Welcome to this week’s edition of Blockchain Threat Intelligence where we will explore a couple of hacks in DeFi space including an unusual spam campaign by a disgruntled operator, several blockchain node vulnerabilities one of them a critical minting bug, and the latest trends in the use of cryptocurrencies by criminals. In case you had the pleasure of competing in Paradigm CTF earlier this year be sure to check out team’s solutions below.

I also wanted to share a new directory of blockchain incidents in my side project OpenBlockSec. The directory contains all know security incidents related to cryptocurrency exchanges, DeFi applications, blockchains, node and wallet software, and other related subjects. The goal of the directory is to learn about the past trends, mistakes and extrapolate lessons for today’s world. It already seems like exchange security incidents of 2011 are oddly similar to DeFi incidents in 2021 in their financial impact, frequency, and seeming lack of accountability.

In other news, a joyful reason for my recent absence from the newsletter was recently covered by several media outlets in case you want to see some more positive uses for NFTs ;-)

News

• Paradigm released CTF solutions on their official github page.

• Massive 8.2TB dataleak from MobiKwik mobile payment processor sold on the dark web for 1.5 BTC.

• The bitcoin terrorists of Idlib are learning new tricks.

• Robert M.C. Forster from ArmorFi made the promised tattoo of Alexander Schlindwein (Bobface) for discovering a critical bug.

Hacks

• On March 30, 2021 Uniswap Info came under spam attack courtesy of Delta Finance which inflated recorded volumes as a retribution for filtering its token’s volume on the analytics site.

• On April 4th, 2021 ForceDAO an insufficient validation vulnerability in the deposit function was exploited to steal 183 ETH (~$367K). The contract was first exploited by a whitehat who later returned 15.8M FORCE ($9.6M) followed by two blackhats.

Vulnerabilities

• The Block Mined In January, 584942419325 by samczsun documents a bug in Geth’s uncle validation routine which could have caused a fork.

• Handshake patched a coin minting vulnerability in its node software.

• BTCPay patched a critical vulnerability in the docker deployment after it was responsibly disclosed by Tesla.

Malware

• An iPhone user was scammed out of 17.1 BTC after he downloaded a fake Trezor app on Apple’s App Store.

• Multiple Monero and Grin cryptomining images discovered on Docker Hub.

Research

• OpenBlockSec - BlockSec Incidents Directory

• Resources for learning smart contract security by Immunefi.

Tools

• Solar: Context-free, interactive analysis for Solidity

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining in this week’s edition! Stay informed, stay positive and see you all next week.

- Peter Kacherginsky (iphelix)

Multiple projects fixed critical vulnerabilities after getting responsible disclosures from Sam, Dedaub team, and others. In many cases these disclosures were facilitated using Immunefi which provides an excellent service to the community by connecting security researchers and various smart contract projects. It was an otherwise quiet week so we can finally enjoy a few fun research papers from Vitalik, Jimmy Song, and others.

News

• Immunefi launched a whitehat scholarship program to help sponsor up and coming security researchers.

Crime

• Chinese authorities arrested a SIM swapping ring targeting exchange users.

Vulnerabilities

• ElasticDAO fixed an infinite minting vulnerability after it was reported by samczsun and Tina Zhen. About $4.4M worth of ETH and EGT tokens were saved as a result of the responsible disclosure. Additional vulnerability details are available here.

• Dedaub reported yield skimming vulnerabilities in Vesper Finance and BT Finance DeFi apps.

• PancakeSwap patched a vulnerability in its lottery contract after it was responsibly disclosed through Immunefi.

Malware

• Black Kingdom ransomware targets unpatched exchange servers.

Research

• The Most Important Scarce Resource is Legitimacy by Vitalik Buterin

• Debunking the Empty Block Attack by Jimmy Song

• ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning.

• Aggregatable Distributed Key Generation.

Tools

• Conkas is a modular static analysis tool for Ethereum Virtual Machine (EVM) based on symbolic execution.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me in this week’s edition and see you all next week!

