Four separate DeFi projects were exploited last week with $30M worth of crypto stolen, GoDaddy had its own Twitter moment with multiple cryptocurrency-related projects attacked, scammers are getting creative with DEX, and more in this week’s edition of Blockchain Threat Intelligence.

Crime

• Social engineering campaign targeting GoDaddy employees used to attack multiple cryptocurrency businesses including NiceHash, Liquid Exchange, and others.

• Scammers are creating fake liquidity pools on DEXs such as Uniswap to trick users into purchasing doppelgänger tokens. For example, a fake Deriswap token was created and immediately deployed on Uniswap. Within minutes, the scammer made off with a ~92 ETH profit.

Hacks

• On November 21, 2020 Pickle Finance’s pDAI PickleJar was hacked which resulted in the loss of 19.76M DAI. A whitehat team was able to quickly analyze and replicate the exploit and help Pickle Finance implement mitigations. Interestingly, the loss was covered by COVER protocol insurance.

• On November 18, 2020 NiceHash’s DNS records were taken over by attackers. The hack is the latest in the series of attacks on cryptocurrency projects hosted on GoDaddy.

• On November 17, 2020 two separate vulnerabilities were discovered in the 88mph project. The first money printing bug was exploited by an unknown attack and resulted in a $100K loss. The second vulnerability was responsibly disclosed by samczsun and used to rescue the remainder of funds in the Uniswap pool.

• On November 16, 2020 Origin Protocol contract was exploited using a reentrancy vulnerability in the mint logic. The attack resulted in a $7.7M loss.

• On November 16, 2020 A price oracle weakness in the Cheese Bank DeFi contract was exploited using a flash loan attack which resulted in a $3.3M loss.

• On November 13, 2020 Liquid exchange’s DNS record was taken over by an attacker through social engineering of GoDaddy. The compromise may have resulted in the loss of login and personal information.

Research

• Modelling Attacks in Blockchain Systems using Petri Nets.

• Demystify the dark forest on Ethereum - Sandwich Attacks.

Competitions

• 0xPOLAND is an ongoing competition challenging players to crack open a puzzle in a smart contract.

Stay informed, stay healthy, and see you next week!

-Peter

Not too much calm on the Ethereum network this week. No only did we experience two DeFi project hacks resulting in multi-million losses, the network itself ran into a chain split after someone was playing with a silently patched vulnerability in older Geth clients. Monero reported an attempted Sybil attack, KuCoin got more tokens to fork themselves to return stolen funds, bugs are slowly getting squashed in ETH 2.0 clients, and more news in this week’s edition of Blockchain Threat Intelligence.

Hacks

• On November 14, 2020 Value DeFi developers reported that their smart contract was exploited which resulted in a loss of about 7.4M DAI. Interestingly the attack came shortly after Value DeFi tweeted about project’s invulnerability to Flash-loan attacks. Following the hack, the attacker returned 2M DAI with a taunting note questioning the earlier tweet. The attacker returned 95K more DAI after hearing on-chain user pleas.

• On November 12, 2020 Akropolis DeFi project was exploited resulting in a loss of 2M DAI through a reentrancy vulnerability.

• On November 11, 2020 Ethereum network split after a bug in older versions of Geth was triggered by Optimism developers. In the incident post-mortem, Geth developers not that the vulnerability was silently fixed in Geth v1.9.17 released on July 20th, 2020. The split affected critical Ethereum projects using outdated node software such as Infura and caused some exchanges to suspend withdrawals.

• On November 10, 2020 Monero blockchain underwent a Sybil attack which did not appear to be effective.

• KuCoin reported that 84% of the stolen funds were now returned. The recovery was made possible by a large number of Ethereum token asset issuers who had to perform token swaps and forks to claw back stolen the funds.

Vulnerabilities

• A DoS vulnerability was discovered in Geth caused by CVE-2020-28362 in a Go standard library.

• A vulnerability was discovered in Solidity compiler which may allow specially crafted storage fields to inject data into memory.

• Two consensus vulnerabilities were discovered in a ETH 2.0 Prysm client.

Malware

• Fake Uniswap mobile app was listed on Google Play Store. The app asked users for their mnemonic phrase to steal their funds.

Research

• CipherTrace report on DeFi security incidents notes almost $100M worth of crypto were stolen or hacked in 2020.

• Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited.

• Tracking Counterfeit Cryptocurrency End-to-end.

Tools

• Miao - EVM Transaction Decoder

• ETH 2.0 Fork monitor

Competitions

• Damn Vulnerable DeFi Wargame Setup and Walkthrough.

• Donjon CTF by Ledger.

Media

• CBC’s “The FBI Declassified” featured an episode on the Silk Road takedown.

That’s all for this week in Blockchain Threat Intelligence. Stay healthy, stay informed and see you next week!

-Peter

This week marks the largest forfeiture of cryptocurrency assets in history with ~$1B worth of bitcoin stolen from Silk Road voluntarily returned to IRS. Grin network came under 51% attack with hash capacity likely rented on Nicehash, BSV P2PKH multi-sig wallet implementation exploited to steal funds, Ethereum had an ETHash bug, and more of the usual DeFi shenanigans in this week’s edition of Blockchain Threat Intelligence.

Crime

• US Government Agencies seize more than $1B in cryptocurrency connected to the darknet market Silk Road. According to the US DoJ release, 69,370.22491543 BTC (and forks such as BCH, BSV, and others) were voluntarily transferred to IRS by an individual who has previously stolen those funds from Silk Road. While the Silk Road hacker will remain free and anonymous, it is still odd that he or she came forward only 7 years after the hack.

• US DoJ seized $24M worth of cryptocurrencies held by a cryptocurrency firm to assist Brazilian authorities with the “Operation Egypto” investigation into a $200M crypto fraud scheme.

• Huobi COO Zhu Jiawei was reported to be under police investigation following a series of BTC and USDT withdrawals from the exchange.

• Binance helps recover $344K worth of crypto stolen by the Wine Swap DeFi project on Binance Smart Chain (BSC).

• Former Cryptopia exchange employee charged with stealing $250K worth of crypto.

• ISIS supporter caught sending bitcoin to help terror organization.

Hacks

• On November 7, 2020 GRIN network came under 51% attack where multiple blocks were reorged. Additional analysis points to NiceHash as the source of rented hashrate capacity necessary for the attack. It is not known if any of the exchanges were double spent as a result of the attack on the privacy coin.

• On November 7, 2020 a vulnerable implementation of the multi-sig wallet on BSV network was exploited to steal 600 BSV. The vulnerability was caused by the use of P2PKH accumulator multisig by the ElectrumSV wallet which can be unlocked with zero signatures.

• On November 2, 2020 Axion Network smart contract was compromised when an attacker minted 80B AXN tokens and exchanged them for 348 ETH ($133K). According to Certik, which has previously audited the contract, the malicious minting code was added after the audit.

Vulnerabilities

• An integer overflow vulnerability in Ethash library used by Ethereum and Ethereum Classic projects resulted in valid blocks getting rejected destabilizing the network. The vulnerability was responsibly disclosed by 2miners pool operators and Lolliedieb.

• A coding error resulted in $1M worth of crypto was permanently locked by Percent Finance, a Compound fork.

Malware

• Analysis of Ledger phishing email and fake client malware by SerHack.

• CAPCOM was attacked by Ragnar Locker ransomware group which stole 1TB of private data and demanded $11M worth of BTC for a decryptor.

Research

• Rescuing Schrodinger’s Cat in DeFi Dark Forest - an incident response writeup by the Anchain team to recover 1.2M staked USDC from a hacked wallet without tipping off the attacker.

• So you want to use a price oracle - Everything you need to know about price oracles and how to use them safely by samczsun.

• Why Proof of Stake by Vitalik Buterin.

Media

• DeFi Attack Vectors by Jamie Burke and Julien Bouteloup.

Thanks for joining me this week in blockchain threat intelligence news and see you all next week.

-Peter

Catching up on blockchain security news can be overwhelming. In this week’s edition we cover multiple hacking incidents, vulnerabilities in DeFi and crypto wallet projects. So with out further ado let’s dive in! Oh and don’t mine crypto at work especially if you work at an airport or a nuclear power station.

Crime

• Multiple hospitals were infected with ransomware. An earlier CISA report points to an ongoing campaign using TrickBot and BazarLoader malware to target more than 400 medical facilities.

• Dutch policed seized 2500 BTC in a money laundering investigation.

• BitMEX officials allegedly 'looted' $440 million from exchange after learning about U.S. charges, per lawsuit filing.

Hacks

• On November 1, 2020 Tron network was halted after its node infrastructure was attacked. Tron Foundation did not share any additional information about the exploit.

• On October 28, 2020 Cred, a crypto lending service, announced that all deposits and withdrawals will be paused without citing pending law enforcement investigation into handling of corporate funds by a perpetrator.

• On October 26, 2020 Ethercrash cold wallet was compromised with 6378 ETH stolen. The stolen funds were exchanged to DAI on Uniswap.

• On October 27, 2020 President Trump’s campaign website defaced with a message to cast a vote to release private data by sending Monero to two addresses corresponding to a YES or a NO.

Vulnerabilities

• A flash loan vulnerability was responsibly disclosed to the Yearn team which quickly patched it. The issues was caused by the lack of slippage checks in the TUSD deposit handling function.

• A flash loan was used to pass a proposal on MakerDAO. While the party behind the vote was legitimate and the vote did not cause a negative outcome, this transaction illustrates a previously discussed governance risk on the Maker platform.

• SushiSwap farming arbitrage exploit is being continuously exploited by whales.

• Magma, a Tezos blockchain wallet, patched a critical security update for their Android app. No additional vulnerability information was shared.

Phishing

• Backdoored online BIP39 tools website secretly record generated mnemonic phrases.

Research

• Deanonymizng the Kucoin Hacker tracks attackers through Tornado Cash mixer to a deposit on Binance.

• Smart Contract Fuzzing - How to find edge cases with echidna.

• DeFi Is Growing at Warp Speed, But Regulatory Status and Compliance Requirements Remain Unclear by Chainalysis.

• Flash Mint Arbitrage testnet payloads.

Tools

• Harvey: A greybox smart contract fuzzer.

• OpenZeppelin Defender, a smart contract security operations platform.

Media

• Bitcoin and the End of History, the final installment in a four part documentary series about cypherpunks.

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter

Phishing scams are on the rise with Office 365 and Ledger customers targeted last week. Old school SS7 exploits are still successfully used to take over email accounts belonging to folks in the industry. Another day, another DeFi project arbitraged for a few million stable coins and more in this week’s edition:

Crime

• Telegram and email accounts of high profile individuals in the crypto industry were hijacked by exploiting vulnerabilities in SS7 telco switches.

• A phishing campaign on Office 365 customers is using Coinbase themed emails in an attempt to take over their email accounts. Attackers are most likely trying to target users associated with the cryptocurrency exchange.

• Reports of a phishing campaign targeting Ledger users with a prompt to download an updated version of Ledger Live desktop software. It may be related to a recent leak of up to 1M email addresses belonging to Ledger customers.

• Finnish psychotherapy center patients are being extorted 200 euros in BTC to keep their stolen data private.

Hacks

• On October 25th, 2020 an arbitrage weakness in Harvest Finance was exploited to profit an attacker about $24M worth of USDC and USDT. Following the hack, the attacker has transferred gained to funds to the following bitcoin addresses using REN Protocol:
  
  1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM
  1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm
  14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg
  18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3
  1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
  1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa
  1CLHhshrusvT4XADWA29R2H4ndsSUamEWn

Vulnerabilities

• A reentrancy vulnerability was discovered and responsibly disclosed in BurgerSwap DeFi service hosted on Binance Smart Chain.

Research

• Financial Attacks on Democracy is a nice survey of using cryptocurrency to finance bad actors in the last election cycle.

• How This DoJ Strike Force Hunts Down Cryptocurrency Criminals

• Efficient audits with machine learning and Slither-simil

• Smart Contract Hacking Final Free Chapter - Hacking Games Via Bad Randomness Implementations on the Blockchain.

Thanks for joining me this week, stay healthy, and see you all in another edition next week!

-Peter