BlockThreat - Week 33, 2021
Liquid | T-Mobile | SushiSwap | Pinecone | Solend | Sentinel
Exchange hot wallet compromises have become increasingly rare in recent years as security practices have matured. Unfortunately, Liquid Exchange broke this pattern with a massive $94M hack perpetrated by well-prepared attackers. SushiSwap narrowly avoided a $350M hack thanks to a timely report by samczsun. Solana experienced what is possibly its first DeFi hack. Last but not least, expect to see an increase in exchange account takeovers after a massive T-Mobile hack.
Let’s dive into the news, but first a special thank you to Oak Security which sponsored this week’s edition:
Oak Security focuses on third-generation blockchains and blockchain interoperability. Oak’s client base has a combined market cap of over $10 billion. The company specializes in Terra, Cosmos, Polkadot, and Flow security, and is the leading provider of CosmWasm security audits. Oak Security is growing and hiring new auditors.
The T-Mobile breach exposed names, addresses, social security numbers, driver's license information, and other sensitive data of up to 50M customers. The incident will likely result in increased SIM swapping and account takeover attacks targeting financial institutions, including cryptocurrency exchanges.
Five BitConnect promoters paid a combined penalty of 190 BTC and $3.5M in a settlement with the SEC.
Helix mixer operator pleads guilty, forfeits 4.4K BTC and other assets.
Ransomware gangs solicit disgruntled employees in a profit-sharing scheme to install malware on their company’s machines.
On August 16, 2021, a reentrancy vulnerability in xSurge was exploited, resulting in the theft of $4M worth of BNB.
On August 18, 2021, Liquid Exchange announced that its warm wallets were compromised after $94M was stolen from its Bitcoin, Ethereum, Tron, and Ripple wallets. In what appears to be a highly planned operation, the attackers quickly exchanged the stolen assets on centralized and decentralized exchanges.
On August 18, 2021, Pinecone Finance lost $17.5K after an attacker bypassed transaction validation implemented in the front end.
On August 19, 2021, Solend, a Solana-based DeFi project, lost $16K as a result of an insecure authentication check.
SushiSwap patched a critical vulnerability in the DutchAuction contract, caused by incorrect handling of msg.value, after it was responsibly disclosed by samczsun. $350M was rescued by force-halting the auction.
Pods Finance patched a yield theft vulnerability after it was responsibly disclosed by Csanuragjain.
Decyphered Video Series by Halborn covers the latest blockchain hacks.
Ransomware: Last Week Tonight with John Oliver
Auditing Smart Contracts Live with Mudit Gupta
The research paper "RansomClave: Ransomware Key Management using SGX" explores ransomware's use of secure enclaves to store decryption keys.
Mitigating Miner Extractable Value (MEV) with Gnosis Safe by Tobias Schubotz (Gnosis)
"Tradeoff Between Convenience and Security: Unlimited Approval in ERC20" by BlockSecTeam explores the risks of, and incidents caused by, infinite approvals.
Stay informed, stay safe, and see you in next week’s edition!
- Peter Kacherginsky (iphelix)