
M2 Exchange Hack: A Multi-Chain Heist Revealed

Published on: November 5, 2024

Author: QuillAudits Team

Overview

On October 31, 2024, M2 Exchange reported an exploit that drained approximately $13.7 million from its hot wallets across multiple chains, including Ethereum (ETH), Bitcoin (BTC), and Solana (SOL). The exchange claimed that it detected the incident and recovered the funds within 16 minutes, yet this remarkably rapid recovery and the lack of technical transparency raised significant skepticism in the crypto community.

 

About Project

M2 is a cryptocurrency exchange and custodian based in Abu Dhabi, United Arab Emirates (UAE) that offers trading and custodial services for virtual assets. M2 Earn provides a platform for users to generate best-in-class returns on their crypto assets. It offers flexible and fixed-term investment plans, featuring user-friendly interfaces, diverse investment periods, and flexible redemption options to accommodate a wide range of financial objectives.

 

Exploit Details


Attack Process

  1. The attack reportedly stemmed from an access control vulnerability in M2’s system, which allowed unauthorised access to their hot wallets.
     
  2. This vulnerability was exploited to initiate unauthorised transactions across multiple chains.
     
  3. The attacker’s first transaction involved transferring assets from M2’s hot wallet address 0xE26abc37b06B819243B4B104270Cc18f7C835FcE to an externally owned account (EOA) at 0xb5f798096bd4D969466E2284Bda01F7A51049d3A.

     
  4. From this EOA, the funds were moved to another EOA 0x968b6984cba14444f23ee51be90652408155e142 for further distribution and obfuscation.
     
  5. The attacker swiftly swapped the drained assets on Ethereum, converting $SHIBA and $USDT into ETH, consolidating funds for ease of transfer and likely to complicate traceability.

     
  6. The attacker distributed and held the stolen assets in separate wallets. As of November 4, 2024, the bulk of stolen funds remained in the attacker’s designated addresses, with the largest portion of assets (~$10 million in ETH) sitting unmixed and untouched.

 

The Root Cause

The root cause of the attack on M2 Exchange was an access control vulnerability in their hot wallet infrastructure. This flaw allowed the attacker to bypass standard authorization checks, enabling unauthorized access to the hot wallets holding customer funds on Ethereum, Bitcoin, and Solana chains.

 

Flow of Funds

The attacker initially accessed M2’s Ethereum hot wallet (0xE26abc37b06B819243B4B104270Cc18f7C835FcE), moving funds to an intermediate wallet (0xb5f798096bd4D969466E2284Bda01F7A51049d3A) to obscure the transfer path. 

From there, assets were consolidated into a primary wallet (0x968b6984cba14444f23ee51be90652408155e142), where they were either swapped to ETH or held as is.


 


Post Exploit Scenes

Here is how M2 responded to the exploit on their official website:

“We would like to report that the situation has been fully resolved and customer funds have been restored.”


 

How could they have prevented the Exploit?

  1. Ensuring robust, multi-factor authentication and strict permissions for accessing hot wallets would have mitigated the risk of unauthorised access.
     
  2. Establishing daily withdrawal limits and rate-limiting transaction outflows, particularly across multiple blockchains, would have slowed the attacker’s fund extraction, giving the security team more time to respond.
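
The second measure, sketched as an added example (not M2's or QuillAudits' code): a single outflow guard shared by every chain's hot wallet, so a burst split across ETH, SOL and BTC counts against one budget and trips one breaker. The class and function names, the limits and the sample requests are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OutflowGuard:
    """Rolling-window outflow limit shared by every chain's hot wallet."""
    window_seconds: int = 86_400          # assumed: 24-hour rolling window
    window_limit_usd: float = 1_000_000   # assumed: aggregate cap across all chains
    per_tx_limit_usd: float = 250_000     # assumed: single-withdrawal cap
    halted: bool = False
    _history: deque = field(default_factory=deque)  # (timestamp, usd) of approved outflows

    def _spent(self, now):
        # Drop entries that have aged out of the window, then sum the rest.
        while self._history and self._history[0][0] <= now - self.window_seconds:
            self._history.popleft()
        return sum(usd for _, usd in self._history)

    def authorize(self, chain, usd, now):
        """Return (approved, reason) for one withdrawal request."""
        if self.halted:
            return False, "halted: manual review required"
        if usd <= 0:
            return False, "invalid amount"
        if usd > self.per_tx_limit_usd:
            return False, f"{chain}: exceeds per-transaction limit"
        if self._spent(now) + usd > self.window_limit_usd:
            # Trip the breaker for every chain, not only the one that hit the cap.
            self.halted = True
            return False, f"{chain}: window limit reached, all outflows halted"
        self._history.append((now, usd))
        return True, "ok"

def replay(guard, requests):
    """Run (timestamp, chain, usd) requests through the guard; return decisions and USD released."""
    decisions = [guard.authorize(chain, usd, ts)[0] for ts, chain, usd in requests]
    released = sum(usd for (_, _, usd), ok in zip(requests, decisions) if ok)
    return decisions, released

# Constructed sample: a burst of withdrawals across three chains within minutes.
SAMPLE = [
    (0, "ETH", 200_000), (60, "SOL", 240_000), (120, "BTC", 250_000),
    (180, "ETH", 900_000), (240, "ETH", 245_000), (300, "SOL", 100_000),
    (360, "BTC", 50_000),
]

if __name__ == "__main__":
    print(replay(OutflowGuard(), SAMPLE))
```

With these assumed limits the constructed burst releases $935,000 before the breaker halts every chain; the guard only helps if it runs in a component that the hot wallet signing path cannot bypass.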

 

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.

QuillAudits Team


The QuillAudits team, comprising expert security researchers and auditors in Web3 security, has completed 1,000+ audits across Ethereum, Polygon, Solana, Arbitrum, BSC, and more, securing $30B+ with 0 exploits, advancing the blockchain ecosystem.
