Thunder Terminal, an on-chain trading protocol active on Ethereum, Solana, Arbitrum, Base, and Avalanche, experienced a security breach early Wednesday. Jackson, the person behind Thunder, has confirmed that the FBI is now actively involved in the investigation of this incident.
The developer also said that the service is set to come back online today. The protocol has also promised enhanced security measures, with a ‘deep clean’ underway. Based on Jackson’s internal update, refunds for the affected users will also be issued soon.
What we know about the exploit
Based on an incident report by Thunder Terminal, it noticed unauthorized withdrawals from Thunder wallets around midnight. It explained that an attacker gained access to the URL that allowed them to take over users’ sessions and withdraw money as if they were the users themselves.
The breach is reported to have lasted for a few minutes before Thunder revoked all session tokens and transaction signing access at around 12:20 am on Wednesday. The company clarified that no private keys or wallets were compromised, and desktop wallets remained unaffected.
Thunder Terminal explained, “Less than 1% of wallets on our platform were affected as a result of this attack.”
The attack reportedly resulted in the loss of 86.5611512804 ETH and 439.12232317 SOL, estimated to be around $250,000 at market time. Thunder has committed to refunding all lost funds in full, offering affected users zero fees and $100,000 in credits each.
While the FBI has been reportedly notified, a full technical audit is also in progress. Thunder Terminal has plans to implement two-factor authentication (2FA) for withdrawals and enhance online security. The protocol identified the services used by the attacker and is said to be pursuing technical and legal action.
Thunder also confirmed that none of their team members’ accounts were phished, and the breach was not due to internal errors.
$2 billion lost in 2023
This case is just one of the security incidents that were reported in the crypto space this year. Based on a recent report by De.Fi, the decentralized finance sector incurred losses of around $1.95 billion in 2023. This comes as Ethereum became the most vulnerable chain to bad actors, losing around $1.35 billion through 170 breaches.