7 August 2024 Incident: Post Mortem Report From the Nexera Team

Nexera
7 min readAug 9, 2024

--

A recent incident targeted Nexera Fundrs, resulting in the unauthorized transfer of $NXRA tokens from its smart contracts. This post-mortem report provides a detailed overview of what happened, how we responded, and the steps we’re taking to secure our platform and safeguard our community.

What Happened

On 7 August 2024, an external actor gained unauthorized access and transferred $NXRA tokens from Fundrs’ Staking Contracts on Ethereum. We immediately identified the root cause of this incident and paused the $NXRA token contract, effectively halting all on-chain transactions involving $NXRA tokens.

Out of the 47.24M $NXRA tokens that were stolen, the attackers were only able to sell 14.75M tokens (the equivalent of approximately USD 449K). We successfully removed the remaining 32.5M $NXRA balance from the attackers’ wallet, preventing further loss.

Flow of tokens from impacted contracts. Diagram from PeckShield.

What Was Affected

The attackers gained access to credentials to manage smart contracts for the Fundrs platform. Using these credentials, they transferred $NXRA tokens from the Fundrs staking contracts on Ethereum and accessed the vesting contract on Avalanche. They have never been able to access $NXRA tokens in users’ wallets.

Fundrs smart contracts have been rigorously audited, and it has been confirmed that the issue did not stem from them. Users who only staked on the platform don’t need to take action. However, to ensure the security of assets, it is a good practice to review token approvals regularly.

Users can opt to revoke token approvals from Fundrs smart contracts, especially if they have participated in fundraising rounds. We have published a companion article that walks through this process, which can be read here.

Nature of the Attack

An analysis of the malicious code used in the attack verified that it was BeaverTail malware. The method of deployment and escalation is consistent with state-backed threat actors and their initial attack approach. Further analysis verified that the InvisibleFerret malware would be deployed if specific conditions on the compromised client were met. We have published a companion article that discusses our investigation of the malware involved in this incident, which can be read here.

Understanding the type of malware and how it works enables us to deploy specific mitigations to address any future breaches of this type. We can also confirm that there is no threat of further internal escalation, no confidential data has been breached, and that other areas of the business remain safe.

How It Unfolded

The following is an abridged version of the timeline of events from the beginning of the incident until our initial resolution. We have acted quickly and decisively thanks to our internal security processes and our partners’ involvement.

  • 02:10 UTC, 7 August 2024 — Malicious code was executed on a machine, enabling the attackers to access credentials to manage smart contracts on Fundrs. During this time, the attackers investigated the information they managed to retrieve and prepared their attack remotely.
  • 05:05 UTC — The attackers transferred ownership of the impacted contracts on Ethereum, blocking our ability to upgrade or reassign ownership.
  • 05:28 UTC — The attackers transferred the $NXRA balance from the impacted contract on Ethereum and subsequently started selling on Uniswap.
  • 05:29 UTC — A team member received an alert. Our internal procedures include further investigation and corroboration, which helps us filter out false positives.
  • 05:35 UTC — A representative from the Binance Security Team publicly messaged us in the Nexera Telegram community chat, asking to speak to someone urgently.
  • 05:58 UTC — Upon further investigation and corroboration from the Binance Security Team, the issue was determined to be valid and escalated further.
  • 06:13 UTC — A technical team started validating the issue.
  • 06:19 UTC — The issue was validated, and a task force was set up to investigate 24/7.
  • 06:28 UTC — We paused the $NXRA token contract, beginning on Ethereum and then on Avalanche, Arbitrum and Polygon.
  • 06:29 UTC — We started informing exchanges of the pausing of $NXRA tokens and requested to suspend services.
  • 07:19 UTC — Hypernative Labs and Binance joined the task force to help identify the impact.
  • 07:22 UTC — The root cause was identified, confirming that the issue did not stem from our smart contracts. The task force started working on identifying the impact and drafting the mitigation plan.
  • 07:30 UTC — We kickstarted the process to contact law enforcement in the Netherlands, with ultimate contact made with the Dutch police at 07:47 UTC.
  • 08:08 UTC — The attackers transferred ownership of impacted contracts on Avalanche.
  • 09:40 UTC — The attackers transferred the $NAI balance from the Avalanche contracts.
  • 09:49 UTC — We paused the $NAI token contract, beginning on Avalanche and then on Ethereum.

