After weeks of non-stop hacks, we finally got a bit of a break where we can catch up on fun research papers and a fun DeFi security workshop from Binance.

Let’s dive into the news, but first a special thanks to our sponsors at Trail of Bits:

News

• Russian-language hacker forums created a $100K+ prize pool for research papers on ways to attack cryptocurrency assets, exchanges, and related tech.

• US Government prioritizes blockchain analytics and ransomware investigations to combat future attacks on critical infrastructure such as the Colonial Pipeline and JBS hacks.

Hacks

• On June 3, 2021 Sia reported a persistent DDoS attack targeting storage providers resulting in 30% of them losing connections to the network.

• On June 3, 2021 PancakeHunny, a Pancake Bunny clone on BSC, reward mechanism was exploited using a flashloan which resulted in the loss of $86K (216 WBNB tokens).

Malware

• TeamTNT report by Palo Alto’s Unit 42 discussing evolving tactics targeting cloud infrastructure to install crypto miners.

• Extended Clipper malware advertised on darknet forums now targeting multiple cryptocurrency wallets.

Media

Security First in DeFi workshop sponsored by Binance:

1. Understand the security risk of Blockchain by Certik Team

2. Incident Response Process（During/After hacks) by Merkle Science

3. Project Panel: How projects respond to risks and how general users can protect themself? with Cream, dForce, Autofarm, Ogle

4. Best practices for working with data/oracle in a smart contract by Chainlink Team

5. Proactive defense for DeFi protocols: Security as a never ending process by Immunefi team

Research

• In-depth understanding of reentry attack vulnerabilities by Knownsec Blockchain Lab

• SoK: Oracles from the Ground Truth to Market Manipulation

• Topological Anomaly Detection in Dynamic Multilayer Blockchain Networks such as Ethereum to detect financial crime.

Stay informed, stay healthy, and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Almost $17M were stolen this week across various DeFi projects with losses primarily generated by various Pancake Bunny clones on the Binance Smart Chain. Things got so bad that Binance issued a call for action to get developers to adopt secure engineering practices. Crypto Core APT was linked with the Lazarus group further solidifying North Korea’s place as the primary threat to cryptocurrency exchanges around the world. This edition also features lot’s of excellent research papers, podcasts, and talks, but be sure to check out samczsun’s excellent write up on the critical Geth bug. With that grab some coffee, this is going to be one of the larger editions!

Events

• Proactive defense for DeFi protocols: Security as a never-ending process workshop on June 4th 12:30pm UTC+0 by Immunefi

News

• ClearSky released an updated report on the Crypto Core APT group attributing it to the North Korean Lazarus APT.

• Binance Smart Chain experienced 8+ DeFi hacks in the past few weeks prompting an official call for action to increase project security.

Hacks

• On May 29, 2021 Belt Finance price calculation method was exploited using flashloans to steal $6.2M.

• On May 27, 2021 BurgerSwap reentrance vulnerability was exploited to steal $7.2M worth of various crypto assets.

• On May 27, 2021 Wild Credit contract allowed it to be reinitialized which resulted in the theft of $700K. Luckily the attacker was front-run by a bot which returned stolen funds back to the project.

• On May 27, 2021 JulSwap was exploited using flash loans to steal $700K.

• On May 26, 2021 Merlin Labs, a Pancake Bunny clone on BSC, was exploited twice using the same performance minting and a new incorrect price calculation vulnerabilities resulting the loss of $680K and $540K respectively.

• On May 24, 2021 AutoShark Finance, a Pancake Bunny clone on BSC, reward mechanism was exploited using a flashloan which resulted in the loss of $750K (2.2K WBNB tokens).

Vulnerabilities

• Geth patched a critical vulnerability which could have resulted in a hard fork after it was responsibly disclosed by samczsun.

• Bitswift fixed a race condition in its web application after the vulnerability was responsibly disclosed by Yash Sodha using Immunefi platform.

