BlockThreat - Week 50, 2020
BTC-e | Oyster | Metamask | Foxconn | PGMiner
Peter Kacherginsky | Dec 15, 2020
No major hacks or vulnerabilities reported this week, so we can finally catch up on a number of fun security conference talks from samczsun, Taylor Monahan, and a fireside chat with Stani, Julien and Sunny. Ledger’s Donjon posted solutions to the CTF, Metamask advises on an ongoing phishing campaign, a number of cryptocurrency companies are getting DDoSed, and other blockchain security news in this week’s edition.
Crime
Alexander Vinnik sentenced to 5 years in French prison for money laundering. Vinnik was one of the co-founders of the infamous BTC-e exchange involved in money laundering operations for various criminal enterprises such as CryptoWall ransomware, Fancy Bear APT, and others.
Oyster Protocol scammer, Bruno Block, arrested. In 2018 Bruno triggered a backdoor in the Oyster Pearl smart contract to steal 3M PRL (~$300K at the time).
Hacks
On December 11th, 2020 a vulnerability in Seal Finance was exploited to steal $58K worth of SEAL tokens.
Ongoing DDoS attacks targeting cryptocurrency companies including SatoshiLabs, Poloniex, The Block, and others.
Vulnerabilities
AAVE team fixed a DoS vulnerability caused by an incompletely initialized contract. The vulnerability was responsibly disclosed by Josselin Feist through AAVE’s bug bounty program.
Malware
Metamask warns users of an ongoing phishing campaign where attackers mimic wallet onboarding to steal seed phrases.
Foxconn factory in Mexico was attacked by the DoppelPaymer ransomware group, which is demanding a ransom of 1804.0955 BTC in exchange for not leaking the stolen files.
PGMiner cryptojacker targets vulnerable PostgreSQL instances in order to drop Monero miners.
Ransomware group created a portal to enable victims to pay Bitcoin for stolen MySQL database backups. http://hn4wg4o6s5nc7763[.]onion/
Media
Avoiding security pitfalls talk by samczsun is an encyclopedic resource on DeFi exploitation and vulnerabilities.
Building smart contracts responsibly talk by Taylor Monahan is a hilarious survey of common security mistakes made by smart contract developers.
Fireside Chat on Security, DeFi Composability, & Interoperability featuring Stani Kulechov, Julien Bouteloup, and Sunny Aggarwal. There is an interesting discussion on front-running prevention using private, encrypted transactions sent directly to miners.
Research
A Brief Breakdown of Monero’s Ongoing Network Attacks delves into the cat-and-mouse game between Monero developers and a persistent actor trying to deanonymize the network.
A Hypothetical Attack on the Bitcoin Codebase explores various scenarios in which the Bitcoin code base could be compromised, such as rogue developers, kidnapping, unauthorized access, and others.
Early ETH2 nodes are getting slashed due to misconfigurations.
Tools
Scribble runtime verification tool by ConsenSys Diligence.
Symbolic Execution with ds-test allows Ethereum developers to quickly write formal proofs for smart contracts.
Revoke is an Ethereum tool to enumerate dapps that have requested approval to spend excessive amounts of tokens on your behalf.
Competitions
Donjon CTF - Exploiting Smart Contracts in CTF Challenges shares a solution for the EOSIO smart contract challenge.
Donjon CTF - Discovering SMPC through CTF Challenges shares a solution for the RenVM challenge.
Other
A collection of bug bounties by Immunefi covering the entire cryptocurrency ecosystem.
Thanks for joining me this week and thank you for your donations in the latest Gitcoin round. Oh, and please don’t steal electricity to mine Bitcoin, unless you are the Venezuelan Army trying to bypass sanctions.
-Peter Kacherginsky (iphelix)