Crypto security firms more concerned with social media clout than the details

With memecoins regularly outperforming more established crypto projects, there’s plenty of evidence to back up the assertion that the cryptosphere often rewards attention over innovation.

From crypto influencers dumping on their followers to SocialFi projects such as FriendTech, social media following can act as a proxy for value, especially for projects without their own token.

Even crypto security auditors, supposedly behind-the-scenes players, are keen to try their hand at the social media game. Sometimes, at the expense of their credibility.

Peckshield’s classic “you may want to take a look” has caused many a heart to sink over the years, typically accompanied by a transaction hash in which hackers have extracted millions of dollars of crypto-assets.

Hi @MIM_Spell, you may want to take a look (w/ $6.49M Loss) pic.twitter.com/uHs0JweuoM

— PeckShield Inc. (@peckshield) January 30, 2024

Read more: Magic Internet Money loses its sparkle as DeFi platform hacked for $6.5M

However, while hacks may be bad for decentralized finance (DeFi) applications — not to mention their users — being the first to report them is great for engagement.

Relative newcomer Cyvers was the first to identify the attack on crypto casino Stake by the North Korean Lazarus Group in September last year. However, since then, seemingly chasing the same high, it’s been prone to jumping the gun. Yesterday, an ‘ALERT’ suggested that Eigenlayer had fallen victim to a phishing scam.

🚨ALERT🚨Hey @eigenlayer, it seems you may have become a phishing victim.

Check out this link 👇https://t.co/zeXMFZdEgx#CyversAlert pic.twitter.com/VvMizA7wtD

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) March 5, 2024

Unfortunately, the ‘fake news’ was quickly shot down by ZachXBT who added “your team cannot read a block explorer” and linked to an explanation of a common phishing attack in which users are tricked into authorizing the withdrawal of assets from Eigenlayer to a scammer’s address.

In November last year, Cyvers sounded the alarm on ‘multiple suspicious transactions’ worth $12.5 million from Iranian crypto exchange Nobitex. This, however, also turned out to be overblown, amounting to nothing more than a rotation of the exchange’s hot wallets.

Cyvers isn’t the only culprit when it comes to posting engagement bait before corroborating the underlying issue, however. Tagging DeFi giants Lido and Curve Finance is a surefire way to get plenty of eyeballs on the alert.

A story in three acts, and they're still wrong pic.twitter.com/qp0MF0MZOh

— Igor Igamberdiev (@FrankResearcher) February 1, 2024

Read more: Curve hacker not in the clear despite returning $50M of stolen funds

Even well-respected firm BlockSec has faced criticism, notably in the fallout from the $70M Curve Finance hack in July of last year. 

By publicly disclosing sensitive details of a vulnerability being actively exploited, many were concerned that the information could give the hacker, or copycats, an edge over teams aiming to mitigate the problem.

Since then, some firms have tended to be more measured in their announcements, sharing partial screenshots instead of transaction links and making clear clarifications of any misinformation shared in haste.

Such was the case yesterday when BlockSec retracted its alert after the affected project hit back that the issue had occurred a week before and was already resolved.

@BlockSecTeam

Stop trying to get more followers on other's back by tweeting this kind of nonsense!

We are fine, there's no hack, all funds are safe.

There was a bug we found in the zap gateway A WEEK AGO which was immediately fixed. One user lost 2.8 ETH and we compensated… https://t.co/D736HHOOZC

— f(x) Protocol (@protocol_fx) March 5, 2024

Interconnected projects make identification tricky

The composability of DeFi products means that a quick glance at Etherscan isn’t enough to fully understand the target of an attack.

If even crypto security firms are prone to making errors, it seems a tall order to expect DeFi users to have the required crypto-literacy to distinguish a genuine threat from a security firm crying wolf.

When large projects like Eigenlayer, Lido, and Curve (Ethereum’s first, second, and eleventh largest protocols) are tagged in such ‘alerts,’ panic can spread rapidly, and scammers know how to take advantage of that panic.

Certik, whose audits are often seen as a red flag rather than a seal of approval, recently had its own X (formerly Twitter) account hacked via a common vector involving a fake Calendly link. 

It looks like @CertiK's X account has been compromised and is sharing a link to a fake Revoke website. Uniswap is NOT compromised. pic.twitter.com/G5xw7PQR6n

— Revoke.cash (@RevokeCash) January 5, 2024

Read more: Seneca Protocol hack highlights dangers of Ethereum’s token approval mechanism

The account was used to announce a (fictional) vulnerability in Uniswap, directing users to a fake Revoke.Cash site where they could revoke token approvals to remain safe.

Certik-audited WOOFi was hacked for $8.5 million on Arbitrum yesterday via a price manipulation attack.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.