A cryptocurrency whale has fallen victim to a massive phishing attack, losing millions of dollars in staked Ethereum on the liquid staking provider Rocket Pool.
A large cryptocurrency investor lost the entire address balance of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) due to a phishing attack, the cryptocurrency security firm PeckShield reported.
The hack was completed in just two transactions, as one had 9,579 stETH stolen and the other involved 4,851 rETH. At the time of the attack, which occurred on Sept. 6, the stolen amounts were worth $15.5 million in stETH and $8.5 million in rETH, a staggering $24 million combined.
A significant portion of the DAI stash has already been transferred into the fully automatic cryptocurrency exchange FixedFloat, PeckShield reported.
According to data from the anti-scam source, Scam Sniffer, the victim enabled token approvals to the scammer by signing “Increase Allowance” transactions.
Allowance or access permissions are a feature of ERC-20 tokens which enable a third party to have the right to spend some tokens that belong to a different owner, using smart contracts. Some cryptocurrency observers have previously warned against risks associated with approving ERC-20 allowances, noting that anonymous developers could deploy malicious smart contracts to scam users.
The news comes soon after at least five Ethereum liquid staking providers imposed or started working to impose a self-limit rule in which they promise not to own more than 22% of the Ethereum staking market. The providers reportedly included Rocket Pool, StakeWise, Stader Labs and Diva Staking.