Welcome to this week’s edition of Blockchain Threat Intelligence where we will explore a couple of hacks in DeFi space including an unusual spam campaign by a disgruntled operator, several blockchain node vulnerabilities one of them a critical minting bug, and the latest trends in the use of cryptocurrencies by criminals. In case you had the pleasure of competing in Paradigm CTF earlier this year be sure to check out team’s solutions below.

I also wanted to share a new directory of blockchain incidents in my side project OpenBlockSec. The directory contains all know security incidents related to cryptocurrency exchanges, DeFi applications, blockchains, node and wallet software, and other related subjects. The goal of the directory is to learn about the past trends, mistakes and extrapolate lessons for today’s world. It already seems like exchange security incidents of 2011 are oddly similar to DeFi incidents in 2021 in their financial impact, frequency, and seeming lack of accountability.

In other news, a joyful reason for my recent absence from the newsletter was recently covered by several media outlets in case you want to see some more positive uses for NFTs ;-)

News

• Paradigm released CTF solutions on their official github page.

• Massive 8.2TB dataleak from MobiKwik mobile payment processor sold on the dark web for 1.5 BTC.

• The bitcoin terrorists of Idlib are learning new tricks.

• Robert M.C. Forster from ArmorFi made the promised tattoo of Alexander Schlindwein (Bobface) for discovering a critical bug.

Hacks

• On March 30, 2021 Uniswap Info came under spam attack courtesy of Delta Finance which inflated recorded volumes as a retribution for filtering its token’s volume on the analytics site.

• On April 4th, 2021 ForceDAO an insufficient validation vulnerability in the deposit function was exploited to steal 183 ETH (~$367K). The contract was first exploited by a whitehat who later returned 15.8M FORCE ($9.6M) followed by two blackhats.

Vulnerabilities

• The Block Mined In January, 584942419325 by samczsun documents a bug in Geth’s uncle validation routine which could have caused a fork.

• Handshake patched a coin minting vulnerability in its node software.

• BTCPay patched a critical vulnerability in the docker deployment after it was responsibly disclosed by Tesla.

Malware

• An iPhone user was scammed out of 17.1 BTC after he downloaded a fake Trezor app on Apple’s App Store.

• Multiple Monero and Grin cryptomining images discovered on Docker Hub.

Research

• OpenBlockSec - BlockSec Incidents Directory

• Resources for learning smart contract security by Immunefi.

Tools

• Solar: Context-free, interactive analysis for Solidity

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining in this week’s edition! Stay informed, stay positive and see you all next week.

- Peter Kacherginsky (iphelix)