Security problems for the social crypto platform Friend.Tech: $20 million of users’ money at risk



On 5 October, some users of the social-fi crypto platform Friend.Tech reported on X that they were victims of a 234 ETH hack following the theft of their private keys.

The heist was pulled off by a single individual who, by cloning the SIM cards of the affected users of the decentralized application, managed to extract the access keys to their crypto wallets on Base and take a total of $385,000.

The story may not end there as more wallets were compromised earlier this week.

The Friend.Tech team is trying to respond with a security update given growing user fears about a possible exploit of the crypto platform’s entire TVL.

Let’s take a look at all the details together.

Crypto: Friend.Tech suffers 234 ETH hack and risks losing credibility after frequent SIM cloning cases

Friend.Tech is a decentralized crypto application developed on Coinbase’s layer-2, where users can tokenize and trade various shares representative of their accounts on X.

The platform has attracted a lot of attention from the crypto community given the extraordinary success it achieved in its first few weeks of operation, even earning the nickname “OnlyFans of the web3” because of some similarities in the business model.

These days, however, Friend.Tech is making headlines because of security issues that have emerged, which could completely ruin the project’s excellent market debut.

Yesterday, in fact, several users of the social-fi crypto platform Friend.Tech reported to the X (formerly Twitter) community that their Base wallets had been compromised for a total theft of 234 ETH, or about $385,000.

The attack used in this case is SIM swapping: a scam in which SIMs are cloned by illicitly obtaining the victim’s phone number, which is then exploited to gain access to social accounts, effectively circumventing their login security measures.

This is not the first time such attacks have hit Friend.Tech: earlier this week, abnormal transactions were reported on some users’ wallets, with losses of 109 ETH.

Apparently, the malicious individual carried out the SIM swapping via the Apple Store and managed to transfer the victims’ data to an iPhone SE.

Solving this problem is critical for Friend.Tech, since $50 million belonging to more than 28,000 users is at risk.

Since September, the platform has seen an incredible increase in the number of transactions and inflow within the protocol.

According to Dune Analytics, total fees generated on the protocol reached 11,764 ETH (worth over $19 million), thanks to a total of 9,870,682 transactions.

A new record was reached on 14 September with 616 ETH in fees.

Should new hacks and attacks on users happen, the growing distrust of the community will most likely lead to a decline in overall activity, with the risk that the platform will not be able to recover.

Social-fi platform’s responses against highlighted security problems

Friend.Tech’s recent security problems that led to the loss of nearly $500,000 to users of the social-fi crypto platform could be just the beginning of a series of unfortunate events.

According to Manifold Trading, a company that develops software solutions for the industry, at this time, $20 million of the $50 million in total assets locked up on the platform are at risk. 

These are the words of the company:

“If for the sake of argument 1/3 of FriendTech accounts have linked a phone number, there is $20 million at risk of theft by sim cloning.”

Manifold Trading also highlighted that Friend.Tech’s current structure could allow a rogue developer to reconstruct the private keys of all users on the platform via Shamir's Secret Sharing.

This could leave the project’s entire TVL susceptible to cyber attacks.

To address this risk, the software development company recommended implementing two-factor authentication (2FA) as a mitigation.

Indeed, 2FA is employed in a multitude of digital services, especially cryptocurrency exchanges, and is one of the best protections against authentication breaches.

Friend.Tech’s response was not long in coming: within hours of the incident, it launched a new feature to protect its users’ wallets against compromise.

This is a mechanism to remove specific access options, particularly phone numbers, drastically reducing the likelihood of a SIM-swapping attack, which is what the hacker used this week.

Unfortunately, however, the problems do not seem to have ended there: many users have complained on X that they are unable to access their Friend.Tech accounts.

One user in particular revealed that, following the update, although he removed the phone number by replacing the authentication method, he was no longer able to log into his profile.

Having also left sessions open on other devices, he believes hackers could still compromise his account and empty his crypto wallet.