Author: Kong & Thinking; Editor: Liz

Original link: https://mp.weixin.qq.com/s/s5zjp2I47_hWoegdNThIVQ

Statement: This article is a reprint. Readers can obtain more information through the original link. If the author has any objections to the reprint form, please contact us, and we will make modifications according to the author's requirements. Reprinting is for information sharing only and does not constitute any investment advice, nor does it represent Wu's viewpoints and positions.

Background

On September 2, 2025, community user @KuanSun1990 was attacked, and multiple positions on the Venus protocol were transferred, resulting in a loss of approximately 13 million dollars. The Web3 threat intelligence and dynamic security monitoring tool MistEye, independently developed by SlowMist, successfully captured this anomaly and assisted the user in analysis. The following are specific analysis details.

(https://x.com/SlowMist_Team/status/1962854755585429877)

Root Cause

The victim mistakenly entered a fake Zoom online meeting link created by the attacker and, guided by the fake website, ran malicious code on their computer, which gave the attacker control of the device. Because related records were deleted, the analysis faced significant challenges. According to the victim's recollection, they were using a well-known official extension wallet at the time and suspected that the attacker had tampered with the extension wallet's code on their computer. As a result, the Venus asset redemption operation the user initiated through their hardware wallet was altered into a Venus position delegation operation, which ultimately allowed the attacker to take over the user's position on Venus.

Detailed Analysis

The attacker used social engineering techniques, posing as a business collaboration, to lure the target user into participating in a Zoom online meeting and sent the meeting link via Telegram (since the related chat records have been deleted, the entire process cannot be fully restored). The victim clicked the link and joined the meeting.

At the time, the victim hurriedly entered the meeting because of a schedule conflict with another meeting and did not carefully check whether the domain shown in the browser was the official Zoom domain. Meanwhile, the attacker, posing as a business negotiator, kept pressing the victim during the meeting, so that under time pressure the victim could not judge whether the "upgrade" prompts shown by the website were malicious.

In the end, the victim's computer was under the attacker's control. For specific methods of computer compromise, please refer to the complete exercise challenges provided in the Web3 phishing drill platform Unphishable (https://unphishable.io/) #NO.0x0036.

After gaining control of the victim's computer, the attacker modified the wallet code in the browser extension on the victim's computer in some way, enabling them to hijack and replace the original transaction data of the victim. Due to the lack of a complete 'what you see is what you sign' verification mechanism in the hardware wallet used by the victim, the victim ultimately signed the tampered transaction.

So how did the attacker modify the browser extension wallet code?

Chrome has a security mechanism for this: for an extension installed from the Chrome Web Store, any modification of its code causes the browser to flag the extension as corrupted and disable it, and this integrity check cannot be turned off.

Therefore, we initially suspected that the attacker had not modified the code of the well-known official browser extension wallet at all, but had used some other attack method. Since many traces of the attack on the victim's computer had been cleared, the full picture is difficult to reconstruct. However, through in-depth research and communication with partners in the threat intelligence network, we confirmed that the ID of the browser extension the attacker used to tamper with the transaction was identical to the official extension ID.

Thus, we began to study how to ensure that the browser extension ID remains consistent with the official one while allowing code modifications:

By enabling developer mode on the browser's extensions page, a copy of the official extension's original files can be loaded into the browser as an additional, unpacked extension. The resulting extension allows code modification while keeping the same extension ID as the official one. This works because Chrome derives the extension ID from the key field in manifest.json: as long as the key in the copy's manifest.json matches the official one (an identical key is what gives the extension the identical ID), the code of this new extension (which carries the official ID) can be modified without triggering the integrity check that protects store-installed extensions.

By patching the function in Chrome that verifies extension content, the content integrity check for extensions can be disabled globally. On macOS, this additionally requires re-signing the patched binary so that the program still runs.

The above are two possible attack methods we researched. Currently, there is no more explicit information to corroborate this, so the aforementioned methods only represent the internal research and speculation of the SlowMist security team and do not imply that the attacker actually used these techniques.
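Because an unpacked copy keeps the official extension ID, the ID alone cannot tell a store-installed wallet from a modified copy; the install location recorded in Chrome's profile can. The following is an added example written for this article, not SlowMist's code: it derives an extension ID from the manifest key exactly as Chrome does (SHA-256 of the DER public key, first 32 hex digits remapped to a-p) and scans a Chrome Preferences fragment for watchlisted IDs that were loaded unpacked. The key, wallet name, path and Preferences fragment are constructed; the location codes (1 = Web Store install, 4 = loaded unpacked) follow Chromium's Manifest::Location enum and should be confirmed against your Chrome version.

```python
import base64
import hashlib
import json


def extension_id_from_key(key_b64: str) -> str:
    """Derive a Chrome extension ID from the base64 "key" field of manifest.json.

    Chrome hashes the DER-encoded public key with SHA-256, keeps the first
    32 hex characters and remaps each hex digit 0-9a-f to the letters a-p.
    """
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


# Install-location codes stored in the profile's Preferences file under
# extensions.settings.<id>.location (Chromium Manifest::Location enum).
LOCATION_WEBSTORE = 1   # installed from the Chrome Web Store
LOCATION_UNPACKED = 4   # loaded via developer mode "Load unpacked"


def find_unpacked_lookalikes(prefs: dict, watchlist: dict) -> list:
    """Return (id, name, path) for watchlisted IDs that are loaded unpacked.

    An unpacked copy keeps the official ID (same manifest key), but its code is
    not covered by Web Store content verification, so it deserves review.
    """
    hits = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in watchlist and entry.get("location") == LOCATION_UNPACKED:
            hits.append((ext_id, watchlist[ext_id], entry.get("path", "")))
    return hits


def scan_preferences_file(path: str, watchlist: dict) -> list:
    """Run the check against a real profile's Preferences JSON file."""
    with open(path, encoding="utf-8") as fh:
        return find_unpacked_lookalikes(json.load(fh), watchlist)


# Constructed demo key: arbitrary bytes, NOT a real wallet's public key.
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real extension").decode()
DEMO_ID = extension_id_from_key(DEMO_KEY)
WATCHLIST = {DEMO_ID: "Demo Wallet"}  # hypothetical wallet name for the demo

# Constructed Preferences fragment: the watchlisted ID is present as an
# unpacked extension pointing at a local directory, next to a store install.
SAMPLE_PREFS = {"extensions": {"settings": {
    DEMO_ID: {"location": LOCATION_UNPACKED, "path": "/tmp/demo-wallet-copy"},
    "a" * 32: {"location": LOCATION_WEBSTORE},
}}}

if __name__ == "__main__":
    for ext_id, name, path in find_unpacked_lookalikes(SAMPLE_PREFS, WATCHLIST):
        print(f"unpacked copy of {name} ({ext_id}) loaded from {path}")
```

For a live check, point scan_preferences_file at the profile's Preferences file and put the official IDs of the wallets you use in the watchlist.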

Before the attack proper began, on September 1 the attacker prepared about 21.18 BTCB and 205,000 XRP of their own funds in order to take over the victim user's position on Venus.

After about 10 hours of waiting, the attacker finally got the opportunity to operate the victim user's wallet. At this time, the victim user connected their hardware wallet to the extension wallet installed on their Chrome browser and accessed the correct Venus official website.

Then the victim user prepared to redeem their USDT tokens on Venus and called the correct redeemUnderlying function. However, because the extension wallet had been tampered with, the operation sent to the hardware wallet for signing was replaced with an updateDelegate operation. The victim's hardware wallet does not support detailed parsing of the signature data and had blind signing enabled, so the victim signed the updateDelegate operation without any warning and submitted the transaction through the extension wallet. As a result, their position on Venus was delegated to the attacker for management.

(https://bscscan.com/tx/0x75eee705a234bf047050140197aeb9616418435688cfed4d072be75fcb9be0e2)

After the victim user completed the delegation, the attacker immediately initiated the attack, borrowing about 285 BTCB through Lista flash loans and utilizing their own 21.18 BTCB and 205,000 XRP. Subsequently, the attacker repaid the victim user's loan of approximately 306.89 BTCB and 152,673.96 XRP on Venus.

After completing the repayment for the victim user, the attacker immediately redeemed the victim user's collateral (USDT/USDC/WBETH/FDUSD/ETH) on Venus to an address under their control.

At this point, the attacker had completed the transfer of the victim user's position on Venus and only needed to repay the approximately 285 BTCB borrowed from the Lista flash loan to realize the profit. Since converting the collateral now held by the attacker (USDT/USDC/WBETH/FDUSD/ETH) directly into BTCB on a DEX was not cost-effective and could cause significant slippage, the attacker chose to re-deposit this collateral into Venus and borrow BTCB against it to repay the flash loan.

After repaying the flash loan, the attacker had successfully taken over the victim user's position on Venus, completing a cleverly executed phishing attack. However, while the attacker was still holding the Venus position without taking further action, the Venus team responded quickly, immediately pausing the protocol and later pausing all EXIT_MARKET operations across all markets.

(https://bscscan.com/tx/0xe4a66f370ef2bc098d5f6bf2a532179eea400e00e4be8ea5654fa9e8aeee65bf#eventlog)

This measure blocked the attacker from further operating their position to obtain profits. Subsequently, the Venus team initiated an emergency proposal vote to ensure the safe recovery of the protocol while striving to recover the stolen funds from users.

(https://snapshot.box/#/s:venus-xvs.eth/proposal/0x140da3dcb6dc711429700443d3b9f1def51eaae3b791f8b774664676f418a132)

Eventually, the Venus team recovered the stolen funds for the victim user by forcibly liquidating the attacker's position.

(https://bscscan.com/tx/0xee9928b8d1a212f4d7b7e9dca97598394005a7b8fef56856e52351bc7921be43)

Additionally, according to the on-chain anti-money laundering tracking tool MistTrack, addresses related to the attacker had previously withdrawn from ChangeNOW.

Other related addresses had interacted with multiple exchange platforms (such as 1inch), cross-chain platforms (such as Across Protocol), and sanctioned exchanges (such as eXch).

Summary

This incident was a meticulously planned phishing attack. The attacker took control of the user's device through a malicious Zoom client and, by tampering with the wallet extension using Chrome's developer mode, replaced the user's asset redemption operation with a position delegation operation, demonstrating extremely precise technique. Fortunately, the Venus team showed excellent emergency response capabilities and, through multi-party collaboration and rapid response, ultimately helped the user avert the danger and avoid potentially significant losses.