BlockThreat - Week 20, 2021
Ethereum | Bunny Finance | Bogged Finance | Venus Protocol
This week we learned about a silently patched vulnerability in both Geth and Parity nodes which almost halted the network. Another $43.6M was stolen from various DeFi projects and an additional $200M was liquidated as a result of price manipulation. I started keeping track of these incidents, root causes, and their impact on the OpenBlockSec - DeFi Incidents 2021 page. So far in 2021 we are at $400M+ lost or stolen just from the hacks (significantly more if we also count rug pulls and other scams), which is enough to sound an alarm that changes must happen soon in this segment of the industry through increased user awareness, developer education, tool development, bug bounty programs, etc. to turn the tide.
Events
- Blockchain Forensics Seminar by David Jevans (CipherTrace) on 05/26 at 3PM PST. Password: 071256.
- Defcon Blockchain Village CFP is now open. Apply now for the virtual or in-person blockchain security event on August 5-8, 2021.
News
- Crypto-mining gangs are running amok on free cloud computing platforms by Catalin Cimpanu (The Record) explores a widespread abuse of CI services to mine crypto.
- More than 72,000 unique Iranian IP addresses linked to more than 4.5 million unique Bitcoin addresses by CipherTrace reveals a large mining operation by Iranian actors mining cryptocurrencies to avoid sanctions.
- NTT’s 2021 Global Threat Intelligence Report reveals a resurgence of cryptojacking malware.
Hacks
- On May 18, 2021 Venus Protocol price manipulation of the governance token resulted in $200M+ in DeFi liquidations and $100M+ in bad debt.
- On May 20, 2021 Bunny Finance mint price vulnerability was exploited to steal $45M+ worth of assets.
- On May 22, 2021 Bogged Finance minting vulnerability was exploited to steal $3.6M worth of BOG token.
Scams
- FTC Data Shows Huge Spike in Cryptocurrency Investment Scams with consumer reports increasing ten times since last year.
- Office of the Comptroller of the Currency (OCC) released an advisory about a phishing campaign attempting to steal bitcoin wallet keys.
- War on Rugs group exit scammed with $2M of users’ funds after setting a 100% selling tax on RETH and FAIR smart contracts.
- DeFi100 exit scammed with $32M of users’ funds while mocking investors.
Vulnerabilities
- Ethereum Foundation secretly patched a critical DoS vulnerability present in several EVM opcodes in both Geth and Parity nodes.
- Charged Particles fixed a critical DoS/griefing vulnerability after it was responsibly disclosed by Alejandro Muñoz-McDonald through Immunefi.
- Mushrooms Finance fixed a vulnerability which allowed flash bots to steal yields after it was responsibly disclosed by Wen-Ding Li using Immunefi. The vulnerability was previously exploited to steal $222 worth of assets.
- Yearn Finance patched a vulnerability in StrategyMakerETHDAIDelegate accounting logic. Yet another patch in the past few weeks from the Yearn Security team which appears to actively weed out flaws in their contracts.
Research
- Meebit NFT Exploit Analysis by iphelix dives into the exploitation details of the Meebit platform and shares a PoC exploit to help replicate the exploit.
- CheapETH 51% attack demonstration by Anish Agnihotri shows a complete setup and successful 51% attack on the Ethereum fork project.
- DeFi exploitation impact, root cause analysis and trends tweet thread by Igor Igamberdiev.
- Inductive Reasoning about Smart Contracts Safety by James Wilcox
- Bitcoin Privacy - A Survey on Mixing Techniques.
- What everyone gets wrong about 51% attacks by Dankrad Feist.
Tools
- EtherBlob Explorer is used to extract human-readable data stored in Ethereum transactions.
Stay informed and see you in the next week’s edition!
- Peter Kacherginsky (iphelix)