DeFi hacks are on the rise again with more than $22M stolen this week. BSV suffered yet another series of 51% attacks which created multiple conflicting chains and left miners unsure which chain to follow. Scammers are perfecting their craft on all fronts, including realistic deepfake Zoom calls. On the good side, this week featured the Reorg.WTF and DEF CON Blockchain Village conferences with many excellent blockchain security talks.
Let’s dive into the news, but first a special thank you to Oak Security which sponsored this week’s edition:
Oak Security focuses on third-generation blockchains and blockchain interoperability. Oak’s client base has a combined market cap of over $10 billion. The company specializes in Terra, Cosmos, Polkadot, and Flow security, and is the leading provider of CosmWasm security audits. Oak Security is growing and hiring new auditors.
REORG.WTF conference video recordings and slides on all topics related to blockchain reorgs, 51% attacks, MEVs, etc.
DEF CON 29 - Blockchain Village video recordings on flash loans, smart contract security, threat modeling, and other blockchain security topics.
Investigating Twitter Reply Scam Rings by Harry Denley documents an experiment tracking Twitter bots attempting to steal crypto wallets.
The Andre Cronje Mis-hap — Fake Partnership Cryptocurrency Fraud by Blackswan Token is a fascinating account of a new deepfake impersonation scam involving Zoom calls, fake passports, and other forged documents.
Multiple airdrop scam campaigns (EVER, VERA, MNEB, and others) on the Ethereum and BSC networks entice users to visit malicious Dapps and approve transfers to all of their wallets.
On August 3, 2021 Popsicle Finance lost $20.7M after a vulnerability in its reward calculation mechanism was exploited.
On August 4, 2021 Wault Finance lost $816K after a price pegging vulnerability in its smart contracts was exploited using flash loans.
On August 4, 2021 Casper DeFi lost $172K after a malicious insider took advantage of a backdoor they had embedded to mint and sell Casper tokens.
On August 8, 2021 Zerogoki lost $670K after an attacker fabricated a price oracle transaction as a result of compromised private keys or an unknown vulnerability.
Teller fixed an uninitialized proxy vulnerability after it was responsibly disclosed by Bugdefeat.
Fake Google Ads were used to spread a Brave browser installer bundled with ArechClient and SectopRAT malware.
Ransomwhere - an open, crowdsourced ransomware payment tracker.
Build Your Bug Bounty: Smart Contract Pentesting Overview by Immunefi describes steps to set up a smart contract pentesting environment and shares a sample Fei exploit.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours each week to prepare. If you have found BlockThreat valuable, consider supporting its future growth:
Stay informed, stay safe, and see you in next week’s edition!
- Peter Kacherginsky (iphelix)