Hackers compromised the ZEROBASE front-end

Hackers took control of the front-end interface of decentralized zero-knowledge (ZK) proving network Zerobase late Friday, resulting in losses for more than 270 users and draining over $240,000 worth of USDT. 

According to on-chain investigators Lookonchain, several users reported unauthorized fund movements at around 2:30 PM UTC yesterday, after interactions with what appeared to be the official Zerobase interface. 

The attackers did not breach the underlying blockchain infrastructure, but exploited the platform’s front-end which could be accessed directly through a web interface. They deployed a phishing smart contract on BNB Chain to impersonate Zerobase, which tricked users into connecting their wallets and approving USDT spending permissions.

Once approvals were granted, the attackers were able to siphon funds without further user interaction, with one affected user alone reportedly lost 123,597 USDT, Lookonchain found.

Front-end attack on Zerobase interface causes $240K loss

According to blockchain cybersecurity platform HashDit, the malicious contract address linked to the incident was identified as 0x0dd28fd7d343401e46c1af33031b27aed2152396. The contract was specifically made to hijack wallet connections and extract approved tokens.

Zerobase’s hack was different from the regular smart contract exploits, because a front-end compromise does not need a breacher to tamper with the blockchain’s security. They can manipulate the interface and add malicious codes to intercept transactions or redirect assets once approvals are in place.

These attacks take place at the user interaction layer, so they can be difficult for non-technical users to detect even as their funds are being rerouted. Lookonchain pleaded with affected users to immediately review their wallet permissions and use revoke.cash or similar services to remove any suspicious or unnecessary contract approvals from their wallets.

Zerobase acknowledged the issue in a post on X, warning users who had interacted with the malicious contract and adding that it had implemented automatic safeguards for affected wallets.

“When you access ZEROBASE Staking, if your wallet is detected to have interacted with this contract, the system will automatically block deposits and withdrawals until the approval to the phishing contract is revoked,” the company wrote.

The Binance Wallet team also confirmed it blocked the website domain suspected of hosting malicious activity. It also blacklisted the relevant contracts to prevent more authorization risks, and would automatically send alerts to affected users within 30 minutes advising them to review their approvals.

“We will continue to monitor the situation and take necessary measures to ensure user security. We will share any further updates as soon as possible,” the Binance team noted.

Binance with questions to answer after Upbit hack discovery

The Zerobase incident comes on the backdrop of Binance’s scrutiny over its response to the Upbit exchange hack that occurred late November. Cryptopolitan reported that South Korea’s regulators accused the world’s largest exchange by volume of only partially complying with a freeze request from Upbit.

On November 27 hackers stole a significant amount of digital assets from the exchange and later laundered the funds through more than a thousand wallets. That same day, South Korean police and Upbit formally requested Binance to freeze approximately 470 million won worth of stolen Solana tokens traced to its platform.

Binance froze only about 80 million won, or roughly 17% of the requested amount citing the need for “fact-checking” before taking any action. South Korean authorities were notified that the freeze had been completed around midnight on November 27, 15 hours after the initial request was submitted.

Upbit later disclosed the perpetrators had exploited a vulnerability in its Solana-based hot wallet, siphoning funds from 24 Solana ecosystem tokens in less than an hour. Losses from the attack were estimated at 44.5 billion won, equivalent to about $33 million at the time. 

The exchange later confirmed that all customer losses would be covered using internal reserves, seeking to reassure users amid heightened concerns about platform security.

In a separate but related blockchain security event, blockchain security firm CertiK detected suspicious Tornado Cash deposits linked to anomalous withdrawals from 0G Labs on Friday. 

An unidentified party made a withdrawal of approximately 520,000 0G tokens, valued at around $516,000, using a privileged emergencyWithdraw function. The funds were first transferred to the address 0x617E8e3C07bEF319F26C1682270A19e89Ea2bf75.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.