Spooky Frontend Exploit Update (Funds are Safe!)
Hello Spooky community, our team wanted to reach out and give more details on our progress in resolving the recent frontend exploit on the Spooky DeFi hub.
To summarize, a third-party JavaScript plugin enabled code injection from npm packages. This enabled replacing the Spooky router contract on the Spooky Fi frontend with a malicious contract, which sent funds that users attempted to swap to the exploiter. This was active for approximately 1 hour until we took notice and took the site down. During this time all contracts, LPs, Farms and funds remained safe. Thanks to our team, our community, and our collaboration with fellow developers, we are working towards a permanent solution to prevent a similar exploit from happening in the future.
That being said, the Spooky frontend uses several JavaScript plugins and will not go live until we’re absolutely confident the exploit is not possible from an alternative npm source. To do this, the Spooky team is currently:
- Updating our npm packages
- Running an npm audit fix
- Testing to reproduce the code injection
- Verifying code injection from publicly indexed npm packages has been blocked
- Dedicating more resources to our upcoming Spooky v3 launch
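
One way to check a built frontend for the router substitution described above before it is deployed. This is an added example, not Spooky's own code; the allowlist addresses, file names and bundle contents are constructed placeholders, and `findUnexpectedAddresses` is a hypothetical helper name.

```javascript
// Pre-deploy check: every contract address that appears in the built
// frontend files must be on a reviewed allowlist.
// Assumption: all addresses below are constructed placeholders.
const ALLOWED = new Set([
  '0x1111111111111111111111111111111111111111', // placeholder: router
  '0x2222222222222222222222222222222222222222', // placeholder: factory
]);

// "0x" plus exactly 40 hex characters, not embedded in a longer token,
// so 32-byte hashes and calldata words are not mistaken for addresses.
const ADDRESS_RE = /(?<![0-9a-zA-Z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])/g;

// files: { relativePath: fileContents }. Returns one finding per address
// that is not allowlisted, with the file and 1-based line where it occurs.
function findUnexpectedAddresses(files, allowed = ALLOWED) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    for (const match of text.matchAll(ADDRESS_RE)) {
      // Normalize case so checksummed and lowercase forms compare equal.
      const address = match[0].toLowerCase();
      if (!allowed.has(address)) {
        const line = text.slice(0, match.index).split('\n').length;
        findings.push({ file, line, address });
      }
    }
  }
  return findings;
}

// Constructed sample build output: the vendor chunk carries an address
// that nobody reviewed, next to a 32-byte hash that must be ignored.
const SAMPLE_BUILD = {
  'static/js/main.js':
    'const ROUTER="0x1111111111111111111111111111111111111111";\n' +
    'const FACTORY="0x2222222222222222222222222222222222222222";\n',
  'static/js/vendor.js':
    'var h="0x' + 'ab'.repeat(32) + '";\n' +
    'var r="0x9999999999999999999999999999999999999999";\n',
};

const findings = findUnexpectedAddresses(SAMPLE_BUILD);
for (const f of findings) {
  console.log(`unexpected address ${f.address} at ${f.file}:${f.line}`);
}
```

The scan only sees addresses written out literally in the shipped files; an address assembled at runtime or fetched from a remote source would not appear, so it complements dependency pinning and auditing rather than replacing them.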
Overall, the Spooky team is dedicated to growing our top-tier DeFi hub and appreciates the collaboration we’ve received from our community members and fellow DeFi developers. There is currently no risk to the Spooky contracts, and all Spooky contracts can still be accessed directly while we continue our investigation into the frontend vulnerability. Approximately $5000 was stolen from users during the exploit, which the Spooky team will reimburse using our treasury funds. We appreciate our community’s patience while we continue to improve the platform to meet the needs of the constantly evolving decentralized finance space.
Stay Spooky!