- Peter Kacherginsky (iphelix)

This week we saw traditional appsec threats creep into the crypto world after a couple of DeFi projects lost control over their DNS infrastructure and NFTs getting stolen as a result of good ole’ account takeovers. On the blockchain layer we had a small scare where a block explorer reported a double spend on FileCoin only to conclude that it was just an exchange not using node API correctly. Last but not least check out news of the upcoming QuadrigaCX documentary in the Media section.

News

• Ethereum Foundation announced a bounty for the upcoming ETH2 beacon chain. It includes a wide range of beacon chain targets and attack vectors.

• A Hacker Got All My Texts for $16 exposes a a major flaw in mobile phone operators allowing anyone to reroute SMS from arbitrary phone numbers.

• Nvidia Beta Driver accidentally removes cryptocurrency mining limiter from GeForce RTX 3060 video cards.

Crime

• Teenage hacker sentenced to 3 years in prison for masterminding the July 2020 Twitter hack which resulted in the theft of $120K.

• Romanian authorities arrested an individual responsible for $620K theft from an unknown exchange.

Hacks

• On March 13, 2021 True Seigniorage Dollar DAO was taken over by attackers after they acquired a majority stake. This allowed attackers to deploy an upgrade which was used to mint and later sell 11.8B TSD tokens.

• On March 15, 2021 Cream Finance and PancakeSwap DApps were taken over by attackers after their GoDaddy DNS records were hijacked. The hijacked page attempted to phish users’ seed phrases.

• On March 15, 2021 Nifty Gateway reported that a number of NFTs were stolen after user accounts were compromised on their platform.

• On March 16th, 2021 Iron Finance vFarm reward misconfiguration resulted in the loss of 170K worth of SIL tokens.

• On March 18, 2021 SIL Finance contract permissions vulnerability was exploited by a trading bot which resulted in the loss of $12.1M worth of SIL tokens. The anonymous bot operator returned all of the funds.

Vulnerabilities

• Binance was double crediting FileCoin deposits due to incorrect usage of the node API. The issue briefly incorrectly identified as a double spend.

• Solidity patched a vulnerability in Keccak256 opcode handling.

Scams

• Binance Smart Chain TurtleDEX rug pulled on its investors within hours of launch. $2.5M worth of BNB tokens were quickly exchanged on Binance.

Media

• Dead Man’s Switch is an upcoming documentary about QuadrigaCX CEO, Gerald Cotten who passed away under mysterious circumstances while in midst of a massive scam operation.

Research

• A Year in the Life of a Compiler Fuzzing Campaign is the latest update in Trail of Bits’ long running hunt for bugs.

• Illegal Content and the Blockchain by Bruce Schneier explores threats to the blockchains introduced by hidden messages stored inside.

• Wrecking sandwich traders for fun and profit is an article about a honeypot for MEV sandwichers.

• Tackling Cross Site Scripting with Smart Contracts discusses injection threats and mitigations on DApps.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Welcome back to the Blockchain Threat Intelligence newsletter! After a brief break and a happy wedding (part of it on-chain), I’m excited to dive back into the fun world of BlockSec. This week we will discuss the EIP1559 drama happening on the Ethereum blockchain, 0day markets and NFTs, and several DeFi hacks. Be sure to read the DODO post-mortem for mad a ride through the Dark Forest.

News

• A small group of miners proposed to fork the Ethereum network as a protest to reduced miner rewards in the EIP 1559 proposal. In response, a contingency plan was established to quickly move from PoW to ETH2.0 PoS in case of a 51% attack.

• NFT with a 0day exploit for Quake3 was (briefly) listed on a popular marketplace OpenSea.

• Romanian law enforcement arrested a hacker responsible for the theft of 620K euros from an unidentified exchange.

• Turkish police arrested a Chinese gang which kidnapped workers and forced them to operate a cryptocurrency scam.

Hacks

• On March 14th, 2021 Roll platform’s hot wallet keys were compromised which resulted in the loss of $5.7M worth of various social tokens.

• On March 9th, 2021 DODO V2 Pool contracts were exploited by calling an initialization function which was supposed to be called only once. $3.8M worth of crypto were stolen. In a surprising twist, attackers themselves were front-ran by arbitrage bots who returned the majority of stolen funds.

