A tough week for the Singaporean exchange KuCoin which suffered a major $281m hack. On the bright side, Lien Finance’s smart contract was preventively hacked to save $9.6m worth of ETH which also resulted in a fascinating article in the research section on beating front-running bots. This week’s edition features a lot more excellent papers, new tool releases, and two new blockchain security competitions. In other news, folks should really reconsider mining crypto on their employer’s supercomputers.
On September 25, 2020 the KuCoin exchange's hot wallets were compromised, resulting in the loss of more than $281m worth of crypto across BTC, ETH, LTC, BSV, XRP, XLM, TRX, and a number of ERC-20 tokens. What was unique about this hack is the sheer number of ERC-20 asset issuers who were able to freeze and reclaim stolen tokens while the attacker was racing to liquidate them on Uniswap, Kyber, and other DEXs. This sets an interesting precedent for future attacks where token issuers actively support hacked exchanges, with the caveat that it only works for tokens whose contracts give the issuer that freezing power in the first place.
On September 19, 2020 a vulnerability in Lien Finance's smart contract was discovered and later exploited by a white-hat group led by samczsun in order to rescue the funds before anyone else could. While no funds were lost, $9.6m worth of ETH was at risk.
The Alien Android malware family is targeting Coinbase, Blockchain.com, Luno, and other cryptocurrency and banking wallet apps to steal credentials, intercept and steal SMS messages (defeating SMS-based 2FA), and carries other banking trojan functionality.
Escaping the Dark Forest is a fascinating research article by samczsun on beating the front-runners to recover $9.6m worth of ETH from a vulnerable contract. The article is a follow-up to Ethereum is a Dark Forest by Dan Robinson, where a previous attempt at a recovery was intercepted by front-running bots watching the public mempool.
Staring into the Monster's Eye: Analyzing a Generalized Front-running Arbitrage Bot Attack is another take on front-running attacks on the Ethereum network, this time focusing on general-purpose bots that copy any profitable pending transaction rather than targeting a specific protocol.
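To make the threat in the two articles above concrete, here is an added toy model (not code from samczsun's article or from the paper) of a generalized front-running bot and of why submitting the rescue transaction privately to a miner defeats it. The "contract", the mempool, the `withdraw_all` calldata, the addresses `whitehat` and `bot`, and the gas prices are all constructed for the example; real bots simulate candidate transactions against a full EVM state, and the private-submission path assumes a miner or relay that keeps the transaction out of the public mempool.

```python
"""Toy model of generalized front-running on a public mempool (constructed example).

The vulnerable contract pays its whole balance to whoever first calls it with
the right calldata. A generalized front-runner does not need to understand the
calldata: it simulates every pending transaction, and if one makes its sender
a profit, it re-submits a copy with itself as sender and a higher gas price.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Tx:
    sender: str
    calldata: str   # opaque payload; the bot never parses it
    gas_price: int  # miners order by this, highest first


# Constructed contract state: the amount at risk, in USD-equivalent.
VULNERABLE_BALANCE = 9_600_000


def simulate(tx: Tx, contract_balance: int) -> int:
    """Execute-without-committing: profit the sender would make if mined now."""
    if tx.calldata == "withdraw_all":
        return contract_balance
    return 0


def generalized_frontrunner(public_pending: List[Tx], bot_addr: str,
                            contract_balance: int) -> None:
    """Copy every profitable pending transaction, outbidding it on gas."""
    copies = []
    for tx in public_pending:
        if simulate(tx, contract_balance) > 0:
            copies.append(Tx(sender=bot_addr, calldata=tx.calldata,
                             gas_price=tx.gas_price + 1))
    public_pending.extend(copies)


def mine_block(public_pending: List[Tx], private_pending: List[Tx],
               contract_balance: int) -> Tuple[Optional[str], int]:
    """Order all known transactions by gas price and apply them in sequence.

    Returns (address that drained the contract, remaining balance).
    Privately submitted transactions reach the miner but never the bot.
    """
    ordered = sorted(public_pending + private_pending,
                     key=lambda t: t.gas_price, reverse=True)
    balance = contract_balance
    winner = None
    for tx in ordered:
        profit = simulate(tx, balance)
        if profit > 0:
            balance -= profit  # first successful caller takes everything
            winner = tx.sender
    return winner, balance


def rescue_via_public_mempool() -> Optional[str]:
    """The failed approach: broadcast the rescue, bot copies and outbids it."""
    public: List[Tx] = [Tx("whitehat", "withdraw_all", gas_price=50)]
    generalized_frontrunner(public, "bot", VULNERABLE_BALANCE)
    winner, _ = mine_block(public, [], VULNERABLE_BALANCE)
    return winner


def rescue_via_private_relay() -> Optional[str]:
    """The working approach: hand the rescue straight to a miner."""
    public: List[Tx] = []  # the bot sees an empty public mempool
    private: List[Tx] = [Tx("whitehat", "withdraw_all", gas_price=50)]
    generalized_frontrunner(public, "bot", VULNERABLE_BALANCE)
    winner, _ = mine_block(public, private, VULNERABLE_BALANCE)
    return winner


if __name__ == "__main__":
    print("public mempool rescue won by:", rescue_via_public_mempool())
    print("private relay rescue won by: ", rescue_via_private_relay())
```

The model deliberately ignores the obfuscation tricks (splitting the call across contracts, gas-token games, decoy failures) that the articles discuss; its point is that any transaction whose simulated outcome is profitable is copyable the moment it hits the public mempool, so the only robust defence is to keep it out of that mempool, which in turn means trusting whoever mines it.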
DeFi Detectives is another live CTF, challenging players to hunt down the Uniswap hackers and investigate SushiSwap's exit scam.
That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.