MM Finance Frontend Router Hijack
MM Finance users on Cronos lost $2M after the attacker exploited an unclaimed config to swap the DEX frontend's router address, redirecting swap approvals.
- Date: May 4, 2022
- Victim: MM Finance
- Chain(s): Cronos
- Status
- Funds Stolen: approximately $2 million
On May 4, 2022, the Cronos DEX MM Finance lost approximately $2 million from its users when an attacker manipulated the router contract address used by the MM Finance frontend. Users who swapped through the site approved token spending to an attacker-controlled "router" that drained the approved funds.
What happened
MM Finance's frontend resolved its swap router address from a configuration source the attacker was able to influence (an unclaimed/poorly-secured config endpoint). By substituting a malicious router address, the attacker caused the legitimate MM Finance website to present users with approval transactions pointing at the attacker's contract. Users who approved — believing they were interacting with the real router — had their tokens transferred out.
Aftermath
- MM Finance regained control of the configuration and warned users to revoke approvals.
- No protocol-contract bug existed; the smart contracts were untouched.
Why it matters
MM Finance is a smaller sibling of the Curve DNS hijack and BadgerDAO — the recurring lesson that the configuration and infrastructure feeding a DEX frontend is part of the trust boundary. A correct contract served behind a compromised config is, from the user's perspective, a complete compromise. The defence — signed/immutable frontend config, hardware-wallet calldata verification independent of the UI — is the same at every scale of this attack class.
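One way to implement the UI-independent check described above, as an added example that is not MM Finance's code: a router allowlist pinned in the app bundle, against which every approve() calldata is checked before it is handed to the wallet, regardless of what the runtime config advertises. The router addresses are constructed placeholders.

```javascript
// Added example, not MM Finance code: a client-side guard that refuses to submit an
// ERC-20 approve() whose spender is not a router pinned in the app bundle, so a
// swapped runtime config cannot redirect approvals. Addresses are constructed placeholders.
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// Pinned allowlist: compiled into the release, never fetched from a mutable config endpoint.
const PINNED_ROUTERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Build approve(spender, amount) calldata (used here only to construct sample transactions).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addr + amt;
}

// Decode approve(spender, amount) calldata; anything that is not exactly that shape is rejected.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 10 + 64 + 64) {
    throw new Error("not an approve(address,uint256) call");
  }
  const word = hex.slice(10, 74);
  if (!/^0{24}[0-9a-f]{40}$/.test(word)) throw new Error("malformed spender word");
  return { spender: "0x" + word.slice(24), amount: BigInt("0x" + hex.slice(74)) };
}

// Decide whether the wallet should even be asked to sign. The router address the UI
// config currently advertises is only used to explain a mismatch, never to authorise it.
function checkApproval(calldata, configuredRouter) {
  const { spender, amount } = decodeApprove(calldata);
  const allowed = PINNED_ROUTERS.has(spender);
  let reason;
  if (allowed) reason = "spender is a pinned router";
  else if (spender === configuredRouter.toLowerCase()) reason = "config router is not pinned: config may be tampered";
  else reason = "spender matches neither the config router nor a pinned router";
  return { spender, amount, allowed, reason };
}

// Constructed scenario: the config endpoint now advertises an attacker-controlled router.
const SWAPPED_ROUTER = "0x2222222222222222222222222222222222222222";
const tamperedTx = encodeApprove(SWAPPED_ROUTER, 10n ** 18n);
console.log(checkApproval(tamperedTx, SWAPPED_ROUTER)); // allowed: false, "config may be tampered"
```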
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-mm-finance-hack-may-2022
- [02] coindesk.com: https://www.coindesk.com/tech/2022/05/05/decentralized-exchange-mmfinance-suffers-2m-exploit
- [03] rekt.news: https://rekt.news/madmeerkat-finance-rekt