• On March 7th, 2021 Nano network came under a multi-week DoS attack which resulted in many nodes getting knocked out of sync and transactions getting significantly delayed. The DoS condition was triggered by a large number of dust accounts which saturated the network and overloaded nodes.

• In February, 2021 Zerion platform was tricked to list a malicious Balancer clone which resulted in the loss of $30K worth of funds.

Malware

• Fake crypto wallets on the rise in Google and Apple App Stores.

• UnityMiner targets vulnerable QNAP NAS devices to mine crypto.

• Fake Ad Blocker delivers ransomware and cryptominer in one package.

Research

• A History of Bitcoin Transaction Dust & Spam Storms

• HashSplit: Exploiting Bitcoin Asynchrony to Violate Common Prefix and Chain Quality.

• BLOCKEYE: Hunting For DeFi Attacks on Blockchain.

• Snarky Ceremonies.

• SciviK: A Versatile Framework for Specifying and Verifying Smart Contracts.

• Selfish Mining Attacks Exacerbated by Elastic Hash Supply

• Formal Modelling and Security Analysis of Bitcoin’s Payment Protocol

• EtherSolve: Computing an Accurate Control-Flow Graph from Ethereum Bytecode

Tools

• OpenZeppelin launched Sentinels a smart contract security monitoring service. The service is available free for individual use.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me this week and see you all in the next week’s edition as I’m slowly catching up on the news.

- Peter Kacherginsky (iphelix)

Never a dull week in blockchain security! Multiple smart contract developers reported their private keys were compromised. In all but one case we can only guess if these incidents were part of a rug pull or a compromise by malicious 3rd parties. However, what was apparent is the importance of properly securing superuser keys using multi-sig, governance contracts, or other ways which would prevent a single bad developer from running off with all the cash. On the more positive side, check out two great podcasts with Katie Haun on prosecuting corrupt agents in the Silk Road case and Julien Boutelop’s talk on the Rekt project.

Media

• The Tim Ferris Show Episode 499: Katie Haun on the Dark Web, Gangs, Investigating Bitcoin, and The New Magic of "Nifties" (NFTs‪) deep dives into the investigation of corrupt law enforcement agents involved in the Silk Road case.

• Epicenter Episode 381 - Stake Capital/Rekt - Uncovering the Dark Side of Defi with Julien Boutelop.

Crime

• Blockchain Sleuth Says OKEx, Huobi Stonewalled Him in Child Porn Investigation explores regulatory challenges while hunting down criminals behind the worst kind of crimes.

• BitCoin blackmailer who threatened to blow up NHS hospital during Covid pandemic sentenced in Germany.

Scams

• On March 4th, 2021 Meerkat Finance, a Yearn clone on BSC, smart contract was drained of $31M worth of BUSD and BNB tokens after it was upgraded with a malicious proxy implementation. Further analysis have shown that the hack was perpetrated by the project owners, who later rolled back their hack allegations stating that it was just a test.

• On March 7th, 2021 IVF Finance developer reported his phone, Telegram, and deployer keys were compromised resulting in someone pulling liquidity. The official twitter account has since been deleted.

Hacks

• On March 5th, 2021 PAID Network private keys were compromised resulting in the minting of $160M worth of PAID tokens. While the incident sounds very similar to the Meerkat Finance scam a day earlier, it appears developers are taking active steps to relaunch the token, wipe out stolen funds, and enhance future key security using multi-sig.

• On March 5th, 2021 Kava, a DeFi lending platform, had to be paused and relaunched after an accounting flaw was exploited. No funds were lost.

Vulnerabilities

• A vulnerability was discovered in deprecated Factory v1 pools on Curve Finance. No additional details or post-mortems are currently available.

Malware

• Backdoored Electrum Wallet was notarized and available in Apple Appstore. Once installed, the malware attempted to steal user’s wallet.

• MetaMask phishing campaign on Google Adwords was reported by CipherTrace.

Research

• Failed attempt to break Curve by Experience and Killari.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Just a heads up that next week’s edition will be delayed, but we will catch up on all the news the week after. Thanks for joining me and see you all soon!

- Peter Kacherginsky (iphelix)