Welcome to BlockThreat!

This week’s edition is jam packed with post-mortems, vulnerabilities, research papers, and the latest in blocksec news. A truly bizarre hack happened involving the Kia Sedona auction on SushiSwap with all of the funds returned after the attacker received a miso soup delivery along with a not so friendly legal call. IRS is at it again soliciting exploits for hardware wallets, another cross-chain protocol loses $12.5M, new cryptominer malware family, and more in this never dull space. You can find all of the incidents below in the OpenBlockSec incidents directory.

Let’s dive into the news, but first a special thank you to all of the Gitcoin Grant supporters as well as Breadcrumbs.app who sponsored this week’s edition:

Events

• September 23rd, 11:00 AM ET - The Women to Know in Investigations hosted by Chainalysis.

News

• Internal Revenue Service contracted VTO Labs to help it exploit hardware wallets with the purpose of obtaining account and other forensic data.

• UC San Diego student indicted for a SIM swapping and extortion scheme with the help of a cell phone company employee.

• Bitcoin address involved in the 2014 Mt.Gox hack reactivated after 7 years.

• REvil ransomware master decrypter released for all victims.

Hacks

• On September 10, 2021 Electroneum customer database was breached which may have exposed users ETN wallet addresses, password hashes, PINs, email addresses, phone numbers and other sensitive data.

• On September 14, 2021 SecretSwap, a Secret Network DEX, was successfully exploited. No additional details about the hack are available.

• On September 14 2021 Ethereum network witnessed a broadcast of ~550 specially crafted, invalid blocks. The minority of Nethermind nodes forked to an invalid chain.

• On September 15, 2021 NowSwap Protocol logic error vulnerability was successfully exploited which resulted in the $1M loss.

• On September 16, 2021 Defibox, an EOS-based DeFi project, was successfully exploited which resulted in the theft of ~$24K worth of EOS.

• On September 17, 2021 SushiSwap MISO auction was hacked in a supply chain attack which resulted in the theft of $3.1M worth of ETH. In a truly bizarre twist all of the funds were returned after the perpetrator was identified and received a miso soup order to his home address along with a call from a lawyer.

• On September 18, 2021 Reddit user Reckless_Satoshi demonstrated a routing fee siphoning attack against Bitfinex, OKex, Muun, LNMarkets, Southxchange, WalletOfSatoshi projects.

• On September 19, 2021 pNetwork, a cross-chain protocol, backend log parsing vulnerability was exploited resulting in the theft of $12.5M worth of BTC on Binance Smart Chain bridge.

Vulnerabilities

• Trezor fixed a security issue for Stellar coin on Trezor Model One.

• OpenZeppelin issued a patch and preemptively initialized 170+ UUPS Proxy smart contracts across Ethereum, Polygon, xDAI, BSC, and Avalanche after a critical vulnerability in the UUPS proxy pattern was disclosed independently by Raymond Yeh and Ashiq Amien.

• Yearn patched a bug which could allow an escrow contract to be re-initialized if the ownership is renounced.

• Pancakebunny patched a critical vulnerability in polyBUNNY zap function after it was responsibly disclosed through Immunefi.

• EthGlobal patched a persistent XSS vulnerability after it was responsibly disclosed by Elyx0

Scams

• New scam campaign targeting OpenSea sellers with phishing emails.

Malware

• Capoae cryptominer malware targets vulnerable Wordpress, Jenkins, WebLogic, and ThinkPHP linux servers.

Other Incidents

• On September 7, 2021 OpenSea bug resulted in 42 NFTs getting sent to to a burn address.

• On September 12, 2021 Yam Finance accidentally minted 20B YAM.

• On September 17, 2021 Arbitrum Sequencer halted as a result of a bug.

• On September 15, 2021 Solana consensus protocol halted after the network was flooded with bot transactions.

Research

• Bitcoin ledger as a secret weapon in war against ransomware

• Identifying Ransomware Actors in the Bitcoin Network using machine learning with 85% accuracy.

• What’s in Your Wallet? Privacy and Security Issues in Web 3.0.

• Uncover the mystery of flash loans by Knowsec Blockchain Lab.

• How to Get a Bigger Bounty by Optimizing Attack Parameters by Immunefi.

• OpenZeppelin Smart Contract Security Guidelines and Live Sessions by OpenZeppelin.

• SmarTest: Effectively Hunting Vulnerable Transaction Sequences in Smart Contracts through Language Model-Guided Symbolic Execution.

Tools

• Breadcrumbs blockchain analytics tool comes out of beta.

• Consensys Diligence announces Fuzzing tool.

Help support BlockThreat!

Over the past two years, BlockThreat has gained more than a thousand followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Welcome to BlockThreat!

