Welcome to BlockThreat!
SushiSwap paid out a $1M bounty for a responsibly disclosed critical bug. Other DeFi projects promote bounties up to $2.5M. In comparison, zero-day marketplaces pay $2.5M for full exploit chains in iOS and Android phones, with the added requirement that the bugs not be shared with manufacturers. Responsible disclosures are only in the $250K range for similar bugs. Is it only a matter of time before hobbyist criminals are replaced by seasoned grey hats who realize that the economics of DeFi exploits make it a far more profitable enterprise?
Coordinated disclosure is really tricky. Ethereum and other compatible networks experienced network splits after an attacker figured out a vulnerability from a hotpatch and launched an exploit before most nodes had upgraded. In other news, Bilaxy exchange reported a hot wallet compromise, several DeFi projects experienced repeat hacks, a new scammer technique targets MetaMask users, and more in this week's edition.
As a reminder, you can find post-mortem and exploit analysis archives of DeFi, exchange, blockchain, and other incidents in the OpenBlockSec Incidents repo. Feel free to send PRs to keep it up to date and complete!
DeFiYield launched Rekt Archive, a DeFi security incident database.
On August 25, 2021, Dot Finance lost $429K after a reward calculation vulnerability was exploited using a flash loan.
On August 29, 2021, xToken lost $4.5M after a function access control error was exploited by an attacker.
Tidal Finance patched a logic error vulnerability after it was responsibly disclosed by Csanuragjain.
Reports of an ongoing scam campaign tricking users into exposing their MetaMask QR code.
Ragnarok ransomware gang shuts down and releases a free decrypter.
FBI issued a flash report on OnePercent ransomware group.
Hacker-Powered Security and DeFi: How Human Intelligence Improves Cryptocurrency Security, a HackerOne interview with Sam.
Top DeFi and Blockchain Security Issues by Halborn.
Tracking the Stolen Assets from the Liquid Exchange Hacking by Sentinel Protocol Team.
Help support BlockThreat!
Over the past two years, BlockThreat has gained 1000+ followers, including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable, consider supporting its future growth:
Stay informed, stay safe, and see you in next week's edition!
- Peter Kacherginsky (iphelix)