Another week, another security incident in the cryptocurrency industry. Last week it was the Jimbos liquidity protocol; now it's @AtomicWallet, which was exploited on Saturday, with users reporting complete losses of their crypto portfolios. Total losses have already exceeded $35 million and continue to rise.
So, first of all, for all the users: it's time to secure your funds if you haven't done so already.
If you generated your account in Atomic Wallet, even if you later migrated it to some other wallet, you need to move your funds to a different seed as soon as possible.
Now, let's see what we know about the hack, although for now it is mostly statistics, like this thread from the pseudonymous ZachXBT, known for tracing stolen crypto funds and assisting several hacked projects.
Investigators from the crypto data provider @MatchSystems published a thread with a technical overview of the hack. According to them, one theory is that the attackers gained access to private keys stored on the server, which would make it essentially a "team's fraud."
In Telegram's community channels, "some pointed out" (Cointelegraph) that the exploit may have originated from an outdated dependency package. Such packages are the third-party libraries a program pulls in and relies on, and the dependency definition spells out which libraries are required and in what order they are loaded and run.
The theories, however, do not end there:
According to another theory, it may be a "supply chain attack" (hackers tamper with the software source code on the server so that ordinary users download the compromised version), given that the official website had just undergone a major version update.
And, of course, complaints against the wallet provider started flooding in.
Atomic is a non-custodial, decentralized wallet, which places the responsibility for assets stored in the application on the users themselves. As usual, its Terms of Service explicitly state that Atomic Wallet does not accept liability for any on-chain damages experienced by users. And if that doesn't sound mocking enough, an excerpt from the terms clarifies that Atomic Wallet's maximum liability for damages arising from the use of its services is limited to $50.
So, again, with all due respect and sympathy: maybe it's better to choose security measures more appropriate for your millions in crypto than a hot wallet, guys. Consider cold storage with multisig or a similar setup. After all, security measures should match the portfolio size.