At this point, we had identified the root cause and impact of the attack and proceeded to implement our response plan.

Our Immediate Response

  1. We initiated a pause on the $NXRA and $NAI token contracts.
  2. We identified the compromised credentials and impacted smart contracts.
  3. We zeroed out the $NXRA balance in the attackers’ wallet, including the balances in the impacted smart contracts they control.
  4. We attempted to transfer ownership of the impacted contracts. However, the attackers have already blocked our ability to upgrade the contracts or re-assign ownership.
  5. We contacted law enforcement and exchanges used by the attackers, requesting that related accounts be frozen and that investigative work start.
  6. Other exchanges were contacted to inform them of the incident and that the affected token would be paused.
  7. We investigated the affected machine, concluding that the breach was limited to accessing credentials to enable the smart contract takeover and ensuring that no other data were stolen.
  8. We wiped the affected machine and reset the SSO account password and sessions, which forced a login with new credentials upon rebooting the machine.
  9. We carried out internal audits, which showcased that no other credentials were taken in the attack, and any activity leading up to the breach was reviewed and found to be normal.

The Lessons We Learned From This

Internal comms were issued to all personnel, reminding them of key security processes that must be adhered to when working with externally sourced code or with keys/passphrases/mnemonics used with our environments.

Over the next week, internal audits will ensure these security measures are followed. Smart contract development will also be reviewed to ensure that hardware wallets/keys are combined with multi-sig wallets.

Staff have been alerted to these attacks via LinkedIn and other social media platforms. We have discussed this type of attack in detail in our companion article about the malware involved in the incident, which can be read here.

Staff training scheduled on the work of the Lazarus Group and other Democratic People’s Republic of Korea (DPRK) hacking groups has been brought forward to further raise awareness.

The investigation will continue in close collaboration with law enforcement and exchanges. We are fully committed to uncovering the truth and holding responsible parties accountable.

Our Next Steps

As our internal investigation wraps up, we are now focused on resuming the trading of $NXRA tokens and restoring full functionality to our platforms as follows:

  • $NXRA token — We will unpause the $NXRA token contract. This will happen in the next few hours, enabling transactions of $NXRA tokens on-chain, including DEXes.
  • CEX services — We are coordinating with centralized exchanges to resume trading on their platforms.
  • Fundrs — We are redeploying our Fundrs smart contracts and taking the platform back online.
  • Bridge — The Bridge will be brought online after we have concluded the necessary tests on the Fundrs platform.

Stay Safe and Informed

The Nexera team will continue to work around the clock to address any remaining issues from this incident, and we will share more updates with our community on our progress.

We have published a technical analysis of the malware involved in this incident and suggested steps for anyone to protect themselves from this type of attack. The article can be read here.

Regularly reviewing token approvals is a good security practice, regardless of the protocols and dApps users interact with. Users can further protect themselves and ensure the security of their assets by opting to revoke token approvals for the Fundrs smart contracts, especially for those who have participated in previous fundraising rounds. We have published a guide on how to do this, which can be read here.

More importantly, please stay vigilant of fake accounts masquerading as Nexera and only stay up to date with news and announcements on our official channels:

We continue to employ multiple measures to ensure the security of our solutions and that our users’ interests remain at the forefront of our practices.

Let’s work together to keep our platforms safe and secure for everyone!

About Nexera

Nexera is empowering the future of finance with cutting-edge open-source innovation. Nexera infrastructure seamlessly incorporates blockchain technology, facilitating on-chain and off-chain operations for simplified digital, financial, and real-world asset management.

Nexera is focused on nurturing the broader ecosystem and DAO and enhancing the utility of the $NXRA token. It is committed to promoting community growth and driving innovation in the digital asset space, including the growth and development of current and future key ecosystem partners.

Learn more about Nexera by following them on X, joining the Telegram Community, or visiting their website.

--

--

Nexera
Nexera

Written by Nexera

Nexera is empowering the future of finance with cutting-edge open-source innovation.

Responses (2)