• Keep team fixed a bug which could lead to the loss of signer fees after the vulnerability was responsibly disclosed by Certora.

Malware

• CryptoJacking —Journey of How Cryptomining Turned Evil? by Rakesh Krishnan discusses cryptojacking tactics and major campaigns.

Media

• Crypto’s Existential Threat MEV Panel with Phil Daian, Georgios Konstanopolus, Charlie Noyes

• MEV front-runners and arbitrage by Anatol Prisacaru

• FlashBots: How to make $1m per month as a Solidity developer with Stephane Gosselin & Robert Miller

• Community DeFi Bug Hunt by Carl Farterson

• Hacks Averted by Duncan Townsend

Research

• Elliptic released its Sanctions Compliance in Cryptocurrencies report which discusses evasion techniques including mixers, DEXes and no-KYC exchanges, privacy coins or just mining new coins themselves.

• Flashpoint released Investigating Hydra: Where Cryptocurrency Roads All Lead to Russia and Go Dark report calling attention to increased cryptocurrency activity on the marketplace.

• What to Do After You’ve Been Hacked by Immunefi helps DeFi projects create an incident response plan.

• There is Light in the Dark Forest by bloXroute discusses MEV risks and a new BackRunMe service to help users submit private transactions.

• An interesting honeypot contract found by Robert Miller (@bertcmiller)

• Large collection of smart contract audits by DeFiYield.

• Maximizing Your Arbitrage: Flash Loans by Patrick Collins

• Legendre PRF (Multiple) Key Attacks and the Power of Preprocessing

• SCSGuard: Deep Scam Detection for Ethereum Smart Contracts

• Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit

• Understanding Security Risks in DeFi by CertiK

Tools

• Ape Framework - The DeFi development tool for Pythonistas, Data Scientists, and Security Professionals.

• Ethernal - a private blockchain explorer for EVM-based chains.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

This week we learned about a silently patched vulnerability in both Geth and Parity nodes which almost halted the network. Another $43.6M stolen from various DeFi projects and additional $200M liquidated as a result of price manipulation. I started keeping track of these incidents, root cases, and their impact on OpenBlockSec - DeFi Incidents 2021 page. So far in 2021 we are at $400M+ lost or stolen just from the hacks (significantly more due if we also count rug pulls and other scams) which is enough to sound an alarm that changes must happen soon in this segment of the industry through increased user awareness, developer education, tool development, bug bounty programs, etc. to turn the tide.

Events

• Blockchain Forensics Seminar by David Jevans (CipherTrace) on 05/26 at 3PM PST. Password: 071256.

• Defcon Blockchain Village CFP is now open. Apply now for the virtual or in-person blockchain security event on August 5-8, 2021.

News

• Crypto-mining gangs are running amok on free cloud computing platforms by Catalin Cimpanu (The Record) explores a widespread abuse of CI services to mine crypto.

• More than 72,000 unique Iranian IP addresses linked to more than 4.5 million unique Bitcoin addresses by Ciphertrace reveals a large mining operation by Iranian actors to mining cryptocurrencies to avoid sanctions.

• NTT’s 2021 Global Threat Intelligence Report reveals a resurgence of cryptojacking malware.

Hacks

• On May 18, 2021 Venus Protocol price manipulation of the governance token resulted in $200M+ in DeFi liquidations and $100M+ in bad debt.

• On May 20, 2021 Bunny Finance mint price vulnerability was exploited to steal $45M+ worth of assets.

• On May 22, 2021 Bogged Finance minting vulnerability was exploited to steal $3.6M worth of BOG token.

Scams

• FTC Data Shows Huge Spike in Cryptocurrency Investment Scams with consumer reports increasing ten times since last year.

• Office of Comptroller of the Currency (OCC) released an advisory about a phishing campaign attempting to steal bitcoin wallet keys.

• War on Rugs group exit scammed with $2M of users’ funds after setting a 100% selling tax on RETH and FAIR smart contracts.

