EtherDelta May Be Fully Compromised, Move Your Tokens

Okay, I’m officially worried about the status of EtherDelta.

Their site DNS got hacked last week during an apparent transfer of ownership of etherdelta.

It was reported and announced that it was a phishing site, and only those who manually imported their private key got their funds compromised, but MetaMask users were safe.

But now I’m hearing that people using MetaMask are also getting their funds stolen 1 week later. So it seems they are still compromised.

Now today, the supposed new owners of EtherDelta are doing an ICO, raising about $60m.

Looking through their ICO materials, there are red flags everywhere. It was clearly hastily put together, full of typos.

The people listed on the team don’t appear to be real. I can’t find them anywhere.

They falsely included as a partner, when in fact, they have never evaluated this ICO.


Overall it just feels really sketchy and scammy, like something quickly put together by a hacker that has just taken control of the site and wants to grab as much cryptocurrency as possible before getting exposed.

But if only the site were hacked, then why is the EtherDelta twitter account announcing it? Why is Zack, the creator of etherdelta, pushing commits to publish this shady ICO?

When evaluating these risks, we have to consider the worst case scenarios.

What if the centralized control point of EtherDelta has been compromised? What if Zack himself, who has full control over domains and code, has been compromised? What if he is being coerced or otherwise not acting of his own free will?

I think this is exactly what it would look like: accidental hacks, change in management to fake profiles, shady ICOs, theft of all funds going through the exchange.

If this is the case, what is your exposure? How can you protect yourself?

Potential Exposure

If everything is fully compromised, it’s likely that any wallets used with etherdelta are not safe. Certainly any tokens you are trading on etherdelta are not safe. But it’s possible that anyone using etherdelta may have inadvertently signed a contract which has some sort of backdoor in it.

Full audits of any etherdelta transactions need to be performed to prove their safety.

How to protect yourself

The easiest way to protect yourself right now is to move all your tokens to a new address, not used with etherdelta.

You can see any pending deposits you have on etherdelta:

Withdraw them now.

Move all your tokens from your addresses used on etherdelta to a brand new address, and don’t use etherdelta with that address.

If you must use etherdelta for something, use a dedicated address that only exposes the particular tokens you need to send.

This may be overkill, but in the case of any backdoors, malicious contracts, or other compromises, you’ll be happy that your tokens are safe in a clean address.

What’s next?

If anyone has information confirming or disproving any of my warnings here, please tweet me so I can update the article.

I’ll be avoiding usage of etherdelta indefinitely as it seems that either they are completely compromised, or the new management is quite careless.


Update: Technical Analysis

By Diego Araos of

The biggest threat comes from DNS poisoning, if the site was hacked, or if it was sold to malicious hands.

When users interact with it, their MetaMask transactions could be routed to a different Ethereum address, and in this way user funds could effectively be stolen.

There could be more sophisticated attacks, but after doing some research I have not been able to find concrete evidence of them happening.

When users deposit funds to EtherDelta, they execute two ERC20 instructions:

One is the approve method call, which gives the smart contract the ability to call transferFrom and withdraw funds multiple times up to the amount defined (this is used to execute trade orders).

Additionally, they use a transfer call that effectively moves the tokens from one account to another (used to deposit your funds to the ED balances).
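An added example, not part of the original article and not EtherDelta or MetaMask code: a pre-signing check that decodes ERC20 calldata and confirms that the spender or recipient is the EtherDelta contract address quoted later in this article, which is the check that catches a front end routing a call to a different address. The selectors are the standard ERC20 ones; the function names, the `ROGUE` address and the sample calldata are constructed for illustration.

```javascript
// Added example: pre-signing check for ERC20 calldata (not EtherDelta or MetaMask code).
const ETHERDELTA = "0x8d12a197cb00d4747a1fe03395095ce2a5cc6819"; // address quoted in the article

// Standard ERC20 selectors: first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "095ea7b3": { name: "approve", args: ["address", "uint256"] },
  "a9059cbb": { name: "transfer", args: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", args: ["address", "address", "uint256"] },
};

// Decode calldata into { name, values }; returns null for a non-ERC20 selector.
function decodeErc20Call(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) throw new Error("not calldata");
  const spec = SELECTORS[hex.slice(0, 8)];
  if (!spec) return null;
  const body = hex.slice(8);
  if (body.length !== spec.args.length * 64) throw new Error("unexpected argument length");
  const values = spec.args.map((type, i) => {
    const slot = body.slice(i * 64, (i + 1) * 64); // one 32-byte ABI word
    if (type !== "address") return BigInt("0x" + slot);
    if (!slot.startsWith("0".repeat(24))) throw new Error("non-zero address padding");
    return "0x" + slot.slice(24);
  });
  return { name: spec.name, values };
}

// Refuse anything whose spender or recipient is not the expected contract.
function reviewTx(tx, expected = ETHERDELTA) {
  const call = decodeErc20Call(tx.data);
  if (!call) return { ok: false, reason: "unknown function selector" };
  const party = call.name === "transferFrom" ? call.values[1] : call.values[0];
  const amount = call.values[call.values.length - 1];
  const ok = party === expected.toLowerCase();
  const reason = ok ? "counterparty matches" : `${call.name} names ${party}`;
  return { ok, name: call.name, party, amount, reason };
}

// Constructed sample calldata: one expected approve, one with a substituted spender.
const pad32 = (h) => h.replace(/^0x/, "").padStart(64, "0");
const ROGUE = "0x" + "11".repeat(20); // constructed placeholder address
const GOOD = "0x095ea7b3" + pad32(ETHERDELTA) + pad32((1000n).toString(16));
const BAD = "0x095ea7b3" + pad32(ROGUE) + pad32("f".repeat(64));

console.log(reviewTx({ data: GOOD }));
console.log(reviewTx({ data: BAD }));
```

The returned `amount` is in the token's smallest unit, so it can be compared against the allowance you intended to grant before signing.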

More info here:

There is a GitHub issue and a paper that explain a possible, somewhat more complicated vulnerability that takes advantage of a previously made approve call and a second approve in pending state:

If such a vulnerability exists anyway, the biggest risk is that the attacker somehow trades the tokens for a low price to their own address, because there is no built-in method to transfer from one address to another. All interactions in the smart contract happen between the user and the EtherDelta smart contract 0x8d12a197cb00d4747a1fe03395095ce2a5cc6819.

Exploring their smart contract code, there is a definition for an admin account that has a few special privileges related to controlling the fees of the platform.

The admin recently made some changes on this transaction, changing the destination of fees to 0xa6dad41066584f15659e718e49afed891e807fdc

Until the situation is cleared, it’s recommended that you interact directly with the smart contract. It’s possible to use MyEtherWallet, as explained here:

You use the withdraw method to get your Ether back from the contract, and withdrawToken, providing the smart contract of the token you want to withdraw. The amount must be provided in Gweis. You can check the exact value by querying the EtherDelta smart contract here:

It’s important to clarify that private keys should not be compromised if you have used MetaMask or a hardware wallet, because these interfaces are designed only to sign transactions; they do not share the private key with any third parties.