Vercel disclosed a security breach that may have exposed customer API keys, prompting urgent credential rotations among crypto projects. The breach stems from a compromised Google Workspace connection linked to the third-party AI tool Context.ai. Vercel clarified that sensitive environment variables are securely stored and that there is no evidence of unauthorized access to them.

The incident is significant as Vercel supports many Web3 applications, including wallet interfaces and dashboards. Numerous teams within the crypto sector, particularly those using Vercel for their front-end infrastructure, are now reviewing their code for vulnerabilities. Orca, a Solana-based exchange, confirmed it has rotated all deployment credentials as a precautionary measure while assuring users that its on-chain protocol and funds remain unaffected.

Hackers may have accessed backend configurations that could lead to API key exposures, the company noted. API keys are crucial for connecting applications to critical services. A cybercriminal forum claimed to offer Vercel data for $2 million, including access keys and source code, though Vercel has not confirmed the authenticity of these claims and is working with law enforcement and incident response firms to investigate further.

Vercel’s CEO stated that the breach was enabled through an employee’s use of Context.ai, allowing attackers to escalate access into Vercel’s internal environments. Despite the breach’s potential implications, Vercel maintains that its methods for storing sensitive data have thus far protected it from exposure.

The timing of the Vercel breach coincides with a $292 million exploit of Kelp DAO’s rsETH token, triggering a liquidity crunch across decentralized finance platforms like Aave. April has emerged as a tumultuous month for crypto, marked by significant exploits, including a $285 million attack on the Solana-based Drift protocol, which is suspected to be linked to North Korean actors.

LayerZero identified that the $290 million Kelp DAO exploit stemmed from Kelp’s choice to utilize a single-verifier configuration, contrary to multi-verifier recommendations. The attackers compromised two RPC nodes and conducted a DDoS attack that exploited vulnerabilities in Kelp’s architecture.

