The provider of Proof-of-Stake (PoS) blockchain nodes Ankr was the victim of a hack this Friday, July 1st. The RPC (“Remote Procedure Call”) gateways provided by the company to access the Polygon and Fantom networks were hijacked in order to extract funds from its customers. Let’s take a look at the hack.
Ankr users encouraged to reveal their seed phrases
On Friday, July 1, the Proof-of-Stake (PoS) blockchain node provider Ankr was the target of a hack. The hacker(s) managed to compromise the RPCs for the Polygon (MATIC) and Fantom (FTM) networks.
In practice, users attempting to access the Polygon (MATIC) and Fantom (FTM) blockchains via the RPC gateways provided by Ankr were presented with an error message encouraging them to disclose their “seed phrase” (also known as the secret phrase or recovery phrase). Once in possession of this phrase, which encodes the victim’s private keys, the hacker(s) could access their wallets and steal their funds.
Attention please, attack on @0xPolygon is ongoing right now!
Users see an RPC error asking users to urgently reset their seed on polygonapp net (looks like this is whether DNS hijack or a form of a supply chain attack).
Just a scam popup to bring you to a page to put your seed. pic.twitter.com/fZxtlkKeDN
– CIA Officer (@officer_cia) July 1, 2022
Hijacking of domain name behind hack
According to Chandler Song (co-founder of Ankr) and Mudit Gupta (Polygon’s head of IT security), the source of the hack is believed to be Gandi, Ankr’s domain name provider (DNS), which transferred control of the Ankr account to the hacker. It is not yet known how this was done, but the attacker may have had the help of an accomplice at Gandi.
Gandi (customer agent compromise?) transferred control of Ankr’s account to the attacker and that was the root cause of the DNS Hijack.
Ankr acted swiftly and has regained access to the account. https://t.co/UgLPD63rYK
– Mudit Gupta (@Mudit__Gupta) July 1, 2022
It is thus through a domain name hijacking that the hacker is believed to have redirected users to a fraudulent address, affecting Ankr’s RPCs for the Polygon (MATIC) and Fantom (FTM) blockchains, so that users of the platform landed on the error message asking them for their seed phrases.
Use other RPCs to access Polygon (MATIC) and Fantom (FTM)
Simply put, RPCs allow users to connect their wallets to a blockchain. For example, when you connect a new blockchain to a wallet like Metamask, you do so via an RPC. To better understand this, we invite you to read our tutorial on how to connect the Avalanche blockchain (AVAX) to Metamask.
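Because a wallet trusts whatever its configured RPC URL answers, a hijacked hostname can return anything, including a fake “error” that tells the user to enter a seed phrase. The following added example (not Ankr’s, Polygon’s or any wallet’s code) shows the sanity checks a client or a monitoring job can apply to an RPC reply: it must be well-formed JSON-RPC, a genuine node error never asks for secrets or links the user anywhere, and `eth_chainId` must match the chain the user expects (137 for Polygon, 250 for Fantom). The sample replies at the bottom are constructed for the example, not captured from the incident.

```python
"""Sanity-check a JSON-RPC reply before a wallet or monitor trusts it.

Added example, not code from the article or the companies it names.
"""
import json
import re
import urllib.request

# Chain IDs as returned by eth_chainId for the networks named in the article.
EXPECTED_CHAIN_ID = {"polygon": 137, "fantom": 250}

# Words a genuine node error never contains: a node has no reason to ask for
# a seed phrase or to send the user to a web page.
SUSPICIOUS = re.compile(r"seed|recovery phrase|secret phrase|private key|mnemonic|https?://", re.I)


def classify_rpc_response(body: str, request_id: int, expected_chain_id: int) -> str:
    """Classify the raw body of an eth_chainId reply.

    Returns 'ok', 'wrong-chain', 'rpc-error', 'suspicious-error' or 'not-jsonrpc'.
    """
    try:
        msg = json.loads(body)
    except ValueError:
        return "not-jsonrpc"  # e.g. an HTML page served by a hijacked host
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        return "not-jsonrpc"
    if "error" in msg:
        # Inspect both message and data fields of the error object.
        if SUSPICIOUS.search(json.dumps(msg["error"])):
            return "suspicious-error"
        return "rpc-error"  # ordinary node error, safe to show the user
    try:
        chain_id = int(msg["result"], 16)
    except (KeyError, TypeError, ValueError):
        return "not-jsonrpc"
    return "ok" if chain_id == expected_chain_id else "wrong-chain"


def check_endpoint(url: str, expected_chain_id: int, timeout: float = 5.0) -> str:
    """Live check (needs network): POST eth_chainId to `url` and classify the reply."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_chainId", "params": []}).encode()
    req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_rpc_response(resp.read().decode(), 1, expected_chain_id)


# Constructed sample replies (not captured from the incident).
GOOD_POLYGON = '{"jsonrpc":"2.0","id":1,"result":"0x89"}'
PHISHING_ERROR = '{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"Please reset your seed at https://example.invalid/reset"}}'
HTML_PAGE = '<html><body>Enter your 12-word recovery phrase</body></html>'
WRONG_CHAIN = '{"jsonrpc":"2.0","id":1,"result":"0xfa"}'
```

Run `check_endpoint(url, EXPECTED_CHAIN_ID["polygon"])` periodically against each RPC URL you hand to users; anything other than `ok` or `rpc-error` is worth an alert.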
As Wil, blockchain expert and fundamental analysis specialist for our private group the Grille-Pain, points out:
“There are a multitude of RPCs to connect to each blockchain. Only the RPCs provided by Ankr to access the Polygon and Fantom blockchains have been compromised.”
While waiting for this matter to be clarified, Ankr has sent its users new RPCs to access Polygon (MATIC) and Fantom (FTM) via a tweet posted this afternoon.
We are investigating some reported issues on our community @0xPolygon and @FantomFDN RPCs.
‼️For the time being, please use https://t.co/LcnNn1OIWH and https://t.co/LrPIztRL1y
– Ankr (@ankr) July 1, 2022
In the early evening, the company tweeted again to say that the RPCs of the Polygon (MATIC) and Fantom (FTM) networks had been fully restored, adding that all their services were working properly. Ankr took the opportunity to confirm that it had indeed been the victim of a domain name service (DNS) attack.
This happened because a third-party we use for DNS gained access to a way to modify some settings on our accounts.
DNS is unfortunately not decentralized. Moreover ‼️ The RPCs from https://t.co/Q8fL5Y3bS2 have never been affected.
– Ankr (@ankr) July 1, 2022
If you prefer, it is also possible to connect securely to both blockchains using RPCs provided by other companies, such as Chainlist.
Polygon was also keen to stress that the hack did not affect the Proof-of-Stake blockchain, the second-layer solution used by the general public.
The Polygon PoS chain is running smoothly. Here are some updates.
[1/2]
– Polygon – MATIC (@0xPolygon) July 1, 2022
This DNS attack is reminiscent of the one that hit Convex and other DeFi protocols a few days ago. In any case, it is a good reminder for all cryptocurrency users: never share your seed phrase on the internet, especially if someone asks you for it.