The first signs of trouble are brewing as early as October. At the time, 3Commas was accused of leaking API keys that allowed bad actors to gain control of APIs sold to end users, with severe consequences.
3Commas, an automated trading platform, provides customers with an API that they can then connect to the exchanges to allow the bot to execute transactions in fractions of a second when it sees an opportunity to make a profit.
If the key used to connect the API to the platform is intercepted, it would allow a bad actor to hijack the end user’s cryptocurrency exchange account without the need for the trader’s password, email, etc.
- In October, nearly $6 million was stolen from FTX accounts via 3Comma’s API. FTX – which at the time claimed to be solvent – made the decision to compensate the users, despite the fact that this particular money had been stolen through no fault of FTX.
- But the SBF also confirmed that the refund was a one-time exception.
- Just over a month later, a similar incident occurred – this time on Binance.
- The exchange refused to refund the user, with CZ stating that there was no way to guarantee good faith on the part of the user.
- Moreover, even if the user is certain they are trading in good faith, this would not necessarily be a failure on the part of Binance, as the phishing could have occurred entirely outside the platform. Almost three weeks later, CZ returned to Twitter and gave advice. The user disabled all 3Comma API keys on Binance, as he had reason to believe the keys were hacked en masse.
- The tweet set off alarm bells throughout the community, and less than a day later, Yuri Sorokin – CEO and founder of 3Commas – admitted that the leaked keys did indeed come from 3Commas.
- But according to Sorokin, there is no evidence that this was an inside job.
“We did everything we could to investigate an inside job, as it was always a possible scenario and on our watch list, but no evidence of an inside job was found. Only a few technical staff had access to the infrastructure and we have taken steps since November 19th to revoke their access.”
- This is in stark contrast to statements made two weeks ago, in which Sorokin accused the victims of falsifying evidence and claimed that 3Commas is not at fault at all.
- The debacle has understandably rattled traders yet again, with many waiting for more light to shed light on the situation – hopefully some refunds.
Post 3Commas admits that the APIs have been leaked, contrary to previous statements that appeared first on CryptoPotato.