BlockThreat - Week 5, 2021
Yearn | DeFlash | ArmorFi | Paradigm CTF | FlyingAtom
Peter Kacherginsky, Feb 10
Welcome to this week’s edition of Blockchain Threat Intelligence! First, congratulations to Team Dilicious (ConsenSys Diligence) for winning the amazing Paradigm CTF organized by @samczsun, @gakonst, @TylerCrimm and others.
Another major DeFi hack this year: Yearn Finance lost $11M. Critical vulnerabilities were responsibly disclosed to multiple DeFi projects, including a $1.5M bug bounty collected by Alexander Schlindwein from ArmorFi. Responsible disclosure is a very welcome trend in an industry plagued by vulnerabilities!
On a much sadder note, an exchange in Poland was physically robbed, with multiple employees injured. Unfortunately, physical attacks, while relatively rare, have devastating effects on human lives when they do occur.
This week’s edition also features a few interesting research articles on front-running, flash loans, and smart contract testing. Let’s dive into the news, but first a note from our friends and sponsors at Halborn:
Halborn is an award-winning, enterprise-grade cybersecurity advisory firm working with some of the best in blockchain and DeFi, including Blockfi, Bancor, Ava Labs and many more. We offer Security Advisory as a service, Advanced Penetration Testing, Smart Contract Auditing, Key Management and DevOps.
Police seize $60 million of bitcoin! Now, where’s the password? is a curious case of law enforcement being unable to access a criminal’s funds.
On February 4th, 2021 a vulnerability in Yearn’s v1 yDAI vault was exploited, resulting in an $11M loss. Multiple exploit analysis reports were published, all pointing to a sophisticated attacker using a chain of transactions to manipulate the pool and extract a profit. The hack was detected and mitigated within an hour of the first transaction, which helped minimize further damage. Interestingly, Tether has already frozen 1.7M of the stolen funds.
On January 22nd, 2021 the office of FlyingAtom was robbed by an armed attacker, resulting in the theft of 120K worth of gold and injuries to two employees.
DeFlash.finance moved users’ funds after a vulnerability was responsibly disclosed that could have resulted in a $580K loss. The Dedaub team has an excellent writeup on reverse engineering the closed-source contract to exploit the flaw.
A vulnerability in ArmorFi was discovered and responsibly disclosed by Alexander Schlindwein through the Immunefi platform. As a reward, Alexander earned a whopping 1.5M bounty and an offer from ArmorFi’s CTO to get a tattoo of choice.
Multiple vulnerabilities reported in Typhoon.Cash which may result in griefing, front-running, and integer overflow attacks.
The 2nd International Workshop on Smart Contract Analysis (WoSCA 2021) has announced its call for papers, with a submission deadline of May 14th. Check out Confessions of a smart contract paper reviewer for tips on submitting a paper.
Paradigm CTF, one of the best blocksec CTFs I’ve seen, is now over, with three winners announced. Congratulations to ConsenSys Diligence for placing 1st! You can find solutions on OpenBlockSec’s Awesome BlockSec CTF list.
What the hell are the blockchain people doing & why isn't it a dumpster fire? - Building Better Systems Podcast with Dan Guido.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.
Thanks for joining me in this week’s edition and see you all next week!
- Peter Kacherginsky (iphelix)