EtherDelta May Be Fully Compromised, Move Your Tokens
Okay, I’m officially worried about the status of EtherDelta.
Their site's DNS was hijacked last week, during an apparent transfer of ownership of EtherDelta.
But now, a week later, I'm hearing that people using MetaMask are also getting their funds stolen. So it seems they are still compromised.
If you have funds on @Etherdelta I would move them off now! I just had a large amount stolen from my account a few hours ago. Do not use the same accounts you have used before the hack, even with MetaMask (which I thought I was safe because that's what I was using).
— Tommy World Power 💹 (@TommyWorldPower) December 26, 2017
Now today, the supposed new owners of EtherDelta are doing an ICO, raising about $60m.
Looking through their ICO materials, there are red flags everywhere. It was clearly put together in a hurry and is full of typos.
The people listed on the team don't appear to be real; I can't find them anywhere.
They falsely list ICORating.com as a partner when, in fact, it has never evaluated this ICO.
Overall it just feels really sketchy and scammy, like something quickly put together by a hacker who has just taken control of the site and wants to grab as much cryptocurrency as possible before getting exposed.
When evaluating these risks, we have to consider the worst case scenarios.
What if the centralized control point of EtherDelta has been compromised? What if Zack himself, who has full control over domains and code has been compromised? What if he is being coerced or otherwise not acting on his own free will?
I think this is exactly what it would look like: accidental hacks, change in management to fake profiles, shady ICOs, theft of all funds going through the exchange.
If this is the case, what is your exposure? How can you protect yourself?
If everything is fully compromised, it's likely that any wallets used with EtherDelta are not safe. Certainly any tokens you are trading on EtherDelta are not safe. But it's also possible that anyone using EtherDelta has inadvertently signed a transaction with a contract that has some sort of backdoor in it.
Any transaction made through EtherDelta needs a full audit before it can be considered safe.
How to protect yourself
The easiest way to protect yourself right now is to move all your tokens to a new address that has never been used with EtherDelta.
You can see any pending deposits you have on etherdelta: https://deltabalances.github.io/
Withdraw them now.
Move all your tokens from the addresses you used on EtherDelta to a brand new address, and don't use EtherDelta with that address.
If you must use EtherDelta for something, use a dedicated address that only holds the particular tokens you need to send.
This may be overkill, but in the case of any backdoors, malicious contracts, or other compromises, you’ll be happy that your tokens are safe in a clean address.
If anyone has information confirming or disproving any of my warnings here, please tweet me so I can update the article.
I'll be avoiding EtherDelta indefinitely, as it seems that either they are completely compromised or the new management is quite careless.
Update: Technical Analysis
The biggest threat comes from DNS hijacking or poisoning: if the site was hacked, or if it was sold into malicious hands, the attacker controls the web page that builds the transactions.
When users interact with such a page, the transactions it hands to MetaMask for signing can point at a different Ethereum address than the one users expect, and their funds are effectively stolen at the moment they confirm.
There could be more sophisticated attacks, but after doing some research I have not been able to find concrete evidence of them happening.
When users deposit tokens to EtherDelta, two ERC20 calls are involved.
The first is the approve call, which gives the exchange contract permission to call transferFrom and pull tokens from your address, repeatedly, up to the amount you approved (this is what lets the contract settle trade orders). Any allowance you leave outstanding stays spendable until you set it back to zero with another approve call.
The second moves the tokens into the exchange. A plain transfer call moves tokens directly from one account to another; EtherDelta's deposit call instead pulls the approved amount into the contract with transferFrom, on your behalf, and credits your ED balance.
More info here: https://theethereum.wiki/w/index.php/ERC20_Token_Standard.
There is a GitHub issue and a paper that explain a possible, somewhat more complicated vulnerability: the ERC20 approve race. A spender that already holds an allowance from an earlier approve call sees a second approve in the pending state, front-runs it by spending the old allowance with transferFrom, and then spends the new allowance as well: https://github.com/JincorTech/ico/issues/40.
Even if that vulnerability applies here, the biggest risk is that an attacker somehow trades your deposited tokens to their own address at a low price, because the exchange contract has no built-in method to transfer balances from one user to another. All interactions in the smart contract happen between the user and the EtherDelta smart contract itself.
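To make the mechanics above concrete, here is an added example (not EtherDelta's or any token's real code): an in-memory model of transfer, approve and transferFrom, of how an exchange contract pulls a deposit within the allowance you granted, and of the approve race from the linked issue, with the compare-and-set approve that the issue thread discusses as a mitigation. The addresses, balances and amounts are constructed for the demo.

```python
# Added example: minimal ERC20 ledger model (not EtherDelta's or any token's code).
from dataclasses import dataclass, field


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)   # (owner, spender) -> amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer(self, sender, to, amount):
        """Move tokens directly from the caller to `to`."""
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount

    def approve(self, owner, spender, amount):
        """Plain ERC20 approve: overwrites the allowance unconditionally."""
        self.allowances[(owner, spender)] = amount

    def compare_and_approve(self, owner, spender, expected, amount):
        """Mitigation: only overwrite if the allowance is still what the caller read."""
        if self.allowance(owner, spender) != expected:
            raise ValueError("allowance changed since it was read")
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spend part of an allowance; this is what a deposit contract calls."""
        if self.allowance(owner, spender) < amount:
            raise ValueError("allowance exceeded")
        if self.balance_of(owner) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


USER, EXCHANGE, SPENDER = "0xuser", "0xexchange", "0xspender"   # constructed labels


def deposit_flow():
    """approve, then the exchange pulls the deposit with transferFrom.
    Returns (exchange balance, user balance, allowance left outstanding)."""
    t = Token(balances={USER: 1000})
    t.approve(USER, EXCHANGE, 300)                    # user grants more than this deposit needs
    t.transfer_from(EXCHANGE, USER, EXCHANGE, 200)    # the exchange contract's deposit call
    return t.balance_of(EXCHANGE), t.balance_of(USER), t.allowance(USER, EXCHANGE)


def approve_race(front_run, checked=False):
    """User has allowance N=100 outstanding and changes it to M=50.
    A spender that front-runs the pending approve with transferFrom(N) collects
    N+M with plain approve; compare_and_approve limits it to N."""
    t = Token(balances={USER: 1000})
    t.approve(USER, SPENDER, 100)
    if front_run:
        t.transfer_from(SPENDER, USER, SPENDER, 100)   # mined before the new approve
    try:
        if checked:
            t.compare_and_approve(USER, SPENDER, expected=100, amount=50)
        else:
            t.approve(USER, SPENDER, 50)
    except ValueError:
        pass   # the guarded approve refuses; nothing new is granted
    remaining = t.allowance(USER, SPENDER)
    if remaining:
        t.transfer_from(SPENDER, USER, SPENDER, remaining)
    return t.balance_of(SPENDER)


if __name__ == "__main__":
    print("deposit (exchange, user, allowance left):", deposit_flow())
    print("plain approve, no race:", approve_race(False))
    print("plain approve, front-run:", approve_race(True))
    print("guarded approve, front-run:", approve_race(True, checked=True))
```

The allowance left outstanding after deposit_flow (100 of the 300 approved) is the standing exposure the article is worried about: it can be pulled later without any further signature from you. Moving tokens to a fresh address, as recommended above, sidesteps it entirely; if you keep using an address, clear the allowance with approve(spender, 0) and confirm it reads 0 before granting a new one.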
Exploring their smart contract code, there is a definition for an admin account with a few special privileges related to controlling the platform's fees.
The admin recently made some changes on this transaction https://etherscan.io/tx/0xe808f6d5de61fdd886b9f01249a5637a99ccb5d1bff5cff7585519fdab391676 changing the destination of fees to
Until the situation is cleared up, it's recommended that you interact directly with the smart contract; it's possible to do this with MyEtherWallet, as explained here: https://www.youtube.com/watch?v=slru097RrfM.
Use the withdraw method to get your Ether back from the contract, and withdrawToken, providing the contract address of the token you want to withdraw.
Amounts are given in the smallest unit, not in whole coins: wei for Ether, and the token's base unit for tokens (the displayed amount multiplied by 10 to the power of the token's decimals). You can check the exact value you hold by querying balanceOf(token, user) on the EtherDelta smart contract here: https://etherscan.io/address/0x8d12a197cb00d4747a1fe03395095ce2a5cc6819#readContract
It's important to clarify that your private keys should not be compromised if you used MetaMask or a hardware wallet, because these interfaces are designed only to sign transactions; they never hand the private key to a third party. A compromised site can still present you with a malicious transaction to sign, however, so before confirming in MetaMask check that the recipient is the contract you expect and that the amount matches what you intended.
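As an added example of that check (not MetaMask's or EtherDelta's code), the following decodes the calldata of an ERC20 request that a front-end hands to the wallet and flags an approve whose spender is not the exchange contract, an unlimited allowance, or a plain transfer out of your wallet. The three function selectors are the standard ERC20 ones; the exchange address is the contract named above, while the token and attacker addresses and the two sample requests are constructed.

```python
# Added example: audit an ERC20 signing request before confirming it (not wallet code).

# Function selectors: first 4 bytes of keccak256 of the signature. Standard ERC20 values.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

ETHERDELTA = "0x8d12a197cb00d4747a1fe03395095ce2a5cc6819"   # exchange contract from the article
TOKEN = "0x" + "ab" * 20                                     # constructed token contract address
ATTACKER = "0x" + "ee" * 20                                  # constructed attacker address
UNLIMITED = 2**256 - 1


def word_address(addr):
    """ABI-encode an address as a left-padded 32-byte word (hex, no 0x)."""
    return addr[2:].lower().rjust(64, "0")


def word_uint(n):
    return f"{n:064x}"


def build_calldata(selector, *words):
    return "0x" + selector + "".join(words)


def decode_calldata(data):
    """Return (signature, [decoded args]) or (None, []) for unknown/malformed data."""
    h = data[2:] if data.startswith("0x") else data
    sig = SELECTORS.get(h[:8].lower())
    if sig is None:
        return None, []
    types = sig[sig.index("(") + 1:-1].split(",")
    body = h[8:]
    if len(body) != 64 * len(types):
        return None, []   # refuse to guess at malformed arguments
    args = []
    for i, ty in enumerate(types):
        word = body[64 * i:64 * (i + 1)]
        args.append("0x" + word[24:] if ty == "address" else int(word, 16))
    return sig, args


def audit_request(tx, trusted_spender, my_tokens):
    """Warnings for a signing request {'to': contract, 'data': calldata}; empty means it looks as expected."""
    warnings = []
    if tx["to"].lower() not in {t.lower() for t in my_tokens}:
        warnings.append(f"call targets {tx['to']}, not one of your token contracts")
    sig, args = decode_calldata(tx["data"])
    if sig is None:
        warnings.append("unknown or malformed calldata; do not sign blindly")
        return warnings
    spender = trusted_spender.lower()
    if sig.startswith("approve"):
        to, amount = args
        if to != spender:
            warnings.append(f"approve grants {amount} to {to}, not the exchange contract")
        if amount == UNLIMITED:
            warnings.append("unlimited allowance requested")
    elif sig.startswith("transfer("):
        to, amount = args
        warnings.append(f"transfer moves {amount} out of your wallet to {to}; a deposit is approve plus the exchange's deposit call, not transfer")
    elif sig.startswith("transferFrom"):
        warnings.append("page asks you to call transferFrom yourself; a deposit never needs this")
    return warnings


# Constructed requests: what an honest deposit page and a spoofed page might ask you to sign.
LEGIT_REQUEST = {"to": TOKEN, "data": build_calldata("095ea7b3", word_address(ETHERDELTA), word_uint(10**18))}
SPOOFED_REQUEST = {"to": TOKEN, "data": build_calldata("095ea7b3", word_address(ATTACKER), word_uint(UNLIMITED))}


def demo():
    return (audit_request(LEGIT_REQUEST, ETHERDELTA, [TOKEN]),
            audit_request(SPOOFED_REQUEST, ETHERDELTA, [TOKEN]))


if __name__ == "__main__":
    for label, found in zip(("legit", "spoofed"), demo()):
        print(label, "->", found or "no warnings")
```

MetaMask shows the `to` address and the hex data of every request; paste them into audit_request with the exchange contract and your token addresses as the trusted set. Other selectors (for example the exchange's own deposit and withdraw functions) can be added to SELECTORS once you have computed them from the signature.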