging the exploit's sophistication.
Description
On May 4, 2022, MM.Finance, a decentralized finance platform operating on the Cronos blockchain, suffered a Domain Name System (DNS) attack resulting in the theft of over $2 million in cryptocurrency. According to the platform's post-mortem, the attackers exploited a DNS vulnerability to alter the frontend served to users, injecting a malicious router contract address into the hosted files in place of the legitimate one. Because the frontend builds every transaction around that router address, users who performed routine operations such as token swaps or liquidity pool adjustments while the tampered frontend was live signed approvals and transfers against the attacker's contract rather than MM.Finance's router. Users removing liquidity were hit hardest: their liquidity provider (LP) tokens were transferred to the attacker's control. The malicious contract drained funds without any compromise of MM.Finance's core smart contracts, which means the attack targeted the platform's web frontend and the infrastructure that serves it rather than the on-chain protocol itself. The practical lesson is that the on-chain contracts are only as trustworthy as the address the user actually signs against, and that address comes from the frontend.

MM.Finance confirmed the theft in a post-mortem analysis, disclosing that stolen funds were laundered through Tornado Cash, a cryptocurrency mixing service designed to obscure transaction trails. The platform initiated a compensation plan funded by redirecting all team trading fees to reimburse affected users, establishing a 45-day claims window for losses. To prevent future incidents, MM.Finance committed to auditing its DNS configurations with a third-party security firm and removing two unspecified service providers from its deployment stack to minimize attack vectors. Concurrently, the team publicly traced the stolen assets to the OKX exchange, issuing a 48-hour ultimatum for the attacker to return 90% of the funds in exchange for no legal action, while warning of FBI involvement. OKX’s CEO acknowledged an investigation into the matter but did not confirm the recovery of funds. The incident underscored operational risks associated with DNS dependencies in decentralized finance interfaces, directly impacting user trust and platform liquidity.
