Rocket Pool URL Misdirect Hack - Explanation and Mitigation

Rocket Pool's X account has been hacked. They are leading users to a fake website. At this website, users are directed to migrate funds, where they are given an exploit transaction. This exploit transaction transfers all the money from the user's wallet to the attacker. If you signed the exploit transaction while using DeFi Armor, you would be fully protected and not lose any funds.

Summary

As of right now, @Rocket_Pool is compromised on X (formerly Twitter) and has not recovered their account. The attackers made posts indicating the Rocket Pool protocol was hacked. They directed users to migrate funds out of Rocket Pool and into the “version 2” contracts.

They have continued reposting the tweets (presumably to make them appear fresher in people’s feeds). You can see in the above image that the tweet is 3 minutes old; that photo was taken hours after the hack began (photo taken at 14:56 EST).

Some additional photos from the Twitter feed:

Importantly, the tweet contains a link to migrate your funds to a “safe” place. Underneath this link, Twitter says “From rocketpool.net”. This is a false indication of validity.

If you actually click the link, it takes you to https://rocketpool-migrating.net/. This is clearly not the correct Rocket Pool domain.

The website hosted at https://rocketpool-migrating.net/ is designed to look like the real Rocket Pool migration frontend.

Here’s a screenshot of the fake site:

When you click “Connect Wallet,” the fake Rocket Pool frontend immediately asks you to sign a transaction. This transaction attempts to transfer all of your ETH to the attacker’s wallet.

Here’s a screenshot of the requested transaction:

There are a few interesting things about this transaction:

  1. The destination address appears to be a vanity address designed to look like the null address. A naive user might assume this is OK if they’re used to seeing some kind of burn transaction.
  2. MetaMask has no problem with this transaction; there are no built-in security features to suggest it is invalid at all.

If you had clicked the confirm button when this came up, you would’ve lost all your ETH in this attack.

How does Eulith protect from this kind of attack?

DeFi Armor will not allow you to execute a transaction that does not pass the security engine; it will refuse to cosign the transaction. This is a trivial example of the kinds of attacks that the security engine prevents. DeFi Armor detects the interaction with an unknown address and declines to sign before even asking you for a signature.
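To make the two observations above concrete (a vanity address that merely resembles the null address, and a cosigner that refuses unknown recipients before a signature is ever requested), here is an added example of a pre-signing policy check. It is illustrative code written for this page, not Eulith's DeFi Armor engine or any wallet's code; the allowlist, the 90% drain threshold, the "eight leading zeros" lookalike rule, and every address and balance in it are constructed assumptions.

```python
"""Pre-signing transaction policy check (added example, not DeFi Armor's code).

A cosigner that refuses a plain ETH transfer when it
  (a) goes to an address that is not on the user's allowlist,
  (b) goes to a vanity address that merely resembles the null/burn address, or
  (c) would move essentially the whole balance out of the wallet.
Every address, balance, threshold and sample transaction here is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

NULL_ADDRESS = "0x" + "0" * 40


@dataclass
class Tx:
    to: str
    value_wei: int            # ETH transferred, in wei
    data: bytes = b""         # calldata; empty for a plain transfer


@dataclass
class Policy:
    allowed_recipients: set[str] = field(default_factory=set)
    drain_threshold: float = 0.9    # assumed: refuse if value >= 90% of balance
    lookalike_prefix_len: int = 8   # assumed: this many leading hex zeros = lookalike


def normalize(addr: str) -> str:
    """Lower-case the address and reject anything that is not 20 hex bytes."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a


def is_null_lookalike(addr: str, prefix_len: int = 8) -> bool:
    """True for an address that starts like 0x000... but is NOT the null address.

    A burn to 0x000...000 is a recognisable pattern; an attacker can grind a
    vanity key whose address shares only the visible prefix with it.
    """
    a = normalize(addr)
    if a == NULL_ADDRESS:
        return False
    return a[2:].startswith("0" * prefix_len)


def evaluate(tx: Tx, balance_wei: int, policy: Policy) -> list[str]:
    """Return the list of reasons to refuse; an empty list means the tx passes."""
    reasons: list[str] = []
    to = normalize(tx.to)
    allowed = {normalize(a) for a in policy.allowed_recipients}
    if to not in allowed:
        reasons.append(f"recipient {to} is not on the allowlist")
    if is_null_lookalike(to, policy.lookalike_prefix_len):
        reasons.append("recipient resembles the null/burn address but is not it")
    if balance_wei > 0 and tx.value_wei >= policy.drain_threshold * balance_wei:
        pct = 100 * tx.value_wei / balance_wei
        reasons.append(f"transfer would move {pct:.0f}% of the wallet balance")
    return reasons


def should_cosign(tx: Tx, balance_wei: int, policy: Policy) -> bool:
    """The cosigner signs only when no policy rule fires."""
    return not evaluate(tx, balance_wei, policy)


# --- constructed sample data -------------------------------------------------
LEGIT_RECIPIENT = "0x1111111111111111111111111111111111111111"      # constructed
ATTACKER_VANITY = "0x00000000000000000000000000000000deadbeef"      # constructed
POLICY = Policy(allowed_recipients={LEGIT_RECIPIENT})
WALLET_BALANCE_WEI = 5 * 10**18                                     # 5 ETH, constructed

# The shape of the transaction the fake frontend requested: send everything
# to an address that looks like a burn address.
DRAIN_TX = Tx(to=ATTACKER_VANITY, value_wei=WALLET_BALANCE_WEI)
# An ordinary payment to a known counterparty for comparison.
NORMAL_TX = Tx(to=LEGIT_RECIPIENT, value_wei=10**18)

if __name__ == "__main__":
    for name, tx in (("drain", DRAIN_TX), ("normal", NORMAL_TX)):
        verdict = "cosign" if should_cosign(tx, WALLET_BALANCE_WEI, POLICY) else "REFUSE"
        print(f"{name}: {verdict}")
        for reason in evaluate(tx, WALLET_BALANCE_WEI, POLICY):
            print(f"  - {reason}")
```

Running the block prints a refusal for the drain-style transaction with all three reasons and a cosign verdict for the ordinary payment. The point of the design is that every rule runs before the user is shown a signing prompt, so the decision does not depend on the user noticing that the leading zeros of the destination address are not the null address.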

Stay safe.

Kristian Gaylord

Kristian was previously a C++ developer at the intersection of edge computing AI and the space industry. He holds a BSc in Statistics from Columbia (2021).
