BlockThreat - Week 24, 2021
Ledger | Clop | Alchemix | Visor | Impossible | BeetsFarm | Iron Finance
Never a dull week in blockchain security! Scammers have really stepped up their game by physically mailing backdoored Ledger hardware wallets, NFT creators were targeted with cryptostealer malware, multiple DeFi projects were compromised due to design and operational weaknesses, and of course a massive bank run on a stablecoin with a weak stabilization design wiped out $2B in value. On the bright side, Ukrainian cyber police locked up six actors associated with Clop ransomware, and we have a couple of great DeFi security panels and workshops featured in this week’s edition.
Ukraine arrested members of the Clop/FancyCat ransomware group, which helped launder profits from Cl0p and Petya ransomware campaigns. Binance, TRM Labs, and Crystal (BitFury) assisted various law enforcement agencies with the bust.
REvil ransomware hit US nuclear weapons contractor Sol Oriens. Several internal documents were posted on REvil’s Happy Blog as evidence.
DeFi Summit - DeFi Security Threats & Economic Hacks with Rob Behnke, Steven Walbroehl (Halborn), Will Shahda (APY.Finance), & Peter Kacherginsky (Coinbase)
HackMoney - DeFi Security Panel with Mariano Conti, Sam Sun, Maurelian, Emiliano Bonassi, Martin Abbatemarco.
HackMoney - Flashbots: Finding & Capturing MEV 101 with thegostep and Robert Miller.
Source Code - EP162 - How ransomware boomed and where it goes next.
The BeetsFarm Finance project stole $100K+ in user funds after calling a backdoored emergency withdraw function.
Ledger users were targeted with a backdoored hardware wallet mailed to their physical addresses, likely obtained in the recent leak.
Reports of an ongoing phishing campaign targeting NFT creators with malware to steal wallet keys.
On June 16, 2021, a vulnerability in Alchemix Finance's reward calculation logic allowed users to withdraw collateral without paying off loans. The vulnerability was exploited, resulting in the loss of $6.53M. Alchemix has since launched a voluntary return program for those who benefited.
Zapper patched a critical vulnerability which allowed arbitrary call payloads to their contracts after it was responsibly disclosed by Lucash-dev through the Immunefi platform.
On June 16, 2021, Iron Finance experienced a bank run when a weakness in the stabilization mechanism pushed the price of the TITAN token to 0. The crash famously affected Mark Cuban, who called for DeFi regulation.
The "From 0 to mainnet in some week?" thread by @tinchoabbate outlines key security pitfalls in DeFi projects racing to launch.
Stay informed and see you in next week’s edition!
- Peter Kacherginsky (iphelix)