BlockThreat - Week 11, 2021
TSD | CREAM | PancakeSwap | Nifty | Iron Finance | SIL Finance
This week we saw traditional appsec threats creep into the crypto world: a couple of DeFi projects lost control over their DNS infrastructure, and NFTs were stolen as a result of good ole’ account takeovers. On the blockchain layer we had a small scare where a block explorer reported a double spend on FileCoin, only to conclude that it was just an exchange not using the node API correctly. Last but not least, check out news of the upcoming QuadrigaCX documentary in the Media section.
News
- Ethereum Foundation announced a bounty for the upcoming ETH2 beacon chain. It includes a wide range of beacon chain targets and attack vectors.
- A Hacker Got All My Texts for $16 exposes a major flaw in mobile phone operators allowing anyone to reroute SMS from arbitrary phone numbers.
- Nvidia Beta Driver accidentally removes cryptocurrency mining limiter from GeForce RTX 3060 video cards.
Crime
- Teenage hacker sentenced to 3 years in prison for masterminding the July 2020 Twitter hack which resulted in the theft of $120K.
- Romanian authorities arrested an individual responsible for $620K theft from an unknown exchange.
Hacks
- On March 13, 2021 True Seigniorage Dollar DAO was taken over by attackers after they acquired a majority stake. This allowed attackers to deploy an upgrade which was used to mint and later sell 11.8B TSD tokens.
- On March 15, 2021 Cream Finance and PancakeSwap DApps were taken over by attackers after their GoDaddy DNS records were hijacked. The hijacked page attempted to phish users’ seed phrases.
- On March 15, 2021 Nifty Gateway reported that a number of NFTs were stolen after user accounts were compromised on their platform.
- On March 16, 2021 Iron Finance vFarm reward misconfiguration resulted in the loss of 170K worth of SIL tokens.
- On March 18, 2021 SIL Finance contract permissions vulnerability was exploited by a trading bot which resulted in the loss of $12.1M worth of SIL tokens. The anonymous bot operator returned all of the funds.
Vulnerabilities
- Binance was double crediting FileCoin deposits due to incorrect usage of the node API. The issue was briefly misidentified as a double spend.
- Solidity patched a vulnerability in Keccak256 opcode handling.
Scams
- Binance Smart Chain TurtleDEX rug pulled on its investors within hours of launch. $2.5M worth of BNB tokens were quickly exchanged on Binance.
Media
- Dead Man’s Switch is an upcoming documentary about QuadrigaCX CEO Gerald Cotten, who passed away under mysterious circumstances while in the midst of a massive scam operation.
Research
- A Year in the Life of a Compiler Fuzzing Campaign is the latest update in Trail of Bits’ long-running hunt for bugs.
- Illegal Content and the Blockchain by Bruce Schneier explores threats to blockchains introduced by hidden messages stored inside them.
- Wrecking sandwich traders for fun and profit is an article about a honeypot for MEV sandwichers.
- Tackling Cross Site Scripting with Smart Contracts discusses injection threats and mitigations on DApps.
Stay informed and see you in next week’s edition!
- Peter Kacherginsky (iphelix)