• DeFi100 exit scammed with $32M of users’ funds while mocking investors.

Vulnerabilities

• Ethereum Foundation secretly patched a critical DoS vulnerability present in several EVM opcodes in both Geth and Parity nodes.

• Charged Particles fixed a critical DoS/griefing vulnerability after it was responsibly disclosed by Alejandro Muñoz-McDonald through Immunefi.

• Mushrooms Finance fixed a vulnerability which allowed flash bots to steal yields after it was responsibly disclosed by Wen-Ding Li using Immunefi. The vulnerability was previously exploited to steal $222 worth of assets.

• Yearn Finance patched a vulnerability in StrategyMakerETHDAIDelegate accounting logic. Yet another patch in the past few weeks from the Yearn Security team which appears to actively weed out flaws in their contracts.

Research

• Meebit NFT Exploit Analysis by iphelix dives into the exploitation details of the Meebit platform and shares a PoC exploit to help replicate the exploit.

• CheapETH 51% attack demonstration by Anish Agnihorti shows a complete setup and successful 51% attack on the Ethereum fork project.

• DeFi exploitation impact, root cause analysis and trends tweet thread by Igor Igamberdiev.

• Inductive Reasoning about Smart Contracts Safety by James Wilcox

• Bitcoin Privacy - A Survey on Mixing Techniques.

• What everyone gets wrong about 51% attacks by Dankrad Feist.

Tools

• EtherBlob Explorer used to extract human readable data stored in Ethereum transactions.

Help support BlockThreat!

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

This week ends the Colonial Pipeline saga with yet another paid ransom further emboldening ransomware gangs. Ethereum, Binance Smart Chain, and EOS based DeFi applications were exploited this week for a total loss of almost $40M. On the bright side projects are finding and patching more vulnerabilities using internal code reviews and bug bounty programs potentially reversing a seemingly unstoppable barrage of DeFi hacks. Be sure to check out excellent reports by Ciphertrace and Chainalysis on the current state of cryptocurrency crime.

News

• Koch brothers paid the $5M (75 BTC) ransom to the DarkSide Ransomware Gang to help reopen the Colonial Pipeline after six days of outage. Blockchain analytics companies have traced the ransom to a number of exchanges and Hydra marketplace. Interestingly, the group shut down its operations after its public infrastructure was seized.

• Europol arrests six people connected to a €30M scam involving fake cryptocurrency trading platforms.

• Murder for hire scheme thwarted after a Bitcoin transaction to pay the hitman was tracked to an exchange user.

Scams

• FinNexus exit scammed after minting and dumping $7.6M worth of FNX.

Hacks

• On May 12, 2021 xToken contracts were exploited to steal $25M.

• On May 13, 2021 Pi Network user data was posted on Raidforums for sale. Stolen data included Vietnamese identity cards, addresses, phone numbers, and emails for up to 10,000 customers.

• On May 14, 2021 Vault.sx contract on EOS was exploited through a re-entrancy vulnerability to steal $13.5M worth of EOS and USDT.

• On May 16, 2021 Bearn Finance withdrawal logic vulnerability was exploited to steal $11M.

Vulnerabilities

• Sovryn patched a critical lending vulnerability after it was responsibly disclosed through Immunefi bug bounty.

• Fei patched a critical vulnerability in its bonding curve after an internal code review.

• Fei published detailed post-mortem and a PoC exploit for the recent flashloan vulnerability.

• Yearn patched two vulnerabilities in its StrategyProxy and SingleSidedCrvDai contacts.

• Maker patched an overflow bug in its emergency shutdown function.

Malware

• eChoraix ransomware targets vulnerable and unprotected QNAP servers.

• Cryptojacker targets Call of Duty gamers downloading a malicious trainer.

• Ongoing phishing campaign on Twitter targets Metamask and Trust Wallet users with backdoored wallet software.

