Analysis of Balancer BGP Hijacking Incident

SlowMist
5 min readSep 20, 2023

Update(2023/09/21):

We double checked our monitoring data, @realScamSniffer ’s monitoring data and Balancer’s description, this is not a certain BGP hijacking. The coincidence of time puzzled us. We look forward to Balancer’s final post-mortem report.

On September 20, 2023, our security team indicated that Balancer.fi fell victim to a BGP (Border Gateway Protocol) Hijacking attack. Users who accessed the platform via the compromised link found their wallets were at risk of phishing attacks.

Upon receiving the alert, we promptly launched an in-depth investigation. According to CloudFlare’s BGP Origin Hijack alert number 17957, the list of affected Autonomous System Numbers (ASNs) includes AS13335, which is associated with Balancer.fi. When the attack was ongoing, access to the phishing site would trigger a phishing security warning issued by CloudFlare.

Detailed Analysis:

  1. A query was conducted for the DNS resolution records of the Balancer.fi domain (https://bgp.tools/dns/balancer.fi). The A records indicate IP addresses 104.21.37.47 and 172.67.203.244. Both of these IP addresses are registered under the Autonomous System (AS) number AS13335, which is managed by CloudFlare.

2. Based on CloudFlare’s official records available at (https://radar.cloudflare.com/routing/anomalies/hijack-17957, AS13335 is identified among the list of Autonomous Systems (AS) compromised by the BGP Origin Hijack attack.

3. It was revealed that the HTTPS certificate for Balancer.fi had been swapped out for a certificate controlled by the attacker.

4. The problem has now been fixed, but before it was fixed, attempting to access https://app.balancer.fi, would encounter a phishing security warning issued by CloudFlare.

5. Upon further analysis, it was revealed that the front end of app.balancer.fi contains malicious JavaScript code, specifically located at https://app.balancer.fi/js/overchunk.js.

6. Once users connects their wallets to the app.balancer.fi platform, the rogue script automatically assesses the users’ account balances and initiates a phishing attack.

7. Upon dissecting the malicious JavaScript file, the following nefarious addresses were identified:

0x00006DEAcd9ad19dB3d81F8410EA2B45eA570000
0x645710Af050E26bB96e295bdfB75B4a878088d7E
0x0000626d6DC72989e3809920C67D01a7fe030000

The SlowMist security team would like to inform users that the previously reported BGP attack targeting Balancer has been addressed. However, as a best practice for maintaining your security, we strongly recommend remaining vigilant and cautious when interacting with any platform. Always ensure you are on the legitimate site and double-check any security prompts or alerts you may encounter.

Recommended Solutions:

Implement Custom Monitoring: Develop your own monitoring systems that alert you to any BGP changes within your private network segments.

Leverage SlowMist’s MistEye: This comprehensive security monitoring solution offers both on-chain and off-chain surveillance. Its capabilities extend to frontend and backend monitoring, certificate verification, and more. It allows for real-time alerts upon detecting any anomalous changes in web pages, JavaScript, or certificates.

Opt for Industry-Leading Solutions like Akamai: Akamai provides a robust global BGP monitoring service backed by big data analytics. This allows clients to closely monitor BGP changes in their designated network ranges, ensuring timely identification and resolution of security issues.

Concluding Remarks:

Following a thorough analysis by our security experts, the incident was conclusively determined to be a targeted BGP Hijacking attack against Balancer.fi. The attackers adeptly orchestrated various tactics including careful timing, certificate forgery, and AS control, executing them seamlessly.

A critical takeaway is that while many network operators are well-versed in the risks of BGP Hijacking and have taken adequate countermeasures, the same can’t be said for numerous project teams. Many lack a full understanding, particularly concerning the risks introduced by AS changes leading to altered network paths. Given this, the likelihood of similar attacks occurring in the future remains high.

Therefore, SlowMist’s security team strongly advises project managers, internet service providers, and server hosting companies to be fully aware of such risks and to collaborate in creating a robust defense strategy. This proactive approach is essential to preclude the recurrence of such incidents. Should you require expert guidance, SlowMist’s security team is readily available for consultation.

Related Links:
https://blog.cloudflare.com/rpki/

https://medium.com/@slowmist/truth-behind-the-celer-network-cbridge-cross-chain-bridge-incident-bgp-hijacking-52556227e940

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.