BlockThreat - Week 21, 2021
Belt Finance | BurgerSwap | Wild Credit | JulSwap | Merlin | AutoShark | Geth
Almost $17M was stolen this week across various DeFi projects, with several of the losses coming from Pancake Bunny clones on the Binance Smart Chain. Things got so bad that Binance issued a call to action urging developers to adopt secure engineering practices. Crypto Core APT was linked to the Lazarus group, further solidifying North Korea's place as the primary threat to cryptocurrency exchanges around the world. This edition also features lots of excellent research papers, podcasts, and talks, but be sure to check out samczsun's excellent write-up on the critical Geth bug. With that, grab some coffee; this is going to be one of the larger editions!
Events
- Proactive defense for DeFi protocols: Security as a never-ending process, a workshop by Immunefi on June 4th at 12:30 UTC
News
- ClearSky released an updated report on the Crypto Core APT group attributing it to the North Korean Lazarus APT.
- Binance Smart Chain experienced 8+ DeFi hacks in the past few weeks prompting an official call for action to increase project security.
Hacks
- On May 29, 2021 Belt Finance's price calculation was manipulated using flash loans to steal $6.2M.
- On May 27, 2021 a BurgerSwap reentrancy vulnerability was exploited to steal $7.2M worth of various crypto assets.
- On May 27, 2021 a Wild Credit contract that could be re-initialized was exploited to steal $700K. Luckily, the attacker was front-run by a bot which returned the stolen funds to the project.
- On May 27, 2021 JulSwap was exploited using flