Author: Azuma, Odaily Planet Daily
At around 11 o'clock last night Beijing time, the on-chain analysis agency Lookonchain detected an abnormal transaction. A certain address (0xA7A1c66168cC0b5fC78721157F513c89697Df10D) received about 1.67 million EIGEN from the Eigenlayer team address, and then directly sold them all at a price of US$3.3, cashing out about US$5.51 million.
After the transaction was exposed, questions arose in the community: EIGEN's transfer restrictions had been lifted only a few days earlier, and the team was already blatantly dumping on the market?
Around 5:30 this morning, EigenLayer gave an official response to the community's doubts.
This morning, an isolated incident occurred where an investor's email regarding the transfer of tokens to an escrow address was hijacked by a malicious attacker, who replaced the specific address in the email, resulting in 1,673,645 EIGEN being mistakenly transferred to the attacker's address. The attacker has sold the stolen EIGEN through decentralized exchanges and transferred the stablecoins to centralized exchanges. We are in contact with these platforms and law enforcement. Some funds have been frozen.
This breach did not affect the Eigenlayer system, there are no known vulnerabilities in the protocol or token contracts, and this incident is not related to any on-chain functionality of EigenLayer.
We are still investigating this situation and will continue to disclose further information as it becomes available.
The attack itself is not complicated. Yu Xian, a well-known security expert and founder of SlowMist, gave a very detailed analysis on his personal X account.
Regarding the attack itself, the attacker may have planned it for a long time. The attacker's address first received 1 EIGEN, and after about 26 hours, it received 1673644 EIGEN, all from the 3/5 multi-signature address (0x87787389BB2Eb2EC8Fe4aA6a2e33D671d925A60f). Then, more than an hour later, the laundering began. Gas came from ChangeNow, and the illegally obtained EIGEN was mainly exchanged for USDC/USDT and mainly laundered through platforms such as HitBTC.
According to the official statement, the reason why the attacker succeeded was "the email was hacked." It is estimated that in the content of the email, the wallet address that was supposed to receive EIGEN was replaced with the attacker's address, causing the project party to send EIGEN to the attacker's address. Even if 1 EIGEN was sent first, the attacker might have sent 1 EIGEN to the expected receiving address after receiving 1 EIGEN, causing the expected recipient to think that the entire process was correct... Of course, this is just speculation, and the official disclosure shall prevail.
However, behind this "ordinary" security incident, another, more serious problem was exposed: why can EigenLayer investors receive tokens now? And why can the receiving address (whether it belongs to an investor or a hacker) sell directly without restrictions after receiving EIGEN?
In the token economic model previously disclosed by EigenLayer, the section on the shares of early contributors and investors stated in black and white that a "one-year lock-up limit" applies.
Once the transfer restrictions on the EIGEN contract are removed, the tokens of early contributors, investors, and Eigen Foundation service providers will be locked for one year. After one year, 4% of the EIGEN of each of the above recipients will be unlocked, and an additional 4% will be unlocked each month thereafter.
EigenLayer is a "king-level" project with a financing scale of over 100 million, a TVL ranking at the top of the entire network, and all major exchanges competing to list it. It is hard to imagine that it neither used one of the mature token distribution protocols that already exist nor deployed a token unlocking contract of its own, but instead "brainlessly" sent tokens to investors' addresses immediately after the token's transfer restriction was lifted.
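As an added illustration (not EigenLayer's code or any project's contract), the following Python model shows what an enforced version of the schedule quoted above would do with the 1,673,645 EIGEN transfer: nothing can be withdrawn before the one-year cliff, whoever controls the receiving address. The 30-day month, the class and method names, the placeholder address, and the issuer-side revoke step are assumptions of this sketch.

```python
from dataclasses import dataclass

MONTH = 30 * 24 * 3600   # assumption: a "month" is 30 days
CLIFF_MONTHS = 12        # one-year lock after transfer restrictions lift
STEP_BPS = 400           # 4% per unlock step, in basis points

class LockedError(Exception):
    """A withdrawal asked for more than the schedule has unlocked."""

@dataclass
class VestingLock:       # hypothetical model, not a real contract
    beneficiary: str
    total: int           # whole EIGEN held by the lock
    start: int           # unix time the transfer restriction was lifted
    released: int = 0
    revoked: bool = False

    def unlocked(self, now: int) -> int:
        if self.revoked:
            return self.total                  # only the vested part remains
        months = (now - self.start) // MONTH
        if months < CLIFF_MONTHS:
            return 0
        steps = months - CLIFF_MONTHS + 1      # 4% at the cliff, +4% monthly
        return self.total * min(steps * STEP_BPS, 10_000) // 10_000

    def withdraw(self, amount: int, now: int) -> int:
        available = self.unlocked(now) - self.released
        if amount <= 0 or amount > available:
            raise LockedError(f"requested {amount}, available {available}")
        self.released += amount
        return available - amount              # still withdrawable now

    def revoke(self, now: int) -> int:
        """Issuer cancels the grant; returns the still-locked amount."""
        locked = self.total - self.unlocked(now)
        self.total, self.revoked = self.total - locked, True
        return locked

if __name__ == "__main__":
    # Constructed scenario: the grant lands at a substituted address.
    lock = VestingLock("0xSUBSTITUTED_ADDRESS", 1_673_645, start=0)
    try:
        lock.withdraw(1_673_645, now=2 * 24 * 3600)
    except LockedError as err:
        print("sale blocked:", err)
    print("recoverable by issuer:", lock.revoke(now=2 * 24 * 3600))
```

Under this model a misdirected grant stays fully locked for a year, which leaves time to notice the wrong recipient before any token can reach a market.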
Judging from the hacker's selling behavior, these addresses were not subject to any hard-coded restrictions after receiving the tokens. In other words, EigenLayer seems to have been counting on VCs to observe a purely "moral lock-up". What's even more outrageous is that after EigenLayer received an email from an "investor" (actually a hacker) about changing the address, it did not cross-confirm by phone or other means, but directly released the funds and tokens, which led to the hacker's successful theft of millions of dollars.
In short, this whole incident is full of things to criticize. If EigenLayer had followed the normal token unlocking specifications, and if the EigenLayer team had shown competent operational practice, this hacking incident would not have happened, and EigenLayer would not have been criticized by the community as an "amateur outfit."
From a technical perspective, EigenLayer's innovative "re-staking" narrative expands the boundaries of node verification services, using AVS to extend node verification services that were originally used only for network consensus maintenance to more specialized scenarios such as oracles, sequencers, and cross-chain bridges. This has long-term utility for the Ethereum ecosystem and even the entire cryptocurrency market.
But technology is technology, and operations are operations. From the past controversy over "the team asking for airdrops from ecosystem projects" to the current "hacker and unlocking" storm, these outrageous operations by EigenLayer are gradually eroding the community's confidence. For any project, no matter how large its scale or how strong its endorsement, this is an extremely dangerous signal.