Around $20M at risk as Friend Tech’s security comes under scrutiny with users reporting SIM-swap attacks
SlowMist founder Cos said Friend.Tech's centralization risks information leakage.
The security of Friend.Tech users’ funds are in question due to a wave of reported compromised accounts and the subsequent loss of funds through SIM-swap attacks and hacks.
“The 34 of my own keys that I owned were sold, rugging anyone who held my key, all the other keys I owned were sold, and the rest of the ETH in my wallet was drained.”
Daren mentioned that due to a series of spam calls, he enabled the silent mode on his phone. Unfortunately, this caused him to overlook a critical notification from Verizon regarding suspicious activity on his account. He added:
“If your Twitter account is doxxed to your real name, your phone number can be found, and this could happen to you.”
Another victim, Dipper, explained that their FT account was compromised despite their use of a strong password. However, that could not stop the attacker, who siphoned all the keys and funds in the wallet to another. Dipper claimed to have lost 6.5 ETH to the incident.
Friend.Tech’s platform security questioned.
Following the attacks, SlowMist founder Cos said Friend.Tech’s centralization risks information leakage because the platform requires users to register with a mobile phone number, a Gmail email address, or an Apple account. He added:
“There is not even a two-factor authentication (2FA). Of course, perpetrators are keeping an eye on these bad attack methods.”
This view was also shared by crypto trading firm Manifold Trading, which stated that “any hacker [that] gains access to a FriendTech account via simswap/email hack, can rug the whole account.”
“FriendTech’s current setup also technically allows a rogue dev to reconstruct private keys via Shamir-Secret-Sharing shares that they can recover from user data in their database – so in reality, the whole TVL is at risk.”
These security concerns pose a significant threat to Friend.Tech users’ funds. Manifold’s assessment indicates that a minimum of $20 million in the platform users’ assets may be vulnerable to sim-swap attacks.