A hacking incident unexpectedly exposed EigenLayer's cover

OdailyNews
2024-10-05 23:26:35
The grass-roots troupe performs a grand show.

Author: Azuma, Odaily Planet Daily

Around 11 PM Beijing time last night, on-chain analysis firm Lookonchain detected an unusual transaction: an address (0xA7A1c66168cC0b5fC78721157F513c89697Df10D) received approximately 1.67 million EIGEN from EigenLayer's team address and immediately sold it at a price of $3.3, cashing out about $5.51 million.

After this transaction was exposed, doubts arose within the community: EIGEN's transfer restrictions had been lifted only a few days earlier, and the team was already dumping tokens this blatantly?

Around 5:30 AM this morning, EigenLayer provided an official response to the community's concerns.

This morning, an isolated incident occurred: a certain investor's email regarding transferring tokens to a custody address was hijacked by malicious attackers, who replaced the specific address in the email, resulting in 1,673,645 EIGEN being incorrectly transferred to the attacker's address. The attacker has sold these stolen EIGEN through decentralized trading platforms and transferred the stablecoins to centralized exchanges. We are in contact with these platforms and law enforcement. Some of the funds have already been frozen.

This breach did not affect the EigenLayer system, and there are no known vulnerabilities in the protocol or token contracts; this incident is unrelated to any on-chain functionality of EigenLayer.

We are still investigating this situation, and we will continue to disclose further information as it becomes available.

This attack incident itself is not complicated. Well-known security expert and SlowMist founder Yuxian provided a detailed analysis on his personal X.

Regarding this attack incident, the attacker has likely been planning for quite some time. The attacker's address first received 1 EIGEN, and about 26 hours later received 1,674,644 EIGEN, all from a 3/5 multi-signature address (0x87787389BB2Eb2EC8Fe4aA6a2e33D671d925A60f). Then, more than an hour later, various laundering activities began. Gas fees came from ChangeNow, and the illegally obtained EIGEN was mainly exchanged for USDC/USDT, primarily laundered through platforms like HitBTC.

According to the official statement, the attacker succeeded because of "the email being hacked." It is estimated that in the email content, the expected receiving wallet address for EIGEN was replaced with the attacker's address, leading the project team to send EIGEN to the attacker's address. Even if they initially sent 1 EIGEN, perhaps after receiving 1 EIGEN, the attacker also sent 1 EIGEN to the expected receiving address, causing the expected recipient to believe the entire process was correct… Of course, this is just speculation, and specifics should be based on official disclosures.

However, behind this "ordinary" security incident lies a more serious issue: why can EigenLayer's investors receive tokens now? And why can the receiving addresses (whether investors or hackers) sell EIGEN directly without any restrictions after receiving them?

In the token economic model previously disclosed by EigenLayer, the portion regarding early contributors and investors clearly emphasized the existence of a "one-year lock-up restriction."

After the transfer restrictions of the EIGEN contract are removed, the tokens of early contributors, investors, and service providers of the Eigen Foundation will be locked for one year. After one year, 4% of the EIGEN for each recipient will be unlocked, and an additional 4% will be unlocked each month thereafter.

As a "top-tier" project with over a hundred million in funding and a high TVL that major exchanges are eager to list… it is hard to imagine that EigenLayer neither chose to use a relatively mature token distribution protocol nor deployed a token unlocking contract on its own, but rather "thoughtlessly" sent tokens to investor addresses immediately after the transfer restrictions were lifted…

Judging from the hacker's selling behavior, these addresses also faced no hard operational restrictions after receiving the tokens; in other words, EigenLayer seems to be relying on VCs to "morally lock up" their tokens…
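To make the gap concrete, the following added example (not EigenLayer's code and not from the original article) models the disclosed schedule as a lock-up contract would enforce it: one-year cliff, 4% at the cliff, 4% more each month. The `LockedGrant` class, the whole-token units and both dates are assumptions for illustration.

```python
from datetime import date

CLIFF_MONTHS = 12   # one-year lock-up after transfer restrictions are lifted
STEP_PERCENT = 4    # 4% unlocks at the cliff, then 4% more every month


def months_elapsed(start: date, now: date) -> int:
    """Whole calendar months between start and now (0 if now is earlier)."""
    if now < start:
        return 0
    months = (now.year - start.year) * 12 + (now.month - start.month)
    if now.day < start.day:
        months -= 1  # this month's anniversary day has not arrived yet
    return months


def unlocked_amount(allocation: int, start: date, now: date) -> int:
    """Tokens unlocked by `now`: 0 before the cliff, 100% after 25 steps."""
    elapsed = months_elapsed(start, now)
    if elapsed < CLIFF_MONTHS:
        return 0
    steps = elapsed - CLIFF_MONTHS + 1
    return allocation * min(100, steps * STEP_PERCENT) // 100


class LockedGrant:
    """Minimal model of a lock-up contract holding one recipient's allocation."""

    def __init__(self, allocation: int, start: date):
        self.allocation, self.start, self.released = allocation, start, 0

    def release(self, amount: int, now: date) -> int:
        """Move `amount` out of the lock-up, or refuse if it is still locked."""
        available = unlocked_amount(self.allocation, self.start, now) - self.released
        if amount <= 0 or amount > available:
            raise PermissionError(f"{amount} requested, {available} unlocked")
        self.released += amount
        return self.allocation - self.released


# Allocation is the amount in EigenLayer's statement; both dates are assumptions
# (the article only says restrictions were lifted "a few days" before the theft).
ALLOCATION = 1_673_645
RESTRICTIONS_LIFTED = date(2024, 10, 1)
THEFT_DATE = date(2024, 10, 4)
```

Under this model nothing is releasable on the theft date, so a misdirected grant would have left the tokens locked for a year regardless of whose address was named as recipient.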

Even more absurdly, it seems that EigenLayer did not cross-verify via phone or other means after receiving the email from the "investor" (actually the hacker) about changing the address, but directly released the tokens, which led to the hacker successfully stealing millions of dollars…
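The missing cross-check can be written as a release gate; this is an added example, not a description of EigenLayer's internal process. The channel names, the `investor-a` record and its on-record address are constructed; the substituted address is the one reported above.

```python
from dataclasses import dataclass

# Channels accepted as independent confirmation (assumed policy, not from the article).
OUT_OF_BAND = {"phone-callback", "video-call"}


@dataclass(frozen=True)
class Message:
    investor: str
    address: str
    channel: str  # how the message reached the team


def same_address(a: str, b: str) -> bool:
    """Compare hex addresses case-insensitively (mixed case is only a checksum)."""
    return a.strip().lower() == b.strip().lower()


def release_decision(request: Message, on_record: dict, confirmations: list) -> tuple:
    """Return (release?, reason) for a token transfer request."""
    known = on_record.get(request.investor)
    if known is None:
        return False, "investor has no address on record"
    if same_address(request.address, known):
        return True, "destination matches address on record"
    for c in confirmations:
        if (c.investor == request.investor
                and same_address(c.address, request.address)
                and c.channel in OUT_OF_BAND
                and c.channel != request.channel):
            return True, f"address change confirmed via {c.channel}"
    return False, "address differs from record and lacks out-of-band confirmation"


# Constructed sample data: the on-record address is a placeholder.
ON_RECORD = {"investor-a": "0x" + "11" * 20}
REPORTED_ADDRESS = "0xA7A1c66168cC0b5fC78721157F513c89697Df10D"
HIJACKED_EMAIL = Message("investor-a", REPORTED_ADDRESS, "email")
```

A reply or test-transfer acknowledgement that arrives over the same mailbox is passed in as a confirmation with `channel="email"` and is rejected, because a hijacked channel cannot vouch for itself.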

In summary, this entire incident is full of points of contention. If EigenLayer had followed normal token unlocking protocols, and if the EigenLayer team had possessed adequate operational quality, this hacking incident would not have occurred, and EigenLayer would not have been criticized by the community as a "shoddy operation."

From a technical perspective, EigenLayer's innovative "re-staking" narrative expands the boundaries of node validation services, utilizing AVS to extend node validation services, originally used only for network consensus maintenance, to more segmented scenarios such as oracles, sequencers, and cross-chain bridges. This has long-term utility significance for the Ethereum ecosystem and the entire cryptocurrency market.

But technology is technology, and operations are operations. From past controversies over "team requesting airdrops from ecosystem projects" to the current "hacker and unlocking" storm, EigenLayer's outrageous operations are gradually undermining community confidence. For any project, no matter how large its scale or how strong its backing, this is an extremely dangerous signal.