Research

• Griff Green: Doge-loving hippy hacker steals crypto before bad guys can is a historical look at the infamous DAO hack in 2016.

• Ciphertrace published its quarterly Cryptocurrency Crime and Anti-Money Laundering Report which shows a significant rise in DeFi hacks.

• Chainalysis published Ransomware 2021: Critical Mid-year Update report.

• Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims.

• Reentrancy Vulnerability Identification in Ethereum Smart Contracts discusses a new static and dynamic analysis framework.

Tools

• DeFi ABI generator speeds up the process of creating contract interfaces in Golang.

Help support BlockThreat!

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me in another week of blockchain security!

- Peter Kacherginsky (iphelix)

Welcome to this week’s edition of BlockThreat! For those of you not too busy watching Dogefather on SNL and hopefully not participating in the giveaway scam barrage, I have a fantastic edition for you featuring DeFi hacks, latest scam and malware campaigns, new EVM analysis tools, and a fun new podcast on the QuadrigaCX saga. Enjoy!

Events

• Defcon Blockchain Village CFP is now open. Consider submitting a talk on blockchain security related topics!

Media

• Exit Scam - a podcast series about the death and afterlife of Gerald Cotten (QuadrigaCX CEO)

Scams

• South Korean law enforcement raided V Global exchange offices responsible for scamming $1.5B worth of assets from 40,000 members.

• Elon Musk crypto giveaway scams are on the rise again before his appearance on SNL.

• Ongoing Twitter phishing campaign targets Metamask users to steal seed phrases.

• FBI started adding warning signs on Bitcoin ATM machines to deal with the surge of scams.

• WallStreetBets Forum Members Targeted in Telegram Cryptocurrency Scam which resulted in the loss of $2M worth of Binance Coin.

• Token Sniffer - Scams & Hacks directory lists latest reports of scam coins.

Hacks

• On May 6th, 2021 Value DeFi was hacked after its pool got reinitialized. The attacker drained $10M worth of crypto assets.

• On May 8th, 2021 Value DeFi was hacked again due to invalid use of power() function. Another $11M were stolen.

• On May 8th, 2021 Rari Capital yield-generating strategy in Alpha Finance’s ibETH was exploited which resulted in the theft of 2600 ETH ($10M). The attacker used funds they stole from the earlier Value DeFi hack making this the first cross-chain hack. Perpetrators also issued a mocking on-chain message.

• On May 8th, 2021 Meebit NFT generation logic was exploited to mint a highly valuable NFT worth $700K.

Vulnerabilities

• 0x patched a vote inflation vulnerability after it was responsibly disclosed by samczsun.

Malware

• The Rage of Android Banking Trojans report by Threat Fabric notes an increase in crypto stealing malware targeting popular Android mobile apps from Coinbase, Binance, Blockchain.com, and others.

• Panda Stealer malware report by TrendMicro documents a new wallet stealer propagated through spam emails.

Research

• Tracking One Year of Malicious Tor Exit Relay Activities (Part II) is a follow up to the last year’s article which first identified malicious actors intercepting cryptocurrency-related web traffic on Tor. In this edition, nusenu identifies a likely actor behind 1000s of malicious exit nodes intercepting traffic to cryptocurrency mixers.

• Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts explores new attack vectors using specially crafted addresses and homographs.

• DeFi Risk Tools & Resources is a great resource for various blockchain security projects, tools, risk scoring metrics, insurance providers, and other related subjects.

• How To Spot a Potential RUG — Clear signs something is sketchyis a nice deep dive into Phoinikas Finance contract and social media profiles.

Tools

• FuzzyVM - a guided differential fuzzing framework for EVM.

• Ethereum Toolkit (ETK) - a collection of tools for creating and analyzing EVM smart contracts. The toolkit includes assembler and disassembler tools.

• Palkeo Arbitrary Transaction View - a tool to simulate arbitrary EVM transactions.

Help support BlockThreat!

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay healthy, and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)