Week 18, 2019

Outlook | XRP | TRON | Stellar

Welcome to this week’s newsletter! My feeds were filled with news about different variants of crypto malware ranging from traditional cryptominers to more exotic mnemonic phrase stealers and fake QR code generators. Electrum is still getting pounded by the DDoS botnet. Several interesting hacks were reported such as an “accidental” exploitation of a backdoored TRON smart contract, an exchange mishandling unique XRP features resulting in a $2 million loss, and last but not least a string of exchange account compromises coming from the recent Outlook email breach. Finally, the long expected research paper on Stellar weaknesses was released and confirmed our previous speculations on the network being at risk of failure due to over-reliance on just three validators.

News:

  • Cryptocurrency Anti-Money Laundering Report, 2019 Q1 - a detailed report from CipherTrace covering trends in the cryptocurrency ecosystem such as upcoming exchange and digital assets regulations, the use of cryptocurrencies by rogue regimes and criminal organizations, overview of the most recent exchange compromises, exit scams, and fraud cases resulting in $1.3 billion loss.

Malware:

Hacks:

  • Microsoft Outlook Email Breach Targeted Cryptocurrency Users - according to several user reports, the recent Microsoft Outlook breach resulted in the compromise of several exchange accounts.

  • 7 million XRP ($2 million) stolen from Bitopro exchange - just days after adding XRP to its platform, Bitopro exchange was successfully exploited due to mishandling of XRP’s partial payments feature. In this exploit scenario a large amount of XRP is sent to an exchange in a transaction with the tfPartialPayment flag set and a significantly smaller delivered_amount value. A vulnerable exchange which does not properly check for the partial payments flag credits attacker’s account who proceeds to swap and move these funds off the platform. In the case of Bitopro the attacker made a series of partial payment deposits which were apparently successfully accepted by the exchange. The same attacker has also made similar transfers to a number of other exchanges including OOOBTC, BTCexchange, Changelly, Coinvest Plus, and others over the past few months.

  • 26 million TRX ($600k) stolen - on May 3rd a Tron user wojak triggered a vulnerability (or an intentional backdoor) in TronBank’s TRX Pro smart contract to transfer 26.73 million TRX. The flaw was triggered by transferring exactly 0.011911 TRX which resulted in the contract transferring its entire balance. TRX Pro developers refute any backdoor claims; however, the analysis of contract’s bytecode confirms a check for the transfer amount 0x2E87 or 0.011911 TRX which in turn triggers the entire contract to dump its balance to the sender.

Research:

  • Is Stellar as secure as you think? - a whitepaper discussing the risks of cascading failure in the Stellar network due to over-reliance on the three official nodes SDF1, SDF2, and SDF3 by most of the network’s quorum slices. The study presents evidence that in the current network state a failure of only two of the three SDF nodes would result in the rest of the network failing. Stellar Development Foundation has responded to the study by publishing a blog post and more importantly diversifying their own quorum slices. However, even with the recent changes, researchers claim that the network is still at a risk of failure if all three of the official SDF nodes fail indicating a persistent state of reliance on a single entity for network operation.

Never a dull day in cryptocurrency security! Thanks for joining me this week and see you all next Monday for another issue of the blockchain intelligence report.