Analyst: Friend.tech Front-End Breach Could Be More “Devastating” Than Balancer’s

One of the core developers behind DeFiLlama, a portal that analyzes decentralized finance (DeFi) protocols, believes that a hack on Friend.tech, a decentralized social media network on Base, a layer-2 platform backed by Coinbase, will be more “devastating” than the recent breach on Balancer whose front-end was exploited and over $238,000 worth of assets reportedly stolen. 

In the analyst’s assessment, the social media network can be compromised in three ways, stating that any exploit initiated from the front end could see Friend.tech users lose funds simply by “opening the app,” adding that they won’t have “to do anything.”

3 Ways Friend.tech Users Can Lose Funds If Hacked

Upon analyzing Friend.tech’s security model, the analyst explained that if their direct iframe was compromised, a hacker could gain unauthorized access to the user’s funds.

In web development, the direct iframe allows users to embed links, which can be from social media or even Google. All the developer needs is to enable HTML addition before formatting using CSS.

While the direct iframe is easy to use and flexible, it also introduces security risks. This is because by allowing anyone to insert HTML code, malicious agents can choose to embed corrupted code.

Besides direct iframe, the analyst also pointed out a hack on Friend.tech’s privy iframe can lead to loss of funds. He notes that the platform’s privy iframe holds the private keys, allowing users to easily connect the dapp with their non-custodial wallets such as MetaMask.

Privy iframe is critical in DeFi, forming the critical infrastructure for decentralized exchanges (DEXs) and non-fungible token (NFT) marketplaces operating on public networks like Ethereum or the BNB Chain. 

BNB price on September 21 when Friend.tech came under focus| Source: BNBUSDT on Binance, TradingView

A privy iframe allows developers to embed a Privy wallet. A Privy wallet is non-custodial, meaning the end-user has control of the necessary private keys. At the same time, they are isolated to ensure that user private keys cannot be accessed by third parties or even other code.

Moreover, the analyst notes that if Friend.tech’s privy iframe loses data, funds wouldn’t be accessible since they hold 2/3 shards, essentially equating to losing private keys.

The Balancer Hack

On September 19, the front-end of Balancer, a DeFi protocol that allows users to create and manage custom liquidity pools, was hacked. Peckshield, a blockchain security platform, estimated that at least $238,000 of assets had been stolen before Balancer asked users not to interact with the portal. When interacting with the protocol, some users noted that they were requested change chains and approve malicious contracts.

Statistics from DeFiLlama states that at least $7 billion of assets have been stolen through hacks. According to the DeFi analytics platform, besides the Balancer hack, other notable exploits resulting in significant loss include the Remitano breach where hackers stole $2.7 million, and Curve’s where over $61 million was lost.

Total amount of assets stolen via hacks| Source: DeFiLlama

Read Entire Article


Add a comment