BlockThreat - Week 37, 2021

SushiSwap | pNetwork | OpenZeppelin | Capoae | REvil

Welcome to BlockThreat!

This week’s edition is jam-packed with post-mortems, vulnerabilities, research papers, and the latest in blocksec news. A truly bizarre hack happened involving the Kia Sedona auction on SushiSwap, with all of the funds returned after the attacker received a miso soup delivery along with a not-so-friendly legal call. The IRS is at it again soliciting exploits for hardware wallets, another cross-chain protocol loses $12.5M, a new cryptominer malware family, and more in this never dull space. You can find all of the incidents below in the OpenBlockSec incidents directory.

Let’s dive into the news, but first a special thank you to all of the Gitcoin Grant supporters as well as Breadcrumbs.app who sponsored this week’s edition:



Events

News

Hacks

Vulnerabilities

Scams

Malware

Other Incidents

Research

Tools


Help support BlockThreat!

Over the past two years, BlockThreat has gained more than a thousand followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable, consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.


Stay informed and see you in next week’s edition!

- Peter Kacherginsky (iphelix)

BlockThreat - Week 36, 2021

Zabu | CREAM | Mango | CipherTrace | North Korea

Welcome to BlockThreat!

In this edition we will focus on education by reviewing the latest in blocksec research and tools. The Avalanche network experienced its first major DeFi hack, while another DeFi project on Solana narrowly avoided losses thanks to a timely report and by exploiting itself to save funds. In more positive news, a money laundering network used by North Korean attackers was dismantled and CREAM got most of their funds back.

Let’s dive into the news, but first a special thank you to all of the Gitcoin Grant supporters. You folks rock!

News

Hacks

Vulnerabilities

Research

Tools

  • Solidity Shell by Consensys Diligence makes it easy and fun to experiment with Solidity snippets.




Stay informed, stay safe and see you in next week’s edition!

- Peter Kacherginsky (iphelix)

BlockThreat - Week 35, 2021

Banksy | Aurorian | Siren | DAO Maker

Welcome to BlockThreat!

A relatively quiet week with just a few reports of NFT scam campaigns resulting in millions in losses. Alarming trends include yet another reentrancy exploit and previously exploited projects getting successfully attacked again. Enjoy this rare week of sub-$10M losses to catch up on a few great research articles below.

Scams

Hacks

Research




Stay informed, stay safe and see you in next week’s edition!

- Peter Kacherginsky (iphelix)

BlockThreat - Week 34, 2021

Bilaxy | xToken | CREAM | Dot | Geth | OpenZeppelin

Welcome to BlockThreat!

SushiSwap paid out a $1M bounty for a responsibly disclosed critical bug. Other DeFi projects promote bounties up to $2.5M. In comparison, zero-day marketplaces pay $2.5M for full exploit chains in iOS and Android phones with an added requirement to not share bugs with manufacturers. Responsible disclosures are only in the $250K range for similar bugs. Is it only a matter of time before hobbyist criminals are replaced by seasoned grey hats who realize that the economics of DeFi exploits make it a far more profitable enterprise?

Coordinated disclosure is really tricky. Ethereum and other compatible networks experienced network splits after an attacker figured out a vulnerability in a hotpatch and launched an exploit before most nodes upgraded. In other news, Bilaxy exchange reported a hot wallet compromise, several DeFi projects experienced repeat hacks, a new scammer technique targets MetaMask users, and more in this week’s edition.

As a reminder, you can find post-mortem and exploit analysis archives of DeFi, exchange, blockchain, and other incidents in the OpenBlockSec Incidents repo. Feel free to send PRs to keep it up to date and complete!

News

Hacks

Vulnerabilities

Scams

Ransomware

Research




Stay informed, stay safe and see you in next week’s edition!

- Peter Kacherginsky (iphelix)

BlockThreat - Week 33, 2021

Liquid | T-Mobile | SushiSwap | Pinecone | Solend | Sentinel

Exchange hot wallet compromises have been getting rarer in recent years as security practices continued to mature. Unfortunately, Liquid Exchange broke this pattern in a massive $94M hack perpetrated by well-prepared attackers. SushiSwap narrowly avoided a $350M hack thanks to a timely report by samczsun. Solana experienced a (possibly first) DeFi hack. Last but not least, expect to see an increase in exchange account takeovers after a massive T-Mobile hack.

Let’s dive into the news, but first a special thank you to Oak Security which sponsored this week’s edition:


Oak Security focuses on third-generation blockchains and blockchain interoperability. Oak’s client base has a combined market cap of over $10 billion. The company specializes in Terra, Cosmos, Polkadot, and Flow security, and is the leading provider of CosmWasm security audits. Oak Security is growing and hiring new auditors.


News

Hacks

Vulnerabilities

Media

Research




Stay informed, stay safe and see you in next week’s edition!

- Peter Kacherginsky (iphelix)
