Welcome back to the Blockchain Threat Intelligence newsletter! After a brief vacation, I’m catching up with the world of blocksec, which never ceases to amaze me. This week we witnessed a relatively rare minting exploit in a blockchain protocol which resulted in the loss of more than $4.5M. On the more traditional DeFi side, Merlin was exploited yet again with the now common reward calculation bug, followed by the NFTX marketplace losing 2 CryptoPunks due to a logic error.
Let’s dive into the news, but first a special thank you to Trail of Bits which sponsored this week’s edition:
On June 22, 2021, Haven Protocol, a Monero fork, suffered multiple attacks exploiting four different vulnerabilities over a period of 7 days, which resulted in $4.5M worth of assets being incorrectly minted. Most of the newly minted xBTC and xUSD coins have already been liquidated on the KuCoin and TradeOgre exchanges. On July 19, Haven Protocol scheduled a hard fork to roll back the hacked gains.
On June 28, 2021, a vulnerability in ThorChain's ETH Bifrost was exploited, which resulted in the theft of $140K worth of assets.
PancakeSwap fixed a logic bug that could have resulted in the loss of $700K after it was responsibly disclosed by Juno.
Cream Finance patched a bug in a discontinued mining rewards contract after it was responsibly disclosed by Armor’s Azeem.
Pods Finance fixed a logic error that could have resulted in the theft of yield after it was responsibly disclosed by Csanuragjain.
Yearn awarded a $200K bounty to xyzaudits for a vulnerability that could have liquidated the GenLevComp strategy debt position.
The Babuk Locker ransomware builder was publicly shared after the group behind it changed to the Ransomware-as-a-Service model.
NSABuffMiner cryptominer report by Guardicore.
The Future of Audits in DeFi Security by Immunefi.
Case Study: Hydra—Russia’s Largest Dark Market by CipherTrace.
UnRekt Smart Contract Allowance Checker is an online tool to quickly revoke token allowances from hacked projects.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable, consider supporting its future growth:
Stay informed and see you in next week’s edition!
- Peter Kacherginsky (iphelix)