BlockThreat - Week 19, 2021
DarkSide | xToken | Pi Network | Vault.sx | bEarn
This week ends the Colonial Pipeline saga with yet another paid ransom, further emboldening ransomware gangs. Ethereum, Binance Smart Chain, and EOS based DeFi applications were exploited this week for a total loss of almost $40M. On the bright side, projects are finding and patching more vulnerabilities through internal code reviews and bug bounty programs, potentially reversing a seemingly unstoppable barrage of DeFi hacks. Be sure to check out the excellent reports by Ciphertrace and Chainalysis on the current state of cryptocurrency crime.
News
- Koch brothers paid the $5M (75 BTC) ransom to the DarkSide Ransomware Gang to help reopen the Colonial Pipeline after six days of outage. Blockchain analytics companies have traced the ransom to a number of exchanges and the Hydra marketplace. Interestingly, the group shut down its operations after its public infrastructure was seized.
- Europol arrests six people connected to a €30M scam involving fake cryptocurrency trading platforms.
- Murder-for-hire scheme thwarted after a Bitcoin transaction to pay the hitman was tracked to an exchange user.
Scams
Hacks
- On May 12, 2021 xToken contracts were exploited to steal $25M.
- On May 13, 2021 Pi Network user data was posted on Raidforums for sale. Stolen data included Vietnamese identity cards, addresses, phone numbers, and emails for up to 10,000 customers.
- On May 14, 2021 the Vault.sx contract on EOS was exploited through a re-entrancy vulnerability to steal $13.5M worth of EOS and USDT.
- On May 16, 2021 a Bearn Finance withdrawal logic vulnerability was exploited to steal $11M.
Vulnerabilities
- Sovryn patched a critical lending vulnerability after it was responsibly disclosed through its Immunefi bug bounty.
- Fei patched a critical vulnerability in its bonding curve after an internal code review.
- Fei published a detailed post-mortem and a PoC exploit for the recent flashloan vulnerability.
- Yearn patched two vulnerabilities in its StrategyProxy and SingleSidedCrvDai contracts.
- Maker patched an overflow bug in its emergency shutdown function.
Malware
- eChoraix ransomware targets vulnerable and unprotected QNAP servers.
- Cryptojacker targets Call of Duty gamers downloading a malicious trainer.
- Ongoing phishing campaign on Twitter targets Metamask and Trust Wallet users with backdoored wallet software.
Research
- "Griff Green: Doge-loving hippy hacker steals crypto before bad guys can" is a historical look at the infamous DAO hack in 2016.
- Ciphertrace published its quarterly Cryptocurrency Crime and Anti-Money Laundering Report which shows a significant rise in DeFi hacks.
- Chainalysis published its "Ransomware 2021: Critical Mid-year Update" report.
- Elliptic follows the Bitcoin ransoms paid by Colonial Pipeline and other DarkSide ransomware victims.
- Reentrancy Vulnerability Identification in Ethereum Smart Contracts discusses a new static and dynamic analysis framework.
Tools
- DeFi ABI generator speeds up the process of creating contract interfaces in Golang.
Thanks for joining me in another week of blockchain security!
- Peter Kacherginsky (iphelix)