Not too much calm on the Ethereum network this week. No only did we experience two DeFi project hacks resulting in multi-million losses, the network itself ran into a chain split after someone was playing with a silently patched vulnerability in older Geth clients. Monero reported an attempted Sybil attack, KuCoin got more tokens to fork themselves to return stolen funds, bugs are slowly getting squashed in ETH 2.0 clients, and more news in this week’s edition of Blockchain Threat Intelligence.

Hacks

• On November 14, 2020 Value DeFi developers reported that their smart contract was exploited which resulted in a loss of about 7.4M DAI. Interestingly the attack came shortly after Value DeFi tweeted about project’s invulnerability to Flash-loan attacks. Following the hack, the attacker returned 2M DAI with a taunting note questioning the earlier tweet. The attacker returned 95K more DAI after hearing on-chain user pleas.

• On November 12, 2020 Akropolis DeFi project was exploited resulting in a loss of 2M DAI through a reentrancy vulnerability.

• On November 11, 2020 Ethereum network split after a bug in older versions of Geth was triggered by Optimism developers. In the incident post-mortem, Geth developers not that the vulnerability was silently fixed in Geth v1.9.17 released on July 20th, 2020. The split affected critical Ethereum projects using outdated node software such as Infura and caused some exchanges to suspend withdrawals.

• On November 10, 2020 Monero blockchain underwent a Sybil attack which did not appear to be effective.

• KuCoin reported that 84% of the stolen funds were now returned. The recovery was made possible by a large number of Ethereum token asset issuers who had to perform token swaps and forks to claw back stolen the funds.

Vulnerabilities

• A DoS vulnerability was discovered in Geth caused by CVE-2020-28362 in a Go standard library.

• A vulnerability was discovered in Solidity compiler which may allow specially crafted storage fields to inject data into memory.

• Two consensus vulnerabilities were discovered in a ETH 2.0 Prysm client.

Malware

• Fake Uniswap mobile app was listed on Google Play Store. The app asked users for their mnemonic phrase to steal their funds.

Research

• CipherTrace report on DeFi security incidents notes almost $100M worth of crypto were stolen or hacked in 2020.

• Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited.

• Tracking Counterfeit Cryptocurrency End-to-end.

Tools

• Miao - EVM Transaction Decoder

• ETH 2.0 Fork monitor

Competitions

• Damn Vulnerable DeFi Wargame Setup and Walkthrough.

• Donjon CTF by Ledger.

Media

• CBC’s “The FBI Declassified” featured an episode on the Silk Road takedown.

That’s all for this week in Blockchain Threat Intelligence. Stay healthy, stay informed and see you next week!

-Peter