A hacker incident unexpectedly tore off EigenLayer's fig leaf


Author: Azuma, Odaily Planet Daily

At around 11 p.m. Beijing time last night, on-chain analysis agency Lookonchain detected an abnormal transaction: the address 0xA7A1c66168cC0b5fC78721157F513c89697Df10D received approximately 1.67 million EIGEN tokens from EigenLayer's team address and then immediately dumped them at a price of $3.3, cashing out about $5.51 million.


After this transaction was exposed, doubts spread through the community: transfer restrictions on EIGEN were lifted only a few days ago, and the team is already dumping this openly and directly?

Around 5:30 this morning, EigenLayer issued an official response to the community's questions.

There was an isolated incident this morning where a malicious attacker hijacked an email from an investor about transferring tokens to a custodial address, and the hacker replaced the specific address in the email, resulting in 1673645 EIGEN being mistakenly transferred to the attacker's address. The attacker has sold these stolen EIGEN on a decentralized trading platform and transferred the stablecoins to a centralized exchange. We are in contact with these platforms and law enforcement. Some funds have been frozen.

This disruption did not affect the EigenLayer system, and there are no known vulnerabilities in the protocol or token contracts. This incident is unrelated to any on-chain functionality of EigenLayer.

We are still investigating this matter and will continue to disclose further information once available.

The attack itself is not complex. The well-known security expert and founder of SlowMist has provided a detailed analysis on their personal X account.

Regarding the attack itself, the attacker may have been planning for quite some time. The attacker's address initially received 1 EIGEN, followed by 1673644 EIGEN approximately 26 hours later, all from a 3/5 multi-sig address (0x87787389BB2Eb2EC8Fe4aA6a2e33D671d925A60f). Subsequently, various forms of money laundering began about an hour later. The gas came from ChangeNow, and the illegally obtained EIGEN was mainly exchanged for USDC/USDT, with the majority being laundered through platforms like HitBTC.

The reason why the attacker succeeded, according to official sources, is that the email was compromised. It is estimated that in the email content, the wallet address of the expected recipient, to which the EIGEN was supposed to be sent, was replaced with the attacker's address, causing the project party to send EIGEN to the attacker's address. Even if only 1 EIGEN was sent first, it is possible that after receiving 1 EIGEN, the attacker also sent 1 EIGEN to the expected recipient's address, causing the recipient to think that the entire process was correct... Of course, this is just speculation; please refer to the official disclosure for specific information.

However, this 'ordinary' security incident has revealed another, more serious layer of issues: why can EigenLayer's investors receive tokens now? And why can the receiving address (whether it belongs to an investor or a hacker) dump EIGEN directly, without any restrictions, after receiving it?

The token economic model disclosed by EigenLayer explicitly emphasized that the portion allocated to early contributors and investors carries a "1-year lock-up restriction".

After the transfer restrictions on the EIGEN contract are removed, the tokens of early contributors, investors, and Eigen Foundation service providers will be locked for one year. After one year, 4% of EIGEN for each of the above recipients will be unlocked, and an additional 4% will be unlocked each month thereafter.


It is hard to imagine that EigenLayer, a "king-level" project with a financing scale of over 100 million and a high TVL ranking on the entire network, which major top exchanges are vying to list, neither chose one of the mature token distribution protocols now available nor deployed a token unlocking contract of its own. Instead, it rather "mindlessly" transferred tokens to investor addresses immediately after the token transfer restrictions were lifted.

Judging from the hacker's dumping behavior, these addresses were not subject to any hard operational restrictions after receiving the tokens. In other words, EigenLayer seems to be relying on VCs to honor a "moral lock-up"...
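To illustrate the difference between a "moral" lock-up and an enforced one, here is an added example (not EigenLayer's code and not part of the original article) that models the disclosed schedule as a vesting wallet and applies it to the misdirected 1,673,645 EIGEN. The names `vested` and `VestingWallet`, the 30-day month, and whole-token units are assumptions made for the example.

```python
from dataclasses import dataclass

DAY = 86_400
MONTH = 30 * DAY     # assumption: 30-day months; the article does not define "month"
CLIFF = 365 * DAY    # "locked for one year" after transfer restrictions are removed
STEP_BPS = 400       # 4% per unlock, expressed in basis points


def vested(total: int, start: int, now: int) -> int:
    """Tokens unlocked at `now` for a grant whose lock began at `start` (seconds)."""
    if now < start + CLIFF:
        return 0
    # 4% unlocks at the one-year mark, then another 4% each month after it.
    steps = 1 + (now - start - CLIFF) // MONTH
    return min(total, total * STEP_BPS * steps // 10_000)


@dataclass
class VestingWallet:
    """Hypothetical model of an unlocking contract holding one grant."""
    beneficiary: str
    total: int
    start: int
    released: int = 0

    def releasable(self, now: int) -> int:
        return vested(self.total, self.start, now) - self.released

    def release(self, now: int) -> int:
        """Pay out only what has vested; everything else stays in the contract."""
        amount = self.releasable(now)
        self.released += amount
        return amount


if __name__ == "__main__":
    # Constructed scenario: the grant is assigned to the substituted address
    # and a release is attempted 5 days after restrictions were lifted.
    wallet = VestingWallet("0xA7A1c66168cC0b5fC78721157F513c89697Df10D", 1_673_645, 0)
    for label, t in [("day 5", 5 * DAY), ("1 year", CLIFF), ("36 months", CLIFF + 24 * MONTH)]:
        print(label, "cumulative unlocked:", vested(wallet.total, wallet.start, t))
```

With the schedule enforced by the holding contract, a grant assigned to the wrong address a few days after launch would have had nothing releasable, leaving a full year to detect the substitution before any tokens could move.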

What's even more outrageous is that EigenLayer apparently did not cross-confirm by phone or other means after receiving an email from the 'investor' (actually a hacker) about changing the address, but instead went straight ahead and transferred the funds, which led to the hacker successfully stealing millions of dollars...

All in all, this whole incident is full of failings. If EigenLayer had followed normal token unlocking practice, and if the EigenLayer team had met a passable standard of operations, this hacker incident would not have happened, and EigenLayer would not have been criticized by the community as a "grass-roots team".

From a technical perspective, EigenLayer's innovative "restaking" narrative expands the boundaries of node validation services, using AVS to extend node validation services, which were originally available only for maintaining network consensus, to oracles, sequencers, cross-chain bridges, and many more specific scenarios. This has far-reaching practical significance for the Ethereum ecosystem and the entire cryptocurrency market.

But technology is technology, and operations are operations. From the earlier controversy over 'team members soliciting airdrops from ecosystem projects' to the current 'hacker and unlocking' storm, these outrageous operations by EigenLayer are gradually undermining the community's confidence. For any project, no matter how large its scale or how strong its endorsement, this is an extremely dangerous signal.
