What a week in DeFi land! Multiple projects had to resort to hacking their own smart contracts after getting reports about critical flaws. Additional vulnerabilities discovered in the Argent wallet and the Lightning Network all leading to funds theft. This week we have also learned about a shady South Korean exchange behind multi-million gas fee transactions on the Ethereum network. In other news enjoy the upcoming movie about NSA kidnapping Satoshi Nakamoto in an attempt to destroy cryptocurrencies.

Hacks

• The sender of $5 million Ethereum transaction fees has revealed itself to be a shady South Korean exchange Good Cycle which confirmed to be hacked on multiple times.

Scams

• South Korean authorities seized data of two unnamed Ponzi scheme exchanges.

• Scammers use vanity Bitcoin addresses with celebrity or corporate names as part of fake “giveaway” campaigns.

• Wirecard, the company behind Crypto.com and TenX debit cards, is unable to locate $2 billion of cash.

Vulnerabilities

• A major vulnerability in Bancor Network’s smart contract could allow funds theft. Bancor team has attacked their own vulnerable smart contracts to secure users’ funds, but not before arbitrage bots front-running some of those transactions and claiming the bounty for themselves.

• Another vulnerability and a pre-emptive hack on the DeFi Saver Exchange resulted in $30k of funds moved to a safe location.

• A high severity vulnerability in Argent wallet recovery process which can result in funds theft for wallets with no recovery guardians.

• Disclosure of a fee blackmail attack on the Lightning Network that can make a victim loose almost all funds of a non Wumbo channel and potential fixes.

Research

• ConsenSys Dilligence released Blockchain Security Database aggregating security audits and bounty programs for major Ethereum projects.

• Detecting transaction replacement attacks with Manticore

• Flood & Loot: A Systemic Attack On The Lightning Network

• Attack Nets project to create a stable testing ground for attackers.

• How I checked over 1 trillion mnemonics in 30 hours to win a bitcoin

• The 80,000 stolen MtGox bitcoins

Thanks for joining me this week and see you in another edition of Blockchain Threat Intelligence newsletter. In the meantime, head over to /r/blocksec for up to date information on the current threats.

-Peter