In this edition we will focus on education by reviewing the latest in blocksec research and tools. Avalanche network experienced its first major DeFi hack while another DeFi project on Solana have narrowly avoided losses thanks to a timely report and exploiting itself to save funds. On the more positive news, a money laundering network used by North Korean attackers was dismantled and CREAM got most of their funds back.

Let’s dive into the news, but first a special thank you to all of the Gitcoin Grant supporters. You folks rock!

News

• Mastercard acquires CipherTrace, a blockchain forensics company.

• Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors.

• CREAM Finance attackers partially returned stolen funds.

Hacks

• On September 12, 2021 Zabu Finance, an Avalanche-based DeFi project, lost $3.2 after an attacker exploited a bug in its Transfer Tax logic.

Vulnerabilities

• Mango Markets, a Solana-based DeFi project, patched a critical vulnerability in the token sale pool after receiving a responsible disclosure notification.

Research

• Smart Contract Security Guidelines #3: The Dangers of Price Oracles.

• Yearn Finance published an excellent thread on the tooling and processes used to manage smart contract security risks.

• EthClipper: A Clipboard Meddling Attack on Hardware Wallets with Address Verification Evasion discusses a social engineering technique to serve fake addresses which look similar to the legitimate ones.

• Clockwork Finance: Automated Analysis of Economic Security in Smart Contracts introduces a new formal verification framework.

• Elysium: Automagically Healing Vulnerable Smart Contracts Using Context-Aware Patching explores a novel, expandable tool which can be integrated into compilers to automatically eliminate vulnerability classes.

• A different perspective on smart contract security-solidity reverse discusses the use of reverse engineering in smart contract exploit analysis.

• Ethereum: the Messaging App covers multiple methods of communicating over the Ethereum network such as the use of payload field used by the PolyNetwork attacker.

Tools

• Solidity Shell by Consensys Diligence makes it easy and fun to experiment with Solidity snippets.

Help support BlockThreat!

Over the past two years, BlockThreat has gained 1000+ followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay safe and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Welcome to BlockThreat!

A relatively quiet week with just a few reports of NFT scam campaigns resulting in millions in losses. Alarming trends of yet another reentrancy exploit and previously exploited projects getting successfully attacked again. Enjoy this rare week of sub-$10M losses to catch up on a few great research articles below.

Scams

• An elaborate Banksy NFT scam almost cost a user $336K after Banksy website was compromised with a fake advertisement.

• A phishing attack targeting Aurorian NFT project on Solana results in users’ wallets getting emptied.

• Demystifying Scam Tokens on Uniswap Decentralized Exchange.

Hacks

• On September 2nd, 2021 Siren Protocol reentrancy bug was exploited which resulted in the loss of $3.5M worth of tokens.

• On September 3rd, 2021 DAO Maker lost $4M after an attacker was able to reinitialize the token and empty funds.

Research

• Chainalysis shared a report on Eastern Europe’s Crypto Crime Landscape.

• Blockchain Vulnerabilities in Practice by Nils Amiet (Kudelski Security).

• SMTChecker: (almost) practical superpower by Owleksiy.

• How We Proved the Eth2 Deposit Contract Is Free of Runtime Errors Consensys.

Help support BlockThreat!

Over the past two years, BlockThreat has gained 1000+ followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay safe and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Welcome to BlockThreat!

SushiSwap payed out a $1M bounty for a responsibly disclosed critical bug. Other DeFi projects promote bounties up to $2.5M. In comparison, zero day marketplaces pay $2.5M for full exploit chains in iOS and Android phones with an added requirement to not share bugs with manufacturers. Responsible disclosures are only in the $250K range for similar bugs. Is it only a matter of time before hobbyist criminals are replaced by seasoned grey hats who realized that the economics of DeFi exploits makes it a far more profitable enterprise?

Coordinated disclosure is really tricky. Ethereum and other compatible networks experienced networks splits after an attacker figured out a vulnerability in a hotpatch and launched an exploit before most nodes upgraded. In other news, Bilaxy exchange reported a hotwallet compromise, several DeFi projects experienced repeat hacks, new scammer technique targets Metamask users, and more in this week’s edition.

As a reminder, you can find post-mortem and exploit analysis archives of DeFi, exchange, blockchain, and other incidents in the OpenBlockSec Incidents repo. Feel free to send PRs to keep it up to date and complete!

News

• DeFiYield launched Rekt Archive, a DeFi security incident database.

• Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents.

Hacks

• On August 25, 2021 Dot Finance lost $429K after a reward calculation vulnerability was exploited using a flash loan.

