Week 23, 2019

Komodo | Gatehub | BlackSquid | VeriSol

This week started out with two major hacks: a supply chain attack targeting Komodo’s Agama wallet and the largest XRP theft by far (25 million XRP) from Gatehub.net. There was also an increase in the variety of cryptocurrency-related malware, ranging from classic ransomware to increasingly sophisticated cryptominers and private key harvesters. Microsoft continues to invest in the blockchain industry by adapting the Boogie verification framework to Solidity in a tool called VeriSol.

Hacks:

  • Plot to steal cryptocurrency foiled by the npm security team - a malicious node.js package, electron-native-notify, found its way into Komodo’s Agama Wallet. It was designed to steal users’ seed phrases and upload them to a public server. The Komodo team responded by collecting the stolen seed phrases from the public server and sending approximately 8 million KMD and 96 BTC to a secure wallet controlled by Komodo. The attacker spent months building a useful module and getting it into the supply chain before turning it malicious. The module was also designed to store stolen seed phrases on a server anyone could access, in an apparent attempt to obscure the attacker’s identity. On the defender side it was great to see a proactive incident response that secured customers’ funds before the attacker had a chance to empty them.

    Indicators: Malicious payload:
    https://updatecheck[.]herokuapp[.]com/check

  • Overview of the “Gatehub hack” - On June 6, 2019 Gatehub issued a notification regarding the compromise of a number of XRP Ledger wallets hosted on its platform. The internal investigation showed that the attacker gained access to a database holding access tokens, affecting 18473 accounts. XRP Forensics conducted an unofficial investigation of the hack and concluded that up to ~25 million XRP (~$9 million) was stolen.

    Indicators: Attacker’s XRP accounts:

  • Stolen Bitfinex BTC Is on the Move - a number of stolen bitcoins started moving after lying dormant since the 2016 Bitfinex hack. Bitfinex confirmed that the funds on the move were not associated with the special recovery procedure outlined in the UNUS SED LEO white paper. Specifically, the paper outlines a “safe and private” way for criminals to return stolen assets while keeping a percentage for themselves as a reward for collaborating.

Malware:

Bugs:

  • Dependency Audit Retrospective: June 2019 - a retrospective by the MetaMask team after 29 high-severity vulnerabilities were reported in the popular Ethereum wallet. The report concludes that the required npm audit step in the deployment pipeline was disabled to allow for an emergency fix and never turned back on.
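
    As an added example (not MetaMask’s code, and not taken from the retrospective), a fail-closed audit gate for a deploy pipeline: it assumes the `metadata.vulnerabilities` counts that `npm audit --json` emits and runs on a constructed sample report. Failing closed means a skipped or stale audit blocks the deploy just like a real finding would, which is exactly the failure mode the retrospective describes.

```python
"""Fail-closed npm audit gate for a deployment pipeline.

Added example, not MetaMask's own tooling. It assumes the report is the
JSON written by `npm audit --json`, whose `metadata.vulnerabilities` object
carries per-severity counts (info, low, moderate, high, critical).
"""
import json
import time

SEVERITIES = ["info", "low", "moderate", "high", "critical"]

# Constructed sample report: the shape npm audit emits, with made-up counts.
SAMPLE_REPORT = json.dumps({
    "metadata": {"vulnerabilities": {"info": 0, "low": 3, "moderate": 1,
                                     "high": 29, "critical": 0}},
})


def audit_gate(report_text, generated_at, now=None,
               fail_level="high", max_age_s=3600):
    """Return (ok, reason). The gate fails closed: a missing, unparsable
    or stale report blocks deployment just like a real finding would, so
    an audit step that was quietly disabled cannot pass unnoticed."""
    now = time.time() if now is None else now
    if report_text is None:
        return False, "no audit report: the npm audit step did not run"
    if now - generated_at > max_age_s:
        return False, "audit report is stale (%ds old)" % (now - generated_at)
    try:
        counts = json.loads(report_text)["metadata"]["vulnerabilities"]
    except (ValueError, KeyError, TypeError):
        return False, "audit report is not in npm audit --json format"
    # Everything at fail_level and above blocks the deploy.
    blocking = SEVERITIES[SEVERITIES.index(fail_level):]
    found = {s: int(counts.get(s, 0)) for s in blocking}
    total = sum(found.values())
    if total:
        detail = ", ".join("%d %s" % (found[s], s) for s in blocking if found[s])
        return False, "%d blocking vulnerabilities: %s" % (total, detail)
    return True, "audit clean at %s and above" % fail_level


if __name__ == "__main__":
    for label, report, age in [("fresh", SAMPLE_REPORT, 0),
                               ("skipped", None, 0),
                               ("stale", SAMPLE_REPORT, 7200)]:
        ok, why = audit_gate(report, generated_at=1000 - age, now=1000)
        print("%-8s deploy=%s  %s" % (label, "yes" if ok else "NO", why))
```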

Tools:

  • VeriSol - Microsoft Research’s formal verification tool for Solidity smart contracts. The tool is built on the Boogie verification toolchain and works directly on Solidity source code. You can read the announcement on the Microsoft Research Blog.

That’s all for this week’s newsletter. On a lighter note, a good samaritan developer helped return 2000 ETH accidentally sent to a Mainnet address instead of a Ropsten one. The recovery was made possible by deploying a smart contract on Mainnet at precisely the right address so that it could recover the funds.