BlockThreat - Week 44, 2020
TrickBot | Tron | Cred | Ethercrash | Yearn
Peter Kacherginsky | Nov 11, 2020
Catching up on blockchain security news can be overwhelming. In this week’s edition we cover multiple hacking incidents and vulnerabilities in DeFi and crypto wallet projects. So without further ado, let’s dive in! Oh, and don’t mine crypto at work, especially if you work at an airport or a nuclear power station.
Crime
Multiple hospitals were infected with ransomware. An earlier CISA report points to an ongoing campaign using TrickBot and BazarLoader malware to target more than 400 medical facilities.
Dutch police seized 2500 BTC in a money laundering investigation.
BitMEX officials allegedly 'looted' $440 million from exchange after learning about U.S. charges, per lawsuit filing.
Hacks
On November 1, 2020 the Tron network was halted after its node infrastructure was attacked. The Tron Foundation did not share any additional information about the exploit.
On October 28, 2020 Cred, a crypto lending service, announced that all deposits and withdrawals will be paused without citing a pending law enforcement investigation into the handling of corporate funds by a perpetrator.
On October 26, 2020 the Ethercrash cold wallet was compromised with 6378 ETH stolen. The stolen funds were exchanged to DAI on Uniswap.
On October 27, 2020 President Trump’s campaign website was defaced with a message to cast a vote to release private data by sending Monero to two addresses corresponding to a YES or a NO.
Vulnerabilities
A flash loan vulnerability was responsibly disclosed to the Yearn team, which quickly patched it. The issue was caused by the lack of slippage checks in the TUSD deposit handling function.
A flash loan was used to pass a proposal on MakerDAO. While the party behind the vote was legitimate and the vote did not cause a negative outcome, this transaction illustrates a previously discussed governance risk on the Maker platform.
A SushiSwap farming arbitrage exploit is being continuously exploited by whales.
Magma, a Tezos blockchain wallet, released a critical security update for their Android app. No additional vulnerability information was shared.
Phishing
A backdoored online BIP39 tools website secretly records generated mnemonic phrases.
Research
Deanonymizing the Kucoin Hacker tracks attackers through the Tornado Cash mixer to a deposit on Binance.
Smart Contract Fuzzing - How to find edge cases with echidna.
DeFi Is Growing at Warp Speed, But Regulatory Status and Compliance Requirements Remain Unclear by Chainalysis.
Flash Mint Arbitrage testnet payloads.
Tools
OpenZeppelin Defender, a smart contract security operations platform.
Media
Bitcoin and the End of History, the final installment in a four part documentary series about cypherpunks.
That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up-to-the-minute news, and see you all next week.
-Peter