• On August 27, 2021 Ethereum, BSC, and HECO networks experienced chain splits after CVE-2021-39137 vulnerability was exploited.

• On August 28, 2021 Bilaxy Exchange hotwallet was compromised which resulted in the loss of $21M.

• On August 29, 2021 xToken lost $4.5M after a function access control error was exploited by an attacker.

• On August 30, 2021 CREAM Finance reentrancy vulnerability was exploited which resulted in the loss of $18.8M.

Vulnerabilities

• Tidal Finance patched a logic error vulnerability after it was responsibly disclosed by Csanuragjain.

• OpenZeppelin patched a critical reentrancy vulnerability in TimelockController after it was responsibly disclosed by Zb3 through Immunefi.

Scams

• Reports of an ongoing scam campaign tricking users into exposing their Metamask QR code.

Ransomware

• Ragnarok ransomware gang shuts down and releases a free decrypter.

• FBI issued a flash report on OnePercent ransomware group.

Research

• Hacker-Powered Security and DeFi: How Human Intelligence Improves Cryptocurrency Security by HackerOne interview with Sam.

• Top DeFi and Blockchain Security Issues by Halborn.

• Tracking the Stolen Assets from the Liquid Exchange Hacking by Sentinel Protocol Team.

Help support BlockThreat!

Over the past two years, BlockThreat has gained 1000+ followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay safe and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Exchange hot wallet compromises have been getting more and more rare in recent years as security practices continued to mature. Unfortunately, Liquid Exchange broke this pattern in a massive $94M hack perpetrated by well prepared attackers. SushiSwap narrowly avoided a $350M hack thanks to a timely report by samczsun. Solana experienced a (possibly first) DeFi hack. Last but not least, expect to see an increase in exchange account takeovers after a massive T-Mobile hack.

Let’s dive into the news, but first a special thank you to Oak Security which sponsored this week’s edition:

Oak Security focuses on third-generation blockchains and blockchain interoperability. Oak’s client base has a combined market cap of over $10 billion. The company specializes in Terra, Cosmos, Polkadot, and Flow security, and is the leading provider of CosmWasm security audits. Oak security is growing and hiring new auditors.

News

• T-Mobile breach exposed names, addresses, social security numbers, drivers license, and other sensitive data of up to 50M customers. The incident will likely result in increased SIM swapping and account takeover attacks targeting financial institutions including cryptocurrency exchanges.

• Five BitConnect promoters paid a combined penalty of 190 BTC and $3.5M in a settlement with SEC.

• Helix mixer operator pleads guilty, forfeits 4.4K BTC and other assets.

• Ransomware gangs solicit disgruntled employees in a profit sharing scheme to install malware on their company’s machines.

Hacks

• On August 16, 2021 xSurge reentrancy vulnerability was exploited which resulted in the theft of $4M worth of BNB.

• On August 18, 2021 Liquid Exchange announced that its warm wallets were compromised after $94M were stolen from its Bitcoin, Ethereum, Tron, and Ripple wallets. In what appears as a highly planned operation, attackers quickly exchanged stolen assets on centralized and decentralized exchanges.

• On August 18, 2021 Pinecone Finance lost $17.5K after the attacker bypassed transaction validation implemented in the front-end.

• On August 19, 2021 Solend, a Solana based DeFi project, lost $16K as a result of an insecure authentication check.

• On August 21, 2021 Sentinel reported a theft of $1M worth of DVPN tokens after a mnemonic phrase was leaked during a swap with HitBTC exchange.

Vulnerabilities

• SushiSwap patched a critical vulnerability in the DutchAuction contract caused by incorrect handling of msg.value after it was responsibly disclosed by samczsun. $350M were rescued by force halting the auction.

• Pods Finance patched a yield theft vulnerability after it was responsibly disclosed by Csanuragjain.

• xDai patched an arbitrary method call vulnerability after it was responsibly disclosed by 0xadee028d.

• Polygon patched a DoS vulnerability in its StakeManagerProxy and StakeManager contracts after it was responsibly disclosed by Ashiq Amien.

Media

• Decyphered Video Series by Halborn covers the latest blockchain hacks.

• Ransomware: Last Week Tonight with John Oliver 

• Auditing Smart Contracts Live with Mudit Gupta

Research

• RansomClave: Ransomware Key Management using SGX research explores ransomware use of secure enclave to store decryption keys.

• Mitigating Miner Extractable Value (MEV) with Gnosis Safe by Tobias Schubotz (Gnosis)

• Tradeoff Between Convenience and Security: Unlimited Approval in ERC20 by BlockSecTeam explores risks and incidents caused by infinite approvals.

Help support BlockThreat!

Over the past two years, BlockThreat has gained 1000+ followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay safe and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)