Review of the whole process: 3Commas API KEY 'leak', FTX user funds stolen by contra trades
On October 21, a Chinese user broke the news to WuBlockchain: on the night of the 19th his FTX account suddenly went "crazy" with more than 5,000 transactions, and his account assets of $1.6 million, including more than 10 BTC, hundreds of ETH and thousands of FTT, were drained to almost zero, all stolen through contra trades on the DMG pair. The user had started using the 3Commas quantitative trading bot a year earlier; since the FTX API key never needed updating, he had never moved or saved the key anywhere since.
FTX's feedback was that someone had accessed the account through the REST API using the API KEY, which suggests the user's API KEY may have been leaked. FTX said it needed a case notice before it could cooperate with freezing and related work, but gave no response after the user submitted the report receipt. 3Commas said there was no leak.
Victim 1:
It is worth noting that FTX customer service initially replied that "you are not the only one affected", but then stopped responding and said it had been a misunderstanding.
The question then turned to 3Commas, which responded promptly after WuBlockchain published the report: "At the moment, 3Commas considers this matter a top priority. We use 2FA and OTP etc. with the highest security when logging in to ensure that user accounts are always secure. We are in contact with our users to ensure that they receive all the support they need."
Subsequently, 3Commas made an announcement:
On the 20th of October, the 3Commas team was alerted to an incident in which a number of partner exchange API keys connected to 3Commas were used to perform unauthorized trades for DMG cryptocurrency trading pairs on partner exchange accounts.
During a collaborative investigation conducted by 3Commas and our partner exchanges, a number of API keys were found to be linked to new 3Commas accounts that were created and used for the first time to perform unauthorized trades for the DMG trading pairs on the partner exchange. The API keys were not taken from 3Commas but from outside of the 3Commas platform.
Our team widened the investigation and found several fake 3Commas websites that were used to "phish" 3Commas users by replicating the design of the 3Commas web interface and captured API keys from 3Commas users that had accidentally used the fake website to try and connect their exchange accounts.
The API keys were then stored by the fake website and later used to place the unauthorized trades on the DMG trading pairs on the partner exchange.
If you have an exchange account connected to 3Commas and it is saying the API is "invalid" or "requires updating", then it is possible your API details were compromised and the API key has been deleted by the partner exchange. We urge you to create new API keys on that exchange and update your linked exchange accounts in 3Commas using the guide below to ensure any trades or deals you have active will be unaffected.
Learn more: https://3commas.io/blog/3commas-security-update-october-20
After the announcement, however, more victims began to appear.
One victim from Paraguay told WuBlockchain that he lost nearly 104 bitcoins in the attack, stressing: "FTX had known about the vulnerability since October 19, two days after I was attacked! 3Commas said it was a phishing attack, but I never used my 3Commas account to set up the bot, and the account had even expired and been downgraded to a free account. I have not had access to the account for over a year and I have never saved keys or API keys to any document, but only used it to set up an FTX connection over a year ago. I am also an IT engineer and my laptop and smartphone are protected by Norton 360 and other mechanisms that actively prevent any phishing or virus attacks."
Another victim, a quantitative trader from China, also reported never having used 3Commas. In his screenshots, the coin thefts on the 19th, 20th, and 21st all occurred through contra trades on the DMG pair, yet surprisingly FTX took no precautions against this.
As public opinion festered, SBF finally responded on October 24, saying FTX would pay $6 million in compensation, but that "this is a one-time event and we will not make a habit of compensating for phishing by counterfeit versions of other companies." The attackers in the FTX contra trade incident have transferred their profits to Binance and FixedFloat. SBF said FTX would absolve the attackers of any legal liability if they returned 95% of the stolen funds within 24 hours.
So far, both FTX and 3Commas have insisted that the API KEYs were compromised because users visited a fake phishing site, which the victims certainly do not accept. But at the heart of the matter is the fact that API KEYs were leaked and then used, in the same pattern, for contra trades on FTX. Since the data is in the hands of 3Commas and FTX and the information disclosed is very sparse, the outside world may never fully understand the truth. All in all, we need to be more careful about the authorization and management of API KEYs.
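The pattern described above, thousands of trades in one night from a single API key, almost all on one thin trading pair, is exactly the kind of activity an exchange or bot platform can detect from its own trade logs. The following is an added example written for this article, not code from WuBlockchain, FTX or 3Commas: it runs over a constructed trade log (the line format, key ids, markets and thresholds are all assumptions) and flags any API key whose trades in a one-hour window exceed a count threshold while being concentrated on a single market. A key trading at high frequency across many markets is deliberately left unflagged to show why the concentration check matters.

```python
"""Flag API-key trade bursts concentrated on a single market.

Added example, not code from WuBlockchain, FTX or 3Commas.
Constructed log format (assumption), one trade per line:
    "<ISO-8601 timestamp> <api_key_id> <market> <side> <size>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_TRADES_PER_HOUR = 200   # assumed threshold; tune per key baseline
CONCENTRATION = 0.9         # assumed: share of window trades on one market


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, key, market, side, size = line.split()
    return datetime.fromisoformat(ts), key, market, side, float(size)


def find_bursts(lines, max_trades=MAX_TRADES_PER_HOUR,
                concentration=CONCENTRATION):
    """Return one alert per key: (key, window_start, count, market, share).

    A key is flagged the first time a sliding one-hour window holds more
    than `max_trades` trades and at least `concentration` of them are on
    a single market (the contra-trade pattern: one thin pair hammered).
    """
    by_key = defaultdict(list)
    for line in lines:
        ts, key, market, _side, _size = parse_line(line)
        by_key[key].append((ts, market))

    alerts = []
    window = timedelta(hours=1)
    for key, trades in by_key.items():
        trades.sort()
        start = 0
        for end in range(len(trades)):
            # advance the window start so that it spans at most one hour
            while trades[end][0] - trades[start][0] > window:
                start += 1
            count = end - start + 1
            if count <= max_trades:
                continue
            markets = Counter(m for _, m in trades[start:end + 1])
            market, n = markets.most_common(1)[0]
            share = n / count
            if share >= concentration:
                alerts.append((key, trades[start][0], count, market, share))
                break  # one alert per key is enough to raise the case
    return alerts


def build_sample_log():
    """Constructed sample: one normal key, one drained key, one spread bot."""
    base = datetime(2022, 10, 19, 22, 0, 0)
    lines = []
    # key-A: ordinary bot, 20 trades over an hour across two markets
    for i in range(20):
        ts = base + timedelta(minutes=3 * i)
        market = "BTC/USD" if i % 2 == 0 else "ETH/USD"
        lines.append(f"{ts.isoformat()} key-A {market} buy 0.1")
    # key-B: stolen key, 300 trades in five minutes, all on one thin pair
    for i in range(300):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} key-B DMG/USD buy 1500")
    # key-C: legitimate high-frequency bot spread evenly over five markets
    markets = ["BTC/USD", "ETH/USD", "SOL/USD", "FTT/USD", "DOGE/USD"]
    for i in range(250):
        ts = base + timedelta(seconds=10 * i)
        side = "buy" if i % 2 else "sell"
        lines.append(f"{ts.isoformat()} key-C {markets[i % 5]} {side} 1")
    return lines


if __name__ == "__main__":
    for key, start, count, market, share in find_bursts(build_sample_log()):
        print(f"ALERT {key}: {count} trades from {start.isoformat()}, "
              f"{share:.0%} on {market}")
```

In this constructed log only `key-B` is flagged; `key-C` crosses the count threshold but its trades are spread across five markets, so it passes the concentration check. In practice the thresholds should be derived from each key's own history rather than fixed constants, and an alert on a key should pause that key's trading permission while the owner is contacted, which is cheaper than compensating afterwards.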
Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish