BlockThreat - Week 16, 2021
Thodex | Vebitcoin | EasiFi | EToken2 | SafeMoon
Something is afoot in Turkey with two crypto exchanges shutting down and one of the founders on the run. Another DeFi founder’s computer was hacked, leading to a massive $60M theft. This week’s edition features lots of amazing write-ups on responsibly disclosed vulnerabilities and research papers. In other news, Faketoshi’s funds were apparently stolen after he got hacked by a Pineapple.
News
- CEO of Turkish exchange Thodex flees the country with $2B in customer funds. The same week Turkish authorities detained several Vebitcoin employees on fraud charges shortly after the exchange ceased its operations. Both incidents follow Turkey’s ban on crypto payments a week prior.
- US Marshals Service signed a $4.5M contract with BitGo to store forfeited crypto. This may be related to a recent $1B seized in stolen Silk Road funds.
- Seven USDC wallet addresses were blacklisted. Remember that many smart contracts including USDC, USDT, PAX include asset freezing functionality.
- The Incredible Rise of North Korea’s Hacking Army by Ed Caesar (The New Yorker) is an incredible read about Lazarus group’s many criminal enterprises, including cryptocurrency exchange heists and ransomware attacks.
- How the Kremlin provides a safe harbor for ransomware by Frank Bajak (AP News) links Russian security services with Evil Corp and other ransomware groups.
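The USDC blacklisting item above is a useful reminder that many stablecoin contracts carry operator-controlled freeze functionality. The following is an added example, not code from BlockThreat or from any of the token projects mentioned: a small screen that takes a token's ABI and reports which functions look like administrative freeze, blacklist, pause or wipe controls, separating state-changing controls from read-only indicators. The two ABIs embedded in it are constructed for illustration; the function names follow common naming patterns and are not a transcription of any real deployed contract's interface.

```python
"""Screen an ERC-20 ABI for operator freeze / blacklist / pause controls.

Added example for this newsletter; not code from BlockThreat or from the
token projects it mentions. Both ABIs below are CONSTRUCTED: the function
names are modelled on common naming patterns (blacklist, freeze, pause,
wipe) and do not reproduce any real contract's interface.
"""
import json
import re

# Name fragments that suggest an operator can stop a holder from moving or
# keeping funds. Case-insensitive, matched anywhere in the function name.
FREEZE_PATTERNS = [
    re.compile(r"black_?list", re.I),        # blacklist / isBlacklisted / unBlacklist
    re.compile(r"freez|frozen", re.I),       # freeze / unfreeze / isFrozen
    re.compile(r"pause", re.I),              # pause / unpause / paused
    re.compile(r"wipe|destroy|seize", re.I), # wipeFrozenAddress / destroyBlackFunds
]


def _fn(name, mutability="nonpayable"):
    """Build a minimal ABI entry for a function (inputs/outputs omitted)."""
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [], "outputs": []}


# Constructed ABI of a token WITH operator controls.
CONTROLLED_TOKEN_ABI = [
    _fn("totalSupply", "view"), _fn("balanceOf", "view"), _fn("allowance", "view"),
    _fn("transfer"), _fn("approve"), _fn("transferFrom"),
    _fn("isBlacklisted", "view"), _fn("blacklist"), _fn("unBlacklist"),
    _fn("isFrozen", "view"), _fn("freeze"), _fn("wipeFrozenAddress"),
    _fn("paused", "view"), _fn("pause"),
]

# Constructed ABI of a plain token with no such controls.
PLAIN_TOKEN_ABI = [
    _fn("totalSupply", "view"), _fn("balanceOf", "view"), _fn("allowance", "view"),
    _fn("decimals", "view"), _fn("transfer"), _fn("approve"), _fn("transferFrom"),
]

# JSON forms, since ABIs normally arrive as JSON from an explorer or artifact.
CONTROLLED_TOKEN_ABI_JSON = json.dumps(CONTROLLED_TOKEN_ABI)
PLAIN_TOKEN_ABI_JSON = json.dumps(PLAIN_TOKEN_ABI)


def screen_abi(abi):
    """Return {'controls': [...], 'indicators': [...]} for a parsed ABI list.

    'controls' are state-changing functions whose names match a freeze
    pattern (the operator can act through them); 'indicators' are view/pure
    functions that merely expose the feature (e.g. isBlacklisted). Only
    function entries are considered; events and constructors are skipped.
    """
    controls, indicators = [], []
    for item in abi:
        if item.get("type") != "function":
            continue
        name = item.get("name", "")
        if not any(p.search(name) for p in FREEZE_PATTERNS):
            continue
        # Legacy ABIs may carry 'constant' instead of 'stateMutability'.
        mutability = item.get("stateMutability")
        if mutability is None:
            mutability = "view" if item.get("constant") else "nonpayable"
        if mutability in ("view", "pure"):
            indicators.append(name)
        else:
            controls.append(name)
    return {"controls": sorted(controls), "indicators": sorted(indicators)}


def has_freeze_capability(abi_json):
    """True if the JSON ABI exposes at least one state-changing freeze control."""
    return len(screen_abi(json.loads(abi_json))["controls"]) > 0


if __name__ == "__main__":
    for label, abi_json in (("controlled", CONTROLLED_TOKEN_ABI_JSON),
                            ("plain", PLAIN_TOKEN_ABI_JSON)):
        print(label, screen_abi(json.loads(abi_json)))
```

The name-based screen is a first pass only: a contract can enforce a blacklist inside transfer() without exposing any telling function name, and a matched name does not prove the function is reachable by anyone other than a privileged role, so a positive hit is a prompt to read the source, not a verdict.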
Events
- Blockchain Hackers V - DeFi Security meetup in Dubai on April 28th.
Scams
- New NFT scam called sleepminting tricks users into purchasing unauthorized copies of legitimate NFTs on popular marketplaces.
- SafeMoon is likely going to exit scam after half of its liquidity got locked.
Hacks
- On April 19th, 2021 EasiFi’s founder’s computer was compromised, resulting in the theft of contract private keys that were used to drain about $60M worth of stablecoins and EASY tokens. While the post-mortem implies a highly targeted attack on the founder, it is concerning that a single private key stored in Metamask had so much access to both assets and smart contracts.
Vulnerabilities
- Ambisafe EToken2 platform vulnerability which could allow backdooring new users’ accounts was patched after a responsible disclosure by samczsun. The vulnerability affected SOLVE, RFR, UBT, CHSB, and other tokens using the EToken2 implementation. Check out the awesome bug hunting writeup!
- A vulnerable user on Primitive Finance was helped to lock down their funds after the threat was responsibly disclosed by Amber Group developers.
- Pancake V2 integer rounding vulnerability was patched after being responsibly disclosed by Nipun from Alpha Finance.
- Maker patched multiple bugs in emergency shutdown and end modules.
- Prysmatic Labs patched a bug which stopped nodes from producing blocks for 2 hours with a total reward opportunity cost of 15 ETH.
- OpenEthereum Berlin consensus bug post-mortem exposes gaps in current fuzzing and testing frameworks used in the project.
Malware
- Reports of the Prometei botnet targeting vulnerable Microsoft Exchange servers to install mining software.
Competitions
- DEX challenge by Patrick Collins was added to the Ethernaut Wargame.
Research
- Crypto-Asset Exchange Security Guidelines by CSA has several nice threat models useful for both exchange operators and users.
- Smart Contract Security for Pentesters by iosiro is an introductory text on attack vectors and sources of bugs in smart contracts aimed at traditional application security professionals.
- MEV and coordination by Samuel Shadrach explores main actors and their incentives to coordinate in transaction ordering.
- TSGN: Transaction Subgraph Networks for Identifying Ethereum Phishing Accounts.
- SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds.
- Ponzi Scheme Detection in Ethereum Transaction Network.
- A Tractable Probabilistic Approach to Analyze Sybil Attacks in Sharding-Based Blockchain Protocols.
- Bitcoin Address Clustering Method Based on Multiple Heuristic Conditions.
Thanks for joining me in another week of blockchain security, the industry that never ceases to amaze me. See you all next week!
- Peter Kacherginsky (iphelix)