This week’s theme is DeFi! Writing smart contracts is hard enough, but take sufficiently complex systems like DeFi apps and bugs just start popping up. Hegic, tBTC, Etheroll all had interesting vulnerabilities discovered and published this week.

The BlockFi incident begs several questions: Why do they still use SMS as a 2FA option especially for internal employees and why are the internal systems still accessible from the Internet? This could have been much worse.

In other news, looks like some of the addresses in the Tulip Fund are turning against Faketoshi and more drama on the Steem network. Also, check out the hilarious Justin Sun deep fake scam video in the links below.

Hacks

• BlockFi Incident Report - on May 14th, 2020 BlockFi suffered a breach of its client data including customer names, emails, DoBs, home addresses, and activity history. An employee’s phone number was SIM ported to gain access to his or her corporate email and BlockFi’s internal systems. According to the incident report, an attacker attempted but failed to steal any funds.

• HegicOptions has shut down again - this one is not a typo, a design flaw in Hegic was exploited to make a quick $3340 profit.

• Details of the tBTC Deposit Pause on May 18, 2020 - additional details about the tBTC bug causing shutdown due to Bitcoin address parsing. An additional vulnerability was also reported where a malicious redeemer could craft an output script which would result in an invalid Bitcoin transaction to seize signer bonds and net profit in some circumstances.

• Etheroll exploited - a clever exploit which takes advantage of infrequent chain forks to game the gambling smart contract.

• Ethereum.org DB dump sold on the black market - reports of 16,000 ETH accounts from the 2016 hack being sold online. Vitalik’s hash is clearly visible in the screenshot and appears to be `$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/`. Does anyone wants to take a stab?

• Bitcoin stolen in a $72 million hack just started moving - more stolen funds movements on the blockchain. This time related to the 2016 Bitfinex hack.

Scams

• TRON’s Justin Sun Imitated in The Most Advanced ‘Deep-Fake’ Crypto Scam - a new spin on the classic crypto scam involves pre-recorded Skype calls with “deep-faked” Justin Sun on the other end. You can watch the hilarious video here.

Vulnerabilities

• Lit by Laser: PIN Code Recovery on Coldcard Mk2 Wallets - keep your crypto close, but your hardware wallets closer. Another hardware wallet cracked by the Ledger Donjon team.

Malware

• Insidious Android malware gives up all malicious features but one to gain stealth - ESET report on a banking trojan targeting cryptocurrency wallets. The malware was available as a DEFENSOR ID app in the official Google Play store. It exploits Android’s accessibility options to control other apps on the phone to gather victims’ credentials, emails, and messages.

People

• Meet the forensics expert who tracks stolen Bitcoin - an expose on CipherBlade’s Rich Sanders and his work tracking down stolen crypto.

Research

• Fact Checking Recent Cryptocurrency Terrorism Financing Reports - debunking myths of terror groups using crypto… for now.

• Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability - a study of DEX arbitrage bots and the risk they pose to consensus security.

Another fun week in blockchain security! I hope you stay healthy and see you all next week. But for now, head over to /r/blocksec subreddit where I share many of the news in this newsletter throughout the week.