$30 000 USD

MARCH 2021

GLOBAL

ZERION

DESCRIPTION OF EVENTS

"Zerion is the easiest way to build and manage your entire DeFi portfolio from one place. Discover the world of decentralized finance today."

"If you’re completely new to decentralized finance (DeFi), then you’re in the right place! Zerion is the simplest way to invest in DeFi from anywhere in the world."

"Zerion is non-custodial, which means we don’t have user accounts and never have access to your funds." "The Zerion interface lets you do just about everything with your DeFi assets — earn interest on passive funds by investing in liquidity pools or providing collateral to crypto loans, borrow crypto to leverage the market, or trade tokens at the best rates." "[D]ownload the Zerion Android or iOS app. You can now track your assets on the go, get the best DeFi rates and explore latest market trends using the Explore Tab."

"In February, an attacker deployed a contract designed to mimic a Balancer pool. This pool appeared on Zerion long enough for one user to interact with it and around $30K in funds were stolen. Fortunately, no one else was affected."

"This attack involved a smart contract designed to mimic a real Balancer pool, with a catch: the contract was built for one-way transactions, accepting deposits but not withdrawals. Several features enabled the pool to bypass detection by our backend. The pool held legitimate underlying tokens, the pool’s contract emitted the same event logs as other Balancer pools, and the contract reported a large token supply." "Consequently, our backend interpreted the fake contract as a real Balancer pool and the token appeared on our Invest page."

"This attack also exploited one of our user-facing security features. The DeFi blue tick is an icon that appears next to assets that appear in at least two Token Lists. While this feature says nothing about the quality of the projects those tokens represent, users can at least proceed knowing they’re not interacting with a duplicitous smart contract. This logic extends to derivative-type tokens on protocols like Uniswap, Balancer and Curve. If the underlying assets of a pool are verified in at least two Token Lists, we assume the pool itself is also legitimate."

"In this case, because the contract behaved exactly like any other Balancer pool and held legitimate underlying tokens, the asset was assigned a blue tick."

"This exploit was on Zerion’s backend security and not the Balancer protocol itself. We immediately resolved the issue with the user and added code to validate each pool against Balancer’s on-chain registry. We’ve also spent the past month doing a thorough security audit and have made key improvements to ensure this never happens again."

"This may be the first attack of its kind on a DeFi aggregator, so we felt it was necessary to break down exactly how this happened and open the dialogue with our community on how we can build a more secure product."

"As a first step, we disabled the automatic blue tick for all derivative tokens on Zerion — this includes pools, indexes, automated strategies, and collateral tokens."

"We want to emphasize that for conventional non-derivative tokens, the blue tick works as intended. We also want to remind users to always err on the side of caution when interacting with DeFi assets. Ultimately, due diligence rests in your hands. The blue tick will help to ensure you’re interacting with legitimate assets (and we can be sure of that with this recent round of improvements), but it is not an indicator of the quality of a token. In other words, the tick doesn’t guarantee that the asset is not a scam."

Zerion is not an exchange, but a non-custodial tool that investors use to manage their own portfolios.

At one point, a contract mimicking a Balancer pool passed Zerion's backend checks and was listed on the platform, which caused one user to lose about $30k to the fake contract.

There is no word on whether the user's funds were recovered.
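The listing logic the quoted posts describe, as an added example that is not Zerion's code: a derivative token inherited the blue tick when its underlying assets appeared in at least two token lists and the contract behaved like a Balancer pool, which the mimic satisfied; the hardened check additionally requires the pool address to be present in the protocol's on-chain registry. Token lists, pool addresses and the registry contents are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample token lists (not real addresses); the blue tick requires
# an asset to appear in at least two of them.
TOKEN_LISTS = {
    "list-a": {"0xdai", "0xweth", "0xusdc"},
    "list-b": {"0xdai", "0xweth", "0xusdc"},
    "list-c": {"0xweth"},
}

# Constructed stand-in for Balancer's on-chain registry of factory-deployed pools
# (in production this would be a contract call such as BFactory.isBPool(addr)).
REGISTRY = {"0xpool-real"}


@dataclass(frozen=True)
class PoolCandidate:
    address: str
    underlying: frozenset          # token addresses the contract actually holds
    emits_balancer_events: bool    # same join/exit style event logs as real pools
    total_supply: int              # pool-token supply the contract reports


# A genuine pool and the one-way mimic described in the incident: both hold
# legitimate tokens, emit the same logs and report a large supply.
REAL_POOL = PoolCandidate("0xpool-real", frozenset({"0xdai", "0xweth"}), True, 10**24)
FAKE_POOL = PoolCandidate("0xpool-fake", frozenset({"0xdai", "0xweth"}), True, 10**24)


def blue_tick(token: str, token_lists=TOKEN_LISTS, threshold: int = 2) -> bool:
    """Conventional-token rule: listed in at least `threshold` token lists."""
    return sum(token.lower() in lst for lst in token_lists.values()) >= threshold


def looks_like_balancer_pool(pool: PoolCandidate) -> bool:
    """Behavioural heuristics only; a mimic can satisfy every one of them."""
    return pool.emits_balancer_events and pool.total_supply > 0 and bool(pool.underlying)


def weak_is_legit(pool: PoolCandidate, token_lists=TOKEN_LISTS) -> bool:
    """Pre-incident rule: pool inherits the tick if all underlying assets have it."""
    return looks_like_balancer_pool(pool) and all(blue_tick(t, token_lists) for t in pool.underlying)


def hardened_is_legit(pool: PoolCandidate, token_lists=TOKEN_LISTS, registry=REGISTRY) -> bool:
    """Post-incident rule: identity comes from the registry, not from behaviour."""
    return pool.address.lower() in registry and weak_is_legit(pool, token_lists)
```

The weak rule accepts both candidates because it only measures behaviour and underlying assets; the registry check rejects the mimic without touching the heuristics.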

Sources And Further Reading


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.