Welcome to 2021, the year without DeFi incidents, blockchain reorgs, and exchanges hacks. Just kidding. The year has already started with the first batch of DeFi hacks and exploits in yCredit and DeFi Saver projects. More YouTube giveaway scams and rug pulls followed closely after. On the malware front, this edition features reports of new a crypto stealer and change in tactics for the crypto jacking campaigns. The BlockSec frontier appears much the same as the previous year. On the brighter side, we have a new blockchain security conference, Unchained, on the horizon and a recordings of a number of smart contract security talks from the Hello Security Audit track.

Hacks

• On January 1st, 2021 yCredit Finance minting vulnerability was successfully exploited.

Vulnerabilities

• January 5th, 2020 DeFi Saver urgently moved users’ funds to a new contract after a vulnerability was responsibly disclosed by the Dedaub team.

Scams

• YouTube channel hijacked to promote a crypto giveaway scam to steal $70K.

• A vulnerable PRNG was exploited to cheat at a SuperMassive NFT experiment.

Malware

• Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders explores a long running ransomware operation which netted perpetrators more than $150M.

• Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets

• Team TNT crypto-mining botnet targets weak Docker and AWS accounts.

Events and Communities

• Unchained BlockSec Conference announced. CFP deadline is February 2nd.

• ETHGlobal - White Hat Panel: DeFi Exploits on January 13th.

• Smart Contract Research Forum

Media

• Hello Security Audit conference held on January 7th has a number of excellent talks on smart contract security from folks at Quantstamp, Trail of Bits, Consensys Dilligence and others.

• Fault Tolerant - Cryptocurrency Threat Models episode offers a unique analysis of threat to and by PoW chains like Bitcoin.

Research

• Why we need wide adoption of social recovery wallets by Vitalik Buterin.

• A Survey on Vulnerabilities of Ethereum Smart Contracts

• Armiarma: Ethereum2 Network Monitoring Tool

• Crypto-Hotwire: Illegal Blockchain Mining at Zero Cost Using Public Infrastructures

• How to prepare for an interview for a Security Researcher role at OpenZeppelin

• Harvey: A Greybox Fuzzer for Smart Contracts

Tools

• tx2uml package creates useful Ethereum transaction graph.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me in the first edition of this year! Stay healthy and stay informed.

- Peter Kacherginsky (iphelix)