en
Back to the list

Trader Joe suffers breach, urges users to take action

source-logo  crypto.news 19 November 2023 09:17, UTC

Trader Joe has swiftly addressed a vulnerability in its analytics plugin, advising users to revoke access to a suspicious contract and restore safety.

The popular decentralized exchange (DEX) Trader Joe, on Nov. 17 announced a security breach in its frontend interface.

The breach, identified in a third-party analytics plugin, potentially put numerous users at risk, leading to immediate action by the platform’s team.

🚨 Important Security Alert

We have been alerted to a possible vulnerability in our frontend interface. Our team is conducting an immediate and thorough investigation.

We strongly advise all users to refrain from trading and from executing any transactions on the Trader Joe…

— Trader Joe (@TraderJoe_xyz) November 17, 2023

Breach detection and immediate response

According to the Trader Joe team, they discovered the vulnerability during a routine check, which revealed compromised JavaScript code in a third-party analytics tool.

🚨 Update

Our team's preliminary analysis identified a potential exploit in a 3rd party analytics plugin hacked JavaScript code used by our frontend.

We've taken immediate action on this finding and the code has been removed, and our host remains secure with no other… https://t.co/hJBRyOF5gW

— Trader Joe (@TraderJoe_xyz) November 18, 2023

The breach reportedly occurred at approximately 18:34 GMT, affecting all chains, including Avalanche (AVAX), Arbitrum (ARB), and Ethereum (ETH).

However, the team swiftly removed the malicious code and temporarily shut down the frontend to prevent further risks.

The incident led to some users’ transactions being rerouted to an unknown contract, specifically identified as “0xd8ea07f43bc5045ec49ab52a3da2d0bf533581bf”. It prompted an urgent advisory for users who had interacted with the DEX after the breach to revoke any access given to this contract.

You might also like: Fake DJ Marshmello presents sham coin at Web Summit as activists’ campaign

Steps for users to safeguard assets

In response to the breach, Trader Joe advised its users to check and revoke approvals of the malicious contract.

The DEX directed users to use various tools, including token approval checkers on SnowTrace, Arbiscan, and BSCScan, as well as the Rabby Wallet’s Approval Centre and revoke.cash.

🚨 Frontend Vulnerability Update

Some users are reporting that Swaps on the frontend are causing tokens to route to an unknown contract: 0xd8ea07f43bc5045ec49ab52a3da2d0bf533581bf

First report raised ~30 minutes ago but if you have used the frontend to trade in the last hours… pic.twitter.com/yayO4AYWHP

— Trader Joe (@TraderJoe_xyz) November 17, 2023

Users could also search for the affected contract address and revoke its access by entering their wallet addresses or connecting their wallets to the suggested services.

Moreover, the DEX emphasized the importance of confirming contract addresses during transactions, directing users to their developer documents for verified and safe contract addresses.

Additionally, the Trader Joe Discord channel was made available for guided support, although with an advisory on potential delays in response.

Current status and moving forward

Following thorough investigation and remediation measures, Trader Joe has restored its frontend, assuring users that it is safe for all activities, including trading, liquidity, staking, and lending.

🚨 Further Update: Frontend Restored 👍

Following investigation and removal of the vulnerable 3rd party analytics code, the frontend has now been restored and it is marked safe to use for all activities such as trading, liquidity, staking, lending and more.

There are no other… https://t.co/bjkeog756u pic.twitter.com/MzLiFdG9bH

— Trader Joe (@TraderJoe_xyz) November 18, 2023

The DEX reassured users that there are no other third-party integrations or solutions in use, aiming to prevent similar vulnerabilities in the future.

The breach is the latest incident to affect Trader Joe. In October, the DEX was slapped with a lawsuit by a similarly named grocery retailer alleging trademark infringement and brand dilution.

The lawsuit targeted the platform as well as its founder Cheng Chieh Liu for deliberately fashioning the DEX to evoke the popular Trader Joe’s brand, an American grocery chain with 560 stores across the United States.

Read more: Crypto losses soar to $173m in November, driven by Poloniex hack

crypto.news