In March 2024, Arbitrum-based Mozaic Finance was the victim of a private key theft. The attacker stole an estimated $2.4 million in cryptocurrency from the project by exploiting their access to a security module within the project’s smart contracts.
Inside the Attack
The Mozaic Finance hack was another example of a DeFi theft carried out by a project’s developer, similar to the 2023 hack of Milady. In this case, a malicious insider stole the personal data of one of the project’s core team members, which included the private keys used to manage the project’s smart contracts.
The Mozaic attacker gained access to a security module designed to act as a fail-safe protection for the project’s vaults. While Mozaic was in the process of transitioning from this to solutions developed by Hypernative Labs, the older security module was still active and had access to the project’s vaults.
With the stolen private key, the attacker could call functions that were only accessible from a developer account. As a result, they were able to transfer stablecoins worth over $2 million out of the Mozaic vault.
These tokens were eventually moved to two exchanges, MEXC and Binance. With over 90% of the cryptocurrency moved to the centralized MEXC exchange, the project was able to freeze the tokens and was confident that they would eventually be recovered.
Lessons Learned from the Attack
The Mozaic Finance hack was made possible by a few security issues. One was that a developer managed to gain access to data owned by a core team member that contained sensitive information. This points to significant issues with data security and access management.
The other primary issue was centralized control over the project’s smart contracts. A single core team member had control over private keys that could unilaterally drain value from the project’s vaults. This scenario is problematic both due to the potential for theft — as demonstrated by this incident — and the potential for a core team member to abuse that centralized power.
While the Mozaic hack didn’t involve smart contract vulnerabilities that could have been found and fixed during a smart contract audit, it did underscore the importance of a robust security program within DeFi projects. Implementing security best practices — such as the use of multi-signature wallets for critical accounts — could have prevented this attack.