BlockThreat - Week 21, 2021
Belt Finance | BurgerSwap | Wild Credit | JulSwap | Merlin | AutoShark | Geth
Peter Kacherginsky | Jun 4
Almost $17M was stolen this week across various DeFi projects, with losses primarily generated by Pancake Bunny clones on the Binance Smart Chain. Things got so bad that Binance issued a call to action for developers to adopt secure engineering practices. The Crypto Core APT was linked with the Lazarus group, further solidifying North Korea's place as the primary threat to cryptocurrency exchanges around the world. This edition also features lots of excellent research papers, podcasts, and talks, but be sure to check out samczsun's excellent write-up on the critical Geth bug. With that, grab some coffee, this is going to be one of the larger editions!
Proactive defense for DeFi protocols: Security as a never-ending process workshop on June 4th 12:30pm UTC+0 by Immunefi
Binance Smart Chain experienced 8+ DeFi hacks in the past few weeks, prompting an official call to action to increase project security.
On May 29, 2021 Belt Finance's price calculation was manipulated using flash loans to steal $6.2M.
On May 27, 2021 a Wild Credit contract could be reinitialized, which resulted in the theft of $700K. Luckily the attacker was front-run by a bot, which returned the stolen funds to the project.
On May 26, 2021 Merlin Labs, a Pancake Bunny clone on BSC, was exploited twice: first through the same performance-fee minting vulnerability that hit Pancake Bunny, then through a separate incorrect price calculation vulnerability, resulting in losses of $680K and $540K respectively.
On May 24, 2021 the reward mechanism of AutoShark Finance, a Pancake Bunny clone on BSC, was exploited using a flash loan, resulting in the loss of $750K (2.2K WBNB).
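The Belt, Merlin and AutoShark items above share one root cause: an asset is priced from the instantaneous reserves of an AMM pool, and a flash loan can move those reserves arbitrarily within a single transaction. The simulation below is an added example, not code from any of these projects. It models a toy constant-product pool with a Uniswap-v2 style fee, a vault that credits collateral at the pool's spot price (the vulnerable pattern), and the same vault reading a per-block time-weighted average price instead. It also goes one step beyond the news items by quantifying what the manipulation costs the attacker in fees and slippage, which is what decides whether the attack is profitable. All reserve sizes, loan amounts and the 10-block window are constructed values.

```python
"""Flash-loan spot-price manipulation against a constant-product AMM oracle.

Added illustration, not code from Belt, Merlin, AutoShark or Pancake Bunny.
All numbers below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pool:
    """Toy x * y = k pool with a 0.3% swap fee that stays in the reserves."""
    reserve_a: float
    reserve_b: float
    fee_bps: int = 30

    def spot_price(self) -> float:
        """Price of one A in units of B, read straight from current reserves."""
        return self.reserve_b / self.reserve_a

    def _amount_out(self, amount_in: float, reserve_in: float, reserve_out: float) -> float:
        # Uniswap-v2 style formula: fee is taken from the input before the swap.
        in_with_fee = amount_in * (10_000 - self.fee_bps)
        return reserve_out * in_with_fee / (reserve_in * 10_000 + in_with_fee)

    def swap_b_for_a(self, amount_b: float) -> float:
        out = self._amount_out(amount_b, self.reserve_b, self.reserve_a)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        out = self._amount_out(amount_a, self.reserve_a, self.reserve_b)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out


class TwapOracle:
    """Samples the pool price once per block; an atomic intra-block swing never reaches it."""

    def __init__(self, window_blocks: int = 10):
        self.window_blocks = window_blocks
        self.samples: List[float] = []

    def observe(self, pool: Pool) -> None:
        """Called at a block boundary, never inside the attacker's transaction."""
        self.samples.append(pool.spot_price())
        self.samples = self.samples[-self.window_blocks:]

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


def value_with_spot(amount_a: float, pool: Pool) -> float:
    """Vulnerable: credits collateral at whatever the reserves say right now."""
    return amount_a * pool.spot_price()


def value_with_twap(amount_a: float, oracle: TwapOracle) -> float:
    """Hardened: credits collateral at the average price recorded over prior blocks."""
    return amount_a * oracle.price()


def simulate_attack(collateral_a: float = 1_000.0, flash_loan_b: float = 500_000.0) -> Dict[str, float]:
    """Run one atomic pump / read-price / dump cycle and report what each vault credits."""
    pool = Pool(reserve_a=1_000_000.0, reserve_b=1_000_000.0)   # constructed: 1 A == 1 B
    oracle = TwapOracle(window_blocks=10)
    for _ in range(10):                 # ten quiet blocks before the attack
        oracle.observe(pool)

    honest_value = value_with_spot(collateral_a, pool)

    # --- everything below happens inside one transaction ---
    bought_a = pool.swap_b_for_a(flash_loan_b)             # 1. pump the price of A
    pumped_spot = pool.spot_price()
    credited_spot = value_with_spot(collateral_a, pool)    # 2a. spot-priced vault over-credits
    credited_twap = value_with_twap(collateral_a, oracle)  # 2b. TWAP-priced vault is unmoved
    recovered_b = pool.swap_a_for_b(bought_a)              # 3. dump A back into the pool
    manipulation_cost = flash_loan_b - recovered_b         # 4. shortfall to repay the loan

    return {
        "honest_value": honest_value,
        "pumped_spot": pumped_spot,
        "credited_spot": credited_spot,
        "credited_twap": credited_twap,
        "excess_credit": credited_spot - honest_value,
        "manipulation_cost": manipulation_cost,
    }


if __name__ == "__main__":
    for key, val in simulate_attack().items():
        print(f"{key:>18}: {val:,.2f}")
```

With the constructed numbers, a 500K B flash loan roughly doubles the spot price of A, so the spot-priced vault credits about 2.25x the honest value while the TWAP vault still credits exactly 1 B per A. The round trip costs the attacker about 2K B in fees and slippage, so the attack only pays once the over-credited position is large relative to that fixed cost; that ratio, not the flash loan itself, is what the vulnerable projects above left uncapped.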
Geth patched a critical vulnerability, responsibly disclosed by samczsun, which could have resulted in an unintended hard fork.
CryptoJacking — Journey of How Cryptomining Turned Evil? by Rakesh Krishnan discusses cryptojacking tactics and major campaigns.
Crypto's Existential Threat MEV Panel with Phil Daian, Georgios Konstantopoulos, Charlie Noyes
MEV front-runners and arbitrage by Anatol Prisacaru
FlashBots: How to make $1m per month as a Solidity developer with Stephane Gosselin & Robert Miller
Community DeFi Bug Hunt by Carl Farterson
Hacks Averted by Duncan Townsend
Elliptic released its Sanctions Compliance in Cryptocurrencies report, which discusses evasion techniques including mixers, DEXes and no-KYC exchanges, privacy coins, or simply mining new coins directly.
Flashpoint released its Investigating Hydra: Where Cryptocurrency Roads All Lead to Russia and Go Dark report, calling attention to increased cryptocurrency activity on the marketplace.
What to Do After You’ve Been Hacked by Immunefi helps DeFi projects create an incident response plan.
There is Light in the Dark Forest by bloXroute discusses MEV risks and a new BackRunMe service that lets users submit private transactions.
An interesting honeypot contract found by Robert Miller (@bertcmiller)
Large collection of smart contract audits by DeFiYield.
Maximizing Your Arbitrage: Flash Loans by Patrick Collins
Understanding Security Risks in DeFi by CertiK
Ape Framework - The DeFi development tool for Pythonistas, Data Scientists, and Security Professionals.
Ethernal - a private blockchain explorer for EVM-based chains.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
Stay informed and see you in next week's edition!
- Peter Kacherginsky (iphelix)