BlockThreat - Week 43, 2020

Harvest | BurgerSwap | SS7 | Office 365 | Ledger

Phishing scams are on the rise, with Office 365 and Ledger customers targeted last week. Old school SS7 exploits are still successfully used to take over email accounts belonging to folks in the industry. Another day, another DeFi project arbitraged for a few million in stablecoins, and more in this week’s edition:

Crime

Hacks

  • On October 25th, 2020 an arbitrage weakness in Harvest Finance was exploited, netting the attacker about $24M worth of USDC and USDT. Following the hack, the attacker transferred the stolen funds to the following Bitcoin addresses using REN Protocol:

    1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM
    1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm
    14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg
    18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3
    1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
    1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa
    1CLHhshrusvT4XADWA29R2H4ndsSUamEWn

Vulnerabilities

Research

Thanks for joining me this week, stay healthy, and see you all in another edition next week!

-Peter

BlockThreat - Week 42, 2020

OKEx | Helix | SushiSwap | ETC | Solidity

A relatively quiet week, with news of arrests and fines popping up from law enforcement agencies across the world. IOHK published a very interesting whitepaper on 51% attacks, future SushiSwap clones have an interesting backdoor to exploit, brainwallets are still a really bad idea, politicians are stealing the government’s electricity to mine crypto, and other news in this week’s edition.

News

Vulnerabilities

Research

Competitions

Fun

Cheers!

-Peter

BlockThreat - Week 41, 2020

UniCats | Blue Kirby | SushiSwap | Curve

The rise in popularity of DeFi projects has also brought a new wave of scams and scammers. We will focus on three different examples, ranging from traditional confidence scams to more technical backdoored smart contracts. OpenEthereum and ETH2 have announced bug bounty programs. TeamTNT is fighting other cryptojackers with their Black-T malware, and other news in this week’s edition.

News

  • Cryptocurrency Enforcement Framework was published by the DoJ. The report focuses on crimes involving cryptocurrency (e.g. drug dealing), money laundering, and theft of cryptocurrency. It also outlines threats posed by nation states such as North Korea and Iran.

Scams

Vulnerabilities

Malware

  • Black-T malware targets weakly secured AWS accounts to mine Monero. The sample proactively kills any competing miners it finds on the compromised hosts.

Research

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter

BlockThreat - Week 40, 2020

BitMEX | Eminence | KuCoin | REvil

BitMEX is in serious trouble with the U.S. DoJ, with one of the co-owners arrested. No more ransomware payments unless you want OFAC to come after you for financing North Korean nukes. DeFi hackers stole so much that they have started voluntarily returning half of their stolen loot. Ethereum miners caught in MEV schemes, and other excellent research articles in this week’s edition.

News

Hacks

Vulnerabilities

Malware

Events

  • Solidity Underhanded Contest is a competition to hide malicious behaviour in a Solidity smart contract that looks innocent on review. This year’s theme is upgradeable contracts.

Research

  • MEVs are coming tweet storm by @FrankResearcher reveals real world examples of Ethereum miners engaging in execution arbitrage, i.e. using their control over transaction ordering to capture profit. Miner Extractable Value (MEV) was first discussed in the Flash Boys 2.0 paper on front-running transactions.

  • EMN Exploit case study implements a complete exploit used to attack the Eminence Finance contract.

  • Check out Smart Contract Hacking training series blog posts, Github repo, and YouTube channel.

  • A DoS attack vector against Eth2 nodes using time servers. The attack works by setting the node’s clock far into the future using malicious NTP servers while also broadcasting future chain state from attacker-controlled validators. Once the target node’s validator signs an attestation for a far-future epoch, its own slashing protection refuses to sign anything for earlier epochs, so the validator stays locked out until the real chain catches up to the epoch it attested to.
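The sandwich below is an added example to illustrate the MEV item above; it is not code from the tweet storm, the Flash Boys 2.0 paper, or any miner. It models a Uniswap-v2-style constant-product pool with the 0.3% fee (the 997/1000 integer formula) and shows what a miner who controls transaction ordering can extract from a single victim swap. The pool reserves, the victim’s swap and the attacker’s sizes are constructed inputs; gas costs are ignored.

```python
# Added example (not from the newsletter or any project it links): a miner-ordered
# "sandwich" on a constant-product AMM, the simplest form of execution arbitrage.
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # 0.3% swap fee, as in Uniswap v2


@dataclass
class Pool:
    """Constant-product pool (reserve_a * reserve_b stays >= k) with integer math."""
    reserve_a: int
    reserve_b: int

    @staticmethod
    def quote(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        # Uniswap v2 getAmountOut: fee is taken from the input side, floor division.
        ain = amount_in * FEE_NUM
        return (ain * reserve_out) // (reserve_in * FEE_DEN + ain)

    def swap_a_for_b(self, amount_in: int) -> int:
        out = self.quote(amount_in, self.reserve_a, self.reserve_b)
        self.reserve_a += amount_in
        self.reserve_b -= out
        return out

    def swap_b_for_a(self, amount_in: int) -> int:
        out = self.quote(amount_in, self.reserve_b, self.reserve_a)
        self.reserve_b += amount_in
        self.reserve_a -= out
        return out


def sandwich(pool: Pool, victim_in_a: int, attacker_in_a: int) -> tuple[int, int, int]:
    """Return (attacker_profit_in_a, victim_out_b, victim_out_b_without_sandwich).

    The miner places its own A->B swap before the victim's, lets the victim
    execute at the worse price, then sells the B back immediately after.
    """
    honest = Pool(pool.reserve_a, pool.reserve_b).swap_a_for_b(victim_in_a)

    p = Pool(pool.reserve_a, pool.reserve_b)
    got_b = p.swap_a_for_b(attacker_in_a)        # 1. front-run
    victim_out = p.swap_a_for_b(victim_in_a)     # 2. victim, now at a worse price
    back_a = p.swap_b_for_a(got_b)               # 3. back-run, unwind position
    return back_a - attacker_in_a, victim_out, honest


def best_front_run(pool: Pool, victim_in_a: int, step: int, max_in: int) -> tuple[int, int]:
    """Brute-force the front-run size that maximises miner profit (size, profit)."""
    best = (0, 0)
    for size in range(step, max_in + 1, step):
        profit, _, _ = sandwich(pool, victim_in_a, size)
        if profit > best[1]:
            best = (size, profit)
    return best


if __name__ == "__main__":
    # Constructed scenario: balanced pool of 100k A / 100k B, victim sells 1,000 A.
    pool = Pool(100_000, 100_000)
    profit, victim_out, honest = sandwich(pool, 1_000, 5_000)
    print(f"victim receives {victim_out} B instead of {honest} B; miner profit {profit} A")
    print("best front-run found:", best_front_run(pool, 1_000, 1_000, 50_000))
```

Every unit of the victim’s worse execution ends up either in the miner’s pocket or in the pool’s fee accrual, which is why ordering control alone is a revenue stream; the search loop is the part a real miner or bot automates across the whole mempool.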

That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.

-Peter

BlockThreat - Week 39, 2020

KuCoin | Lien | Alien | Teatime | Pool Detective

A tough week for the Singaporean exchange KuCoin which suffered a major $281m hack. On the bright side, Lien Finance’s smart contract was preventively hacked to save $9.6m worth of ETH which also resulted in a fascinating article in the research section on beating front-running bots. This week’s edition features a lot more excellent papers, new tool releases, and two new blockchain security competitions. In other news, folks should really reconsider mining crypto on their employer’s supercomputers.

Hacks

Malware

  • Alien Android malware family is targeting Coinbase, Blockchain.com, Luno, and other cryptocurrency and banking wallet apps. It steals credentials, intercepts and steals SMS messages, and carries other banking trojan functionality.

Research

Projects

Competitions

  • DeFi Detectives is another live CTF by folks challenging players to hunt down Uniswap hackers and investigate SushiSwap’s exit scam.

  • Damn Vulnerable DeFi wargame by OpenZeppelin’s tincho challenges players to sharpen their DeFi skills.

That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.

-Peter
