BlockThreat - Week 34, 2021

Bilaxy | xToken | CREAM | Dot | Geth | OpenZeppelin

Welcome to BlockThreat!

SushiSwap payed out a $1M bounty for a responsibly disclosed critical bug. Other DeFi projects promote bounties up to $2.5M. In comparison, zero day marketplaces pay $2.5M for full exploit chains in iOS and Android phones with an added requirement to not share bugs with manufacturers. Responsible disclosures are only in the $250K range for similar bugs. Is it only a matter of time before hobbyist criminals are replaced by seasoned grey hats who realized that the economics of DeFi exploits makes it a far more profitable enterprise?

Coordinated disclosure is really tricky. Ethereum and other compatible networks experienced networks splits after an attacker figured out a vulnerability in a hotpatch and launched an exploit before most nodes upgraded. In other news, Bilaxy exchange reported a hotwallet compromise, several DeFi projects experienced repeat hacks, new scammer technique targets Metamask users, and more in this week’s edition.

As a reminder, you can find post-mortem and exploit analysis archives of DeFi, exchange, blockchain, and other incidents in the OpenBlockSec Incidents repo. Feel free to send PRs to keep it up to date and complete!

News

Hacks

Vulnerabilities

Scams

Ransomware

Research


Help support BlockThreat!

Over the past two years, BlockThreat has gained 1000+ followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.


Stay informed, stay safe and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)