Frequent Phishing Incidents: Is EigenLayer the Biggest Target for Hackers This Year?

BlockBeats
2024-03-06 22:01:24
Did hackers target TVL right after it broke 10 billion?

Written by: Luccy

With the narrative of restaking heating up, EigenLayer has become a hot topic in the community. On March 3, EigenLayer's TVL reached 2.931 million ETH, valued at approximately $10.053 billion. The exceptionally high TVL of EigenLayer has also attracted the attention of hackers. On March 5, @CyversAlerts tweeted that EigenLayer may have fallen victim to phishing.

Are EigenLayer Users Facing New Phishing Attacks?

On March 5, @CyversAlerts detected that an address starting with 0xae7ab received 4 stETH from EigenLayer, with a contract value of $14,199.57, in what it suspected to be a phishing attack. At the same time, it pointed out that several victims have already signed "queueWithdrawal" phishing transactions on the mainnet.

In response, well-known on-chain detective ZachXBT expressed skepticism and commented in a tweet: "Stop spreading fake news because your team can't read the block explorer." However, there have indeed been EigenLayer users who have fallen victim to attacks, and SlowMist founder Yu Xian also stated that there are vulnerabilities in EigenLayer's contracts that hackers could exploit.

EigenLayer Refund Mechanism Becomes a New Target for Hackers

Recently, the notorious phishing organization Angel Drainer introduced a new attack mode targeting EigenLayer's "queueWithdrawal" mechanism.

Due to the nature of Ethereum staking, the approval of transactions differs from the conventional ERC20 "approve" method. Angel Drainer specifically targeted this aspect and wrote an exploit for the queueWithdrawal (0xf123991e) function of the EigenLayer Strategy Manager contract.

The core of the attack is that users signing the "queueWithdrawal" transaction are actually approving a malicious "withdrawer" to extract the staking rewards from the EigenLayer protocol to an address chosen by the attacker. In simple terms, once you confirm the transaction on a phishing webpage, your staking rewards in EigenLayer will belong to the attacker.

To make it more difficult to detect malicious attacks, the attackers use the "CREATE2" mechanism to approve these withdrawals to empty addresses. Since this is a new approval method, most security providers or internal security tools do not parse and verify this type of approval, so in most cases, it is marked as a benign transaction.
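The kind of parsing the paragraph above says most tools skip can be sketched as a pre-sign check that decodes "queueWithdrawal" calldata and compares the withdrawer with the signer. This is an added example, not code from the article, EigenLayer, or any security vendor; the argument order is an assumption (only the selector 0xf123991e comes from the article), the function names are hypothetical, and the sample addresses and calldata are constructed.

```python
QUEUE_WITHDRAWAL_SELECTOR = bytes.fromhex("f123991e")  # selector quoted in the article
WORD = 32
# Assumed argument order (not stated in the article):
# (uint256[] strategyIndexes, address[] strategies, uint256[] shares,
#  address withdrawer, bool undelegateIfPossible) -> withdrawer is head word 3.
WITHDRAWER_SLOT = 3

def _norm(hex_str):
    """Lowercase and strip an optional 0x prefix."""
    s = hex_str.lower()
    return s[2:] if s.startswith("0x") else s

def decode_withdrawer(calldata_hex):
    """Return the withdrawer address of a queueWithdrawal call, else None."""
    data = bytes.fromhex(_norm(calldata_hex))
    if data[:4] != QUEUE_WITHDRAWAL_SELECTOR:
        return None
    head = data[4:]
    if len(head) < 5 * WORD:
        raise ValueError("calldata too short for the five-word head")
    word = head[WITHDRAWER_SLOT * WORD:(WITHDRAWER_SLOT + 1) * WORD]
    if any(word[:12]):  # an ABI-encoded address has 12 zero padding bytes
        raise ValueError("withdrawer word is not a 20-byte address")
    return "0x" + word[12:].hex()

def review_transaction(signer, calldata_hex, trusted=()):
    """Classify a pending transaction before the user signs it."""
    try:
        withdrawer = decode_withdrawer(calldata_hex)
    except ValueError as exc:
        return ("block", f"malformed queueWithdrawal: {exc}")
    if withdrawer is None:
        return ("not-applicable", "not a queueWithdrawal call")
    allowed = {_norm(signer)} | {_norm(a) for a in trusted}
    if _norm(withdrawer) in allowed:
        return ("ok", f"withdrawer {withdrawer} is the signer or trusted")
    # A fresh, empty withdrawer address proves nothing: per the article,
    # attackers point withdrawals at CREATE2 addresses with no code yet.
    return ("block", f"withdrawer {withdrawer} is not the signer")

def build_sample(withdrawer):
    """Constructed calldata: one strategy, one share amount, given withdrawer."""
    w = lambda n: n.to_bytes(WORD, "big")
    head = w(0xA0) + w(0xE0) + w(0x120) + w(int(withdrawer, 16)) + w(0)
    tail = w(1) + w(0) + w(1) + w(0x1111) + w(1) + w(10**18)
    return "0x" + (QUEUE_WITHDRAWAL_SELECTOR + head + tail).hex()

SIGNER = "0x" + "11" * 20   # constructed sample address
UNKNOWN = "0x" + "22" * 20  # constructed sample address
```

Any verdict other than "ok" or "not-applicable" is a reason to stop and show the user the decoded withdrawer before the wallet prompts for a signature.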

Currently, lost assets can be recovered if slashQueuedWithdrawal is called, with official permission, within 15 days to cut the existing queued withdrawals.

In EigenLayer, there are two types of restaking: native ETH restaking and LST restaking. Initially, for the entire staking process, EigenLayer needs to create an EigenPod contract for restaking fund management. When users withdraw, the funds will first be returned to the EigenPod contract.

For native Ethereum staking, in addition to creating the EigenPod contract, users also need to run a Beacon chain node service. Since the ETH is stored in the Beacon chain, a withdrawal requires not only that the user initiate it but also that the node service provider assist in withdrawing the relevant funds from the Beacon chain, meaning the exit process requires mutual consent.

However, for LST restaking, the funds are directly stored in EigenLayer's EigenPod contract. This means that users engaging in LST restaking may suffer losses due to risks associated with EigenLayer contracts. This is precisely the direction targeted by the phishing attack.

EigenLayer TVL Surpasses $10 Billion

EigenLayer raised $64.5 million in two rounds of financing, with leading investors including Blockchain Capital, Polychain Capital, and Ethereal Ventures, along with participation from Hack VC, Finality Capital Partner, Coinbase Ventures, and IOSG Venture.

Additionally, EigenLayer's TVL continues to increase. According to DefiLlama data, as of the time of writing, the TVL has reached $10.4 billion.

It is this TVL exceeding $10 billion that has attracted phishing organizations. In the face of phishing risks and community concerns, SlowMist founder Yu Xian stated that opening a phishing website, or even connecting to one, will not result in wallet private keys being stolen.

Risks accompany rewards; the strong financing background and $10 billion TVL not only provide opportunities for users but also for hackers. Currently, the security risks of restaking are becoming more widely understood, and participants in restaking projects should be cautious to avoid losses.
