On December 3rd, 2021, the SlowMist identified a sophisticated phishing attack on the Gnosis Safe Mutisig in the Habitat team fund. This is our brief analysis of the situation so far.
Relevant Information
Hacker’s first address: Habitat Multsig Drainer Fund Supplier 0x62a51ad133ca4a0f1591db5ae8c04851a9a4bf65
Hacker’s second address : Habitat Multsig Drainer 0x26a76f4fe7a21160274d060acb209f515f35429c
Fake Gnosis Safe Insurance contract: 0x09afae029d38b76a330a1bdee84f6e03a4979359
Fake Gnosis Safe contract:
0x3cb0652856d7eabe51f1e3cceda99c93b05d7cea
Hackers proxy contract:
0xc97f82c80df57c34e84491c0eda050ba924d7429
Real Gnosis Safe Insurance Contract: 0x34cfac646f301356faa8b21e94227e3583fe3f5f
Real Gnosis Safe Contract:
0x40a2accbd92bca938b02010e17a5b8929b49130d
Transaction ID: https://etherscan.io/tx/0x71c2d6d96a3fae4be39d9e571a2678d909b83ca97249140ce7027092aa77c74e
Our analysis
The hacker began preparing on November 23, according to our MistTrack anti-money laundering tracking system. They use Tornado.Cash and deposit 0.9384 ETH into the first address to prevent detection. They then send 0.8449 ETH to the second address to deploy the smart contract.
After the successful attack, the funds were converted to ETH using Uniswap and Sushiswap. They then transferred 56.2 ETH to Tornado.Cash To evade tracking.
Following the Transactions
The attacker created a counterfeit MultiSendCall( Fake Gnosis safe contract) 9 days before the attack and verified the contract, making it look like the real MultiSendCall(Gnosis safe contract).
After phishing for a signature from the user, the hacker can direct the calldata to the malicious contract address. The correct address should have been 0x40a2accbd92b ca938b02010e17a5b8929b49130d, but it has now been altered to 0x3cb0652856d7eabe51f1e3cceda99c93b05d7cea.
Because the attacker’s signature data is correct, it passed the multi-signature verification stage and began executing the malicious smart contract.
Looking at this contract, we discovered that it contained additional assignments; let’s take a deeper look at this code.
When the condition of payment.version <VERSION is triggered, storage[0x00] will be reassigned every time called.
When the transaction is completed, the storage[0x00] of Proxy has became 9ab0e73798 09afae029d38b76a330a1bdee84f6e03a4979359. This is the contract created by the hacker.
Since the Gnosis safe insurance address is read from storage[0x00] by the Proxy contract, now it will be changed to the hackers’ smart contract.
The hacker only needs to wait for the user to deposit enough tokens into this contract and then send a transfer function to withdraw the funds.
We discovered that the attacker was quite clever after reviewing the transaction records of the malicious smart contract.
The hacker ensured that the smart contract permitted the user to utilize other features normally to avoid detection.
When our team broke down the malicious smart contract, we discovered that it allowed the user to utilize the multisig function normally before the hacker made their move. Once the right conditions are met, it will bypass the verification and withdraw the funds.
Summary
The hacker most likely used a phishing scam to obtain a multi-signature data from a user. It then used that data to delegatecall a call to an external contract, allowing the external contract to change the data. Now it can use the slot location corresponding to the variable stored in the external contract to change the data in the current contract. Once the hacker’s contract was deployed, the Gnosis safe contract was directed to the hacker contract. By doing so, the funds can be transferred at any time without signing. The SlowMist’s security team advises that before accessing the Gnosis Safe Multisig app, make sure it is for an official website. Check the content of programs carefully so that you can identify phishing sites and malicious transaction data as soon as possible.
Additional information:
https://0xhabitat.substack.com/p/exploit
https://blog.gnosis.pm/the-0xhabitat-multisig-got-drained-an-analysis-16ab74ddf42
