BlockThreat - Week 11, 2021
TSD | CREAM | PancakeSwap | Nifty | Iron Finance | SIL Finance
Peter Kacherginsky | Mar 30
This week we saw traditional appsec threats creep into the crypto world after a couple of DeFi projects lost control of their DNS infrastructure and NFTs were stolen through good ole’ account takeovers. On the blockchain layer we had a small scare where a block explorer reported a double spend on FileCoin, only to conclude that it was just an exchange not using the node API correctly. Last but not least, check out news of the upcoming QuadrigaCX documentary in the Media section.
Ethereum Foundation announced a bounty for the upcoming ETH2 beacon chain. It includes a wide range of beacon chain targets and attack vectors.
A Hacker Got All My Texts for $16 exposes a major flaw in mobile phone operators allowing anyone to reroute SMS from arbitrary phone numbers.
Nvidia Beta Driver accidentally removes cryptocurrency mining limiter from GeForce RTX 3060 video cards.
Romanian authorities arrested an individual responsible for $620K theft from an unknown exchange.
On March 13, 2021 True Seigniorage Dollar DAO was taken over by attackers after they acquired a majority stake. This allowed the attackers to deploy an upgrade that was used to mint and later sell 11.8B TSD tokens.
On March 15, 2021 Nifty Gateway reported that a number of NFTs were stolen after user accounts were compromised on their platform.
On March 16, 2021 Iron Finance vFarm reward misconfiguration resulted in the loss of 170K worth of SIL tokens.
On March 18, 2021 SIL Finance contract permissions vulnerability was exploited by a trading bot which resulted in the loss of $12.1M worth of SIL tokens. The anonymous bot operator returned all of the funds.
Binance was double crediting FileCoin deposits due to incorrect usage of the node API. The issue was briefly misidentified as a double spend.
Solidity patched a vulnerability in Keccak256 opcode handling.
TurtleDEX on Binance Smart Chain rug pulled its investors within hours of launch. $2.5M worth of BNB tokens were quickly exchanged on Binance.
A Year in the Life of a Compiler Fuzzing Campaign is the latest update in Trail of Bits’ long-running hunt for bugs.
Illegal Content and the Blockchain by Bruce Schneier explores threats to blockchains introduced by hidden messages stored inside them.
Wrecking sandwich traders for fun and profit is an article about a honeypot for MEV sandwichers.
Tackling Cross Site Scripting with Smart Contracts discusses injection threats and mitigations on DApps.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.
Stay informed and see you in next week’s edition!
- Peter Kacherginsky (iphelix)