Week 21, 2020

BlockFi, Hegic, tBTC, Etheroll

This week’s theme is DeFi! Writing smart contracts is hard enough; build something as complex as a DeFi app on top of them and bugs start popping up. Hegic, tBTC and Etheroll all had interesting vulnerabilities discovered and published this week.

The BlockFi incident raises several questions: why do they still offer SMS as a 2FA option, especially for internal employees, and why were internal systems reachable from the Internet with nothing more than a compromised mailbox? This could have been much worse.

In other news, it looks like some of the addresses in the Tulip Fund are turning against Faketoshi, and there is more drama on the Steem network. Also, check out the hilarious Justin Sun deepfake scam video in the links below.

Hacks

  • BlockFi Incident Report - on May 14th, 2020 BlockFi suffered a breach of its client data, including customer names, emails, dates of birth, home addresses and activity history. An employee’s phone number was SIM-ported, which gave the attacker access to the employee’s corporate email and, from there, to BlockFi’s internal systems. According to the incident report, the attacker attempted, but failed, to steal funds.

  • HegicOptions has shut down again - this one is not a typo: a design flaw in Hegic was exploited for a quick $3,340 profit.

  • Details of the tBTC Deposit Pause on May 18, 2020 - additional details on the Bitcoin address parsing bug that caused the tBTC deposit pause. A second vulnerability was also reported: a malicious redeemer could craft an output script that results in an invalid Bitcoin transaction, which in some circumstances would let them seize signer bonds at a profit.

  • Etheroll exploited - a clever exploit which takes advantage of infrequent chain forks to game the gambling smart contract.

  • Ethereum.org DB dump sold on the black market - reports of 16,000 Ethereum.org user accounts from the 2016 breach being sold online. Vitalik’s hash is clearly visible in the screenshot and appears to be `$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/`. The `$P$` prefix marks a phpass portable hash: salted, but only iterated MD5, so it is crackable offline. Does anyone want to take a stab?

  • Bitcoin stolen in a $72 million hack just started moving - more movement of stolen funds on-chain, this time from the 2016 Bitfinex hack.
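The second tBTC issue above turns on what a redeemer is allowed to hand the signing group as an output script. One defensive approach, shown here as an added example that is not tBTC’s own code (the page does not describe tBTC’s actual fix), is to whitelist the four standard Bitcoin output-script templates by exact length and opcode layout and reject everything else before a redemption request is accepted. The sample scripts in the block are constructed with zero-filled hashes, not real addresses.

```python
"""Added example (not tBTC project code): whitelist redeemer output scripts.

A deposit's redeemer supplies the scriptPubKey that the signing group will
pay to. If that script is malformed, the signed redemption transaction is
invalid and can never confirm, which is the situation the second tBTC
report describes. Matching the script against exact standard templates
before accepting the redemption request closes that door.
"""

# Opcodes that appear in the standard templates
OP_0 = 0x00
OP_DUP = 0x76
OP_EQUAL = 0x87
OP_EQUALVERIFY = 0x88
OP_HASH160 = 0xA9
OP_CHECKSIG = 0xAC


def classify_output_script(script: bytes) -> str:
    """Return the template name for a standard scriptPubKey, else raise ValueError.

    Matching is on exact length plus every opcode and push-length byte, so a
    truncated hash, an extra trailing byte or an unknown opcode is rejected.
    """
    n = len(script)
    # P2PKH: OP_DUP OP_HASH160 PUSH20 <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 20 and script[23] == OP_EQUALVERIFY
            and script[24] == OP_CHECKSIG):
        return "p2pkh"
    # P2SH: OP_HASH160 PUSH20 <hash160> OP_EQUAL
    if n == 23 and script[0] == OP_HASH160 and script[1] == 20 and script[22] == OP_EQUAL:
        return "p2sh"
    # Segwit v0 programs: OP_0 PUSH20 <hash160> (P2WPKH) or OP_0 PUSH32 <sha256> (P2WSH)
    if n == 22 and script[0] == OP_0 and script[1] == 20:
        return "p2wpkh"
    if n == 34 and script[0] == OP_0 and script[1] == 32:
        return "p2wsh"
    raise ValueError(f"unsupported or malformed output script ({n} bytes): {script.hex()}")


def is_acceptable_redeemer_script(script: bytes) -> bool:
    """Gate applied at redemption-request time: True only for a whitelisted template."""
    try:
        classify_output_script(script)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed scripts (zero-filled hashes), not real addresses.
    samples = {
        "p2wpkh": bytes([OP_0, 20]) + bytes(20),
        "p2wsh": bytes([OP_0, 32]) + bytes(32),
        "p2pkh": bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
        "p2sh": bytes([OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUAL]),
        "p2wpkh truncated by one byte": bytes([OP_0, 20]) + bytes(19),
        "op_return data carrier": bytes([0x6A, 4]) + b"tBTC",
    }
    for name, script in samples.items():
        verdict = "accept" if is_acceptable_redeemer_script(script) else "REJECT"
        print(f"{name:30} -> {verdict}")
```

The check is deliberately rigid: it does not try to "interpret" a script, because any flexibility (accepting a 19-byte witness program, an OP_RETURN, or a non-standard script) is exactly what hands an attacker a redemption that can never be broadcast.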

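The hash quoted in the Ethereum.org item is a phpass portable hash: `$P$`, one cost character, an 8-character salt and a 22-character digest, computed as 2^cost iterations of MD5 over the previous digest concatenated with the password. As an added example that is not the newsletter’s own code, the block below parses that format, reimplements the phpass check so a candidate password can be verified offline, and runs a constructed wordlist against a constructed hash that reuses the quoted cost and salt. The quoted string is only parsed here (its cost character `B` means 2^13 = 8192 MD5 rounds); nothing is run against its real digest.

```python
"""Added example (not from the newsletter or the leaked dump): identify and
verify a phpass portable hash.

`$P$` (or `$H$`) is the phpass portable format used by WordPress, Drupal 7
and others: one cost character, an 8-character salt and a 22-character
digest. Cost 'B' = 2**13 = 8192 MD5 rounds, WordPress' default.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# phpass' alphabet; the packing below is little-endian, not RFC 4648 base64
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The string as quoted in the newsletter screenshot; parsed here, never cracked
LEAKED_HASH = "$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/"


def encode64(data: bytes, count: int) -> str:
    """phpass' encode64(): 3 bytes -> 4 chars, low 6 bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_phpass(stored: str) -> dict:
    """Split a phpass string (or its 12-char setting prefix) into cost, salt, digest."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # same bounds phpass itself enforces
        raise ValueError("iteration count out of range")
    return {"cost": 1 << count_log2, "salt": stored[4:12], "digest": stored[12:34]}


def phpass_hash(password: bytes, setting: str) -> str:
    """Recompute the full hash string for password under setting's cost and salt."""
    p = parse_phpass(setting)
    digest = hashlib.md5(p["salt"].encode() + password).digest()
    for _ in range(p["cost"]):  # 2**cost rounds of md5(prev || password)
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def check_password(password: bytes, stored: str) -> bool:
    """Constant-time comparison of the recomputed string against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def crack(stored: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate that verifies against stored, else None."""
    for candidate in candidates:
        if check_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    info = parse_phpass(LEAKED_HASH)
    print(f"cost={info['cost']} rounds, salt={info['salt']!r}")
    # Constructed demo: same cost and salt as the quoted hash, our own password and wordlist
    demo = phpass_hash(b"correct horse battery staple", LEAKED_HASH[:12])
    print(crack(demo, [b"123456", b"password", b"correct horse battery staple"]))
```

Eight thousand MD5 rounds cost a few milliseconds per guess in pure Python and far less on a GPU, which is why a leaked phpass dump from 2016 is still worth money to a buyer today.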
Scams

Vulnerabilities

Malware

People

Research

Another fun week in blockchain security! I hope you stay healthy, and see you all next week. But for now, head over to the /r/blocksec subreddit, where I share much of the news in this newsletter throughout the week.

Week 20, 2020

Lazarus, Terpin, Upbit, BitcoinPaperWallet

Happy Bitcoin halving and welcome back to the Blockchain Threat Intelligence newsletter, the weekly digest of blockchain security news, tools, events, and threats. You may also be interested in the /r/blocksec subreddit, where I share much of the news below throughout the week.

Lots of money laundering activity this week, with attackers attempting to cash out their ill-gotten gains or finding innovative ways to obfuscate their source. North Korean hackers are at it again, and more supercomputers have been commandeered to mine crypto. Also this week, more news about Michael Terpin’s quest to punish everyone involved in a 2018 heist. Oh, and you may want to avoid using online paper wallet generators.

Crime

Hacks

Tools

  • Bug Hunting with Crytic - a new smart contract security project by Trail of Bits. Crytic integrates with existing smart contract repositories to continuously run some of ToB’s other tools, such as Slither and Echidna, and produce customized reports.

That’s all for this week in blockchain security. A bit of trivia: the last block before the Bitcoin reward halving carried a coinbase message in the spirit of the genesis block: NYTimes 09/Apr/2020 With $2.3T Injection, Fed's Plan Far Exceeds 2008 Rescue. Stay healthy and see y’all next week!

Week 50, 2019

VeChain | Hydra ICO | Bitcoin Blender | KeepKey

Hacks

Crime

Malware

Vulnerabilities

  • How to turn $20M into $340M in 15 seconds - a theoretical attack scenario against MakerDAO which may result in collateral theft. The attack requires 80K MKR, which only the Maker Foundation and a few investors such as a16z currently hold. Following the article, the Maker Foundation increased the Governance Security Module (GSM) delay to 24 hours, giving time to detect and respond to an otherwise instantaneous attack.

  • Critical bug in EOS REX - an EOS Authority security assessment uncovered a flaw in the REX contract that allowed more EOS to be extracted from it than intended. The vulnerability has been patched.

  • Inside Kraken Security Labs: Flaw Found in Keepkey Crypto Hardware Wallet - a voltage glitching attack to extract an encrypted seed.

Research

Tools

Week 49, 2019

Lazarus | Lightning Network | Breaking Bitcoin

Malware

Research

Tools

  • RandomX Sniffer - a PoC tool to detect traces of the RandomX proof-of-work algorithm (Monero’s, and therefore the one used by most cryptojacking malware) in CPU registers.

Media

Week 48, 2019

Upbit | Vertcoin | FSB | North Korea

Hacks

Crime

Malware

Research

Tools
