Around July 19, 10am UTC-10, the Twitter accounts @ShellProtocol and @white_kenny_ were hacked. The attackers first gained access to the accounts by conducting a SIM swap, which allowed them to circumvent the 2FA and take control of the accounts.
The core smart contracts and Shell app are unaffected.
After gaining access to the @ShellProtocol Twitter account, the attackers posted tweets linking to a fake website that mimicked the Shell Protocol app. Upon opening the malicious link, users were prompted to connect their MetaMask wallet. Anyone who connected their MetaMask to the attackers' website is at risk of having funds drained.
If you think you may be at risk, we advise going to https://revoke.cash/ to revoke any token approvals you made, checking multiple chains, not just Arbitrum One.
When a user connected their MetaMask, the attackers' site batched together unlimited token approvals. The drainer contract was a known malicious contract on Etherscan.
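To illustrate what "unlimited token approvals" to a drainer look like on-chain, and what revoking one means, here is an added example (not Shell Protocol's code, and not the revoke.cash implementation) that decodes ERC-20 Approval event logs, flags approvals granted to a listed drainer or with an unlimited allowance, and builds the approve(spender, 0) calldata that revokes them. The log entries, token, owner and drainer addresses are constructed placeholders.

```python
# Added example, not Shell Protocol's own code: decode ERC-20 Approval logs,
# flag approvals to a known drainer or with an unlimited allowance, and build
# the approve(spender, 0) calldata that revokes them. All data is constructed.

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"  # 4-byte selector of approve(address,uint256)
UNLIMITED = 2**256 - 1           # uint256 max: the "unlimited approval" value
DRAINER = "0x1111111111111111111111111111111111111111"  # placeholder, constructed
OWNER = "0x2222222222222222222222222222222222222222"    # placeholder, constructed
TOKEN = "0x3333333333333333333333333333333333333333"    # placeholder, constructed

def pad32(addr):
    """Left-pad a 20-byte hex address to a 32-byte word (indexed topic / ABI arg)."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def parse_approval(log):
    """Return {token, owner, spender, value} for an ERC-20 Approval log, else None."""
    t = log["topics"]
    if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(),
            "owner": "0x" + t[1][-40:].lower(),     # indexed args are zero-padded
            "spender": "0x" + t[2][-40:].lower(),
            "value": int(log["data"], 16)}          # non-indexed uint256 in data

def find_risky_approvals(logs, owner, drainers=frozenset({DRAINER})):
    """Approvals by `owner` that go to a listed drainer or set an unlimited allowance."""
    risky = []
    for log in logs:
        ev = parse_approval(log)
        if ev and ev["owner"] == owner.lower() and ev["value"] > 0 \
                and (ev["spender"] in drainers or ev["value"] == UNLIMITED):
            risky.append(ev)
    return risky

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, 32-byte spender, 32-byte zero."""
    return APPROVE_SELECTOR + pad32(spender)[2:] + "0" * 64

SAMPLE_LOGS = [  # constructed: one unlimited grant to the drainer, one 1e18 grant elsewhere
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad32(OWNER), pad32(DRAINER)],
     "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad32(OWNER),
                                  pad32("0x4444444444444444444444444444444444444444")],
     "data": "0x" + hex(10**18)[2:].rjust(64, "0")},
]

if __name__ == "__main__":
    for ev in find_risky_approvals(SAMPLE_LOGS, OWNER):
        print(f"revoke {ev['token']} spender={ev['spender']}: {revoke_calldata(ev['spender'])}")
```

Run against real `eth_getLogs` output for your address (on each chain you used), the flagged entries are the approvals to send an approve(spender, 0) transaction for.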
Hackers disabled replies to their tweets, making it difficult to warn unsuspecting users who viewed the malicious tweets.
At 10:24am UTC-10, the core team announced on Discord that Twitter was hacked.
On July 20, 3:56am UTC-10, the core team was able to make contact with someone at Twitter who promptly escalated the issue. The tweets were then deleted.
At present, the core team is still working with Twitter support to regain access to the accounts. The @ShellProtocol account still contains a link to the malicious website in its profile.
We will update this post mortem as soon as we regain control of the accounts and then discuss next steps. We deeply regret that this happened and that user funds have been compromised. We are already working to upgrade the security of any and all centralized infrastructure under direct control of the core team.
And to reiterate, the core smart contracts and the Shell app are unaffected by this attack.