Week 21, 2020

BlockFi, Hegic, tBTC, Etheroll

This week’s theme is DeFi! Writing smart contracts is hard enough, but take sufficiently complex systems like DeFi apps and bugs just start popping up. Hegic, tBTC, Etheroll all had interesting vulnerabilities discovered and published this week.

The BlockFi incident raises several questions: Why do they still offer SMS as a 2FA option, especially for internal employees, and why are the internal systems still reachable from the Internet? This could have been much worse.

In other news, it looks like some of the addresses in the Tulip Fund are turning against Faketoshi, and there is more drama on the Steem network. Also, check out the hilarious Justin Sun deep fake scam video in the links below.

Hacks

  • BlockFi Incident Report - on May 14th, 2020 BlockFi suffered a breach of its client data, including customer names, emails, DoBs, home addresses, and activity history. An employee's phone number was SIM-ported to gain access to his or her corporate email and BlockFi's internal systems. According to the incident report, an attacker attempted but failed to steal any funds.

  • HegicOptions has shut down again - this one is not a typo: a design flaw in Hegic was exploited to make a quick $3340 profit.

  • Details of the tBTC Deposit Pause on May 18, 2020 - additional details about the Bitcoin address parsing bug that caused the tBTC shutdown. A second vulnerability was also reported: a malicious redeemer could craft an output script that results in an invalid Bitcoin transaction, allowing them to seize signer bonds and net a profit in some circumstances.

  • Etheroll exploited - a clever exploit which takes advantage of infrequent chain forks to game the gambling smart contract.

  • Ethereum.org DB dump sold on the black market - reports of 16,000 ETH accounts from the 2016 hack being sold online. Vitalik's hash is clearly visible in the screenshot and appears to be `$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/`. Does anyone want to take a stab?

  • Bitcoin stolen in a $72 million hack just started moving - more movement of stolen funds on the blockchain, this time related to the 2016 Bitfinex hack.

Scams

Vulnerabilities

Malware

People

Research

Another fun week in blockchain security! I hope you stay healthy, and see you all next week. But for now, head over to the /r/blocksec subreddit, where I share much of the news in this newsletter throughout the week.