Welcome to BlockThreat!
This week’s edition is jam packed with post-mortems, vulnerabilities, research papers, and the latest in blocksec news. A truly bizarre hack happened involving the Kia Sedona auction on SushiSwap with all of the funds returned after the attacker received a miso soup delivery along with a not so friendly legal call. IRS is at it again soliciting exploits for hardware wallets, another cross-chain protocol loses $12.5M, new cryptominer malware family, and more in this never dull space. You can find all of the incidents below in the OpenBlockSec incidents directory.
Let’s dive into the news, but first a special thank you to all of the Gitcoin Grant supporters as well as Breadcrumbs.app who sponsored this week’s edition:
Events
September 23rd, 11:00 AM ET - The Women to Know in Investigations hosted by Chainalysis.
News
Internal Revenue Service contracted VTO Labs to help it exploit hardware wallets with the purpose of obtaining account and other forensic data.
UC San Diego student indicted for a SIM swapping and extortion scheme with the help of a cell phone company employee.
Bitcoin address involved in the 2014 Mt.Gox hack reactivated after 7 years.
REvil ransomware master decrypter released for all victims.
Hacks
On September 10, 2021 Electroneum customer database was breached which may have exposed users ETN wallet addresses, password hashes, PINs, email addresses, phone numbers and other sensitive data.
On September 14, 2021 SecretSwap, a Secret Network DEX, was successfully exploited. No additional details about the hack are available.
On September 14 2021 Ethereum network witnessed a broadcast of ~550 specially crafted, invalid blocks. The minority of Nethermind nodes forked to an invalid chain.
On September 15, 2021 NowSwap Protocol logic error vulnerability was successfully exploited which resulted in the $1M loss.
On September 16, 2021 Defibox, an EOS-based DeFi project, was successfully exploited which resulted in the theft of ~$24K worth of EOS.
On September 17, 2021 SushiSwap MISO auction was hacked in a supply chain attack which resulted in the theft of $3.1M worth of ETH. In a truly bizarre twist all of the funds were returned after the perpetrator was identified and received a miso soup order to his home address along with a call from a lawyer.
On September 18, 2021 Reddit user Reckless_Satoshi demonstrated a routing fee siphoning attack against Bitfinex, OKex, Muun, LNMarkets, Southxchange, WalletOfSatoshi projects.
On September 19, 2021 pNetwork, a cross-chain protocol, backend log parsing vulnerability was exploited resulting in the theft of $12.5M worth of BTC on Binance Smart Chain bridge.
Vulnerabilities
Trezor fixed a security issue for Stellar coin on Trezor Model One.
OpenZeppelin issued a patch and preemptively initialized 170+ UUPS Proxy smart contracts across Ethereum, Polygon, xDAI, BSC, and Avalanche after a critical vulnerability in the UUPS proxy pattern was disclosed independently by Raymond Yeh and Ashiq Amien.
Yearn patched a bug which could allow an escrow contract to be re-initialized if the ownership is renounced.
Pancakebunny patched a critical vulnerability in polyBUNNY zap function after it was responsibly disclosed through Immunefi.
EthGlobal patched a persistent XSS vulnerability after it was responsibly disclosed by Elyx0
Scams
New scam campaign targeting OpenSea sellers with phishing emails.
Malware
Capoae cryptominer malware targets vulnerable Wordpress, Jenkins, WebLogic, and ThinkPHP linux servers.
Other Incidents
On September 7, 2021 OpenSea bug resulted in 42 NFTs getting sent to to a burn address.
On September 12, 2021 Yam Finance accidentally minted 20B YAM.
On September 17, 2021 Arbitrum Sequencer halted as a result of a bug.
On September 15, 2021 Solana consensus protocol halted after the network was flooded with bot transactions.
Research
Identifying Ransomware Actors in the Bitcoin Network using machine learning with 85% accuracy.
What’s in Your Wallet? Privacy and Security Issues in Web 3.0.
Uncover the mystery of flash loans by Knowsec Blockchain Lab.
How to Get a Bigger Bounty by Optimizing Attack Parameters by Immunefi.
OpenZeppelin Smart Contract Security Guidelines and Live Sessions by OpenZeppelin.
Tools
Breadcrumbs blockchain analytics tool comes out of beta.
Consensys Diligence announces Fuzzing tool.
Help support BlockThreat!
Over the past two years, BlockThreat has gained more than a thousand followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.
Stay informed and see you in the next week’s edition!
- Peter Kacherginsky (iphelix)