Post mortem on Zerion’s asset phishing attack

A recent scam token appearing on Zerion highlights the challenge of balancing permissionless token curation and user safety

In February, an attacker deployed a contract designed to mimic a Balancer pool. This pool appeared on Zerion long enough for one user to interact with it and around $30K in funds were stolen. Fortunately, no one else was affected.

This exploit targeted Zerion’s backend validation, not the Balancer protocol itself. We immediately resolved the issue with the user and added code to validate each pool against Balancer’s on-chain registry. We’ve also spent the past month doing a thorough security audit and have made key improvements to ensure this never happens again.

This may be the first attack of its kind on a DeFi aggregator, so we felt it was necessary to break down exactly how this happened and open the dialogue with our community on how we can build a more secure product.

How the attack happened

This attack involved a smart contract designed to mimic a real Balancer pool, with a catch: the contract was built for one-way transactions, accepting deposits but not withdrawals. Several features enabled the pool to bypass detection by our backend:

  1. The pool held legitimate underlying tokens
  2. The pool’s contract emitted the same event logs as other Balancer pools
  3. The contract reported a large token supply

Consequently, our backend interpreted the fake contract as a real Balancer pool and the token appeared on our Invest page.

This attack also exploited one of our user-facing security features. The DeFi blue tick is an icon that appears next to assets that appear in at least two Token Lists. While this feature says nothing about the quality of the projects those tokens represent, users can at least proceed knowing they’re not interacting with a duplicitous smart contract. This logic extends to derivative-type tokens on protocols like Uniswap, Balancer and Curve. If the underlying assets of a pool are verified in at least two Token Lists, we assume the pool itself is also legitimate.

In this case, because the contract behaved exactly like any other Balancer pool and held legitimate underlying tokens, the asset was assigned a blue tick.

Actions we’ve undertaken to improve security

As a first step, we disabled the automatic blue tick for all derivative tokens on Zerion — this includes pools, indexes, automated strategies, and collateral tokens.

Previously, we looked at a derivative’s underlying assets and the event logs emitted by the smart contract, but this exploit has proven that this approach is too optimistic — even protocol-specific identifiers such as event signatures can be reproduced by a smart contract that doesn’t belong to that protocol. We’ve now added a third step to the verification process, where we check each protocol’s on-chain registry to ensure that assets that appear on Zerion are also recognised by the protocol itself. Since implementing this step, we re-enabled the blue tick for validated protocols.
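To make the difference between the two verification approaches concrete, here is an added example (not Zerion’s code, and not Balancer’s) that models the two checks described above: the original heuristic (underlying assets present in at least two Token Lists, the expected event signatures, a non-zero token supply) and the new rule that additionally requires the pool address to be present in the protocol’s on-chain registry. The token lists, pool records and registry contents are constructed sample data with placeholder addresses; in a real backend the registry lookup would be a view call against the protocol’s factory or registry contract rather than a set membership test.

```python
from dataclasses import dataclass

# Constructed sample Token Lists (placeholder addresses, not real tokens).
TOKEN_LISTS = {
    "list-a": {"0xWETH", "0xDAI", "0xUSDC"},
    "list-b": {"0xWETH", "0xDAI", "0xWBTC"},
    "list-c": {"0xUSDC", "0xWBTC"},
}

# Stand-in for the protocol's on-chain registry. In production this would be
# an RPC view call to the protocol's factory/registry contract; here it is a
# constructed set so the example runs offline.
PROTOCOL_REGISTRY = {"0xPoolReal"}

# Event names a contract is expected to emit to "look like" a pool of this
# protocol. Any contract can emit events with these names, which is exactly
# why this signal alone is insufficient.
EXPECTED_EVENTS = frozenset({"LOG_JOIN", "LOG_EXIT", "LOG_SWAP"})


@dataclass(frozen=True)
class PoolCandidate:
    address: str
    underlying: frozenset      # token addresses the pool reports holding
    emitted_events: frozenset  # event names observed in the contract's logs
    total_supply: int          # pool token supply reported by the contract


def token_list_count(token: str) -> int:
    """Number of Token Lists in which a token appears."""
    return sum(1 for tokens in TOKEN_LISTS.values() if token in tokens)


def underlying_verified(pool: PoolCandidate, min_lists: int = 2) -> bool:
    """Blue-tick rule for plain tokens: present in at least min_lists lists."""
    return bool(pool.underlying) and all(
        token_list_count(t) >= min_lists for t in pool.underlying
    )


def looks_like_pool(pool: PoolCandidate) -> bool:
    """Original heuristic: legitimate underlying, expected events, non-zero supply.
    Every one of these signals is controlled by the candidate contract itself."""
    return (
        underlying_verified(pool)
        and EXPECTED_EVENTS <= pool.emitted_events
        and pool.total_supply > 0
    )


def is_registered(pool: PoolCandidate, registry=PROTOCOL_REGISTRY) -> bool:
    """Registry check: the one signal the candidate contract cannot forge,
    because it is answered by the protocol's own contracts."""
    return pool.address in registry


def blue_tick_old(pool: PoolCandidate) -> bool:
    return looks_like_pool(pool)


def blue_tick_new(pool: PoolCandidate, registry=PROTOCOL_REGISTRY) -> bool:
    return looks_like_pool(pool) and is_registered(pool, registry)


# Constructed candidates: a genuine pool, a mimic that reproduces every
# contract-controlled signal, and a pool built on an unlisted token.
REAL = PoolCandidate("0xPoolReal", frozenset({"0xWETH", "0xDAI"}),
                     EXPECTED_EVENTS, 10**21)
MIMIC = PoolCandidate("0xPoolMimic", frozenset({"0xWETH", "0xDAI"}),
                      EXPECTED_EVENTS, 10**24)
UNLISTED = PoolCandidate("0xPoolUnlisted", frozenset({"0xWETH", "0xNEWTOKEN"}),
                         EXPECTED_EVENTS, 10**21)


def triage(candidates) -> dict:
    """Compare both rules over a set of candidates; returns address -> verdicts."""
    return {p.address: {"old": blue_tick_old(p), "new": blue_tick_new(p)}
            for p in candidates}


if __name__ == "__main__":
    for addr, verdict in triage([REAL, MIMIC, UNLISTED]).items():
        print(f"{addr:16} old={verdict['old']!s:5} new={verdict['new']!s:5}")
```

The point of the example is which party controls each signal: underlying holdings, emitted events and reported supply are all set by the candidate contract, so a mimic passes `blue_tick_old`, while registry membership is answered by the protocol’s own deployed contracts, so the same mimic fails `blue_tick_new`.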

We want to emphasize that for conventional non-derivative tokens, the blue tick works as intended. We also want to remind users to always err on the side of caution when interacting with DeFi assets. Ultimately, due diligence rests in your hands. The blue tick will help to ensure you’re interacting with legitimate assets (and we can be sure of that with this recent round of improvements), but it is not an indicator of the quality of a token. In other words, the tick doesn’t guarantee that the asset is not a scam.

Future precautions

Google has recently seen several phishing attacks on crypto wallets, while protocols like Furucombo and Alpha Finance have suffered “evil contract” hacks. To our knowledge, this is the first attack of its kind on a DeFi aggregator.

This was not a smart contract attack, and neither was it a typical website phishing attack. We call this an asset phishing attack because the fake asset didn’t target a particular protocol, but targeted an aggregation interface that would present the token as legitimate.

One of DeFi’s biggest challenges is balancing permissionless token curation with user safety. We face a paradox: on the one hand, zero-custody interfaces like ours mean that it is ultimately the user’s responsibility to vet the assets they trade. On the other hand, we can’t ignore the fact that more and more people are using DeFi aggregators to access the entire DeFi ecosystem. We want to make that experience as easy and as safe as possible.

Our approach to managing this complex challenge is to stand by our mission of providing open access to DeFi opportunities for all. This means we won’t be gatekeepers of what users can and can’t trade — but we are making an effort to ensure that the design of our product prevents users from unknowingly interacting with malicious tokens.

We invite our community to be a part of the conversation on how we approach user safety, either by chatting to us on Discord or voting for new features on our public roadmap.

Bug Bounty

Zerion has an active bug bounty program that anyone can participate in — learn more by emailing inbox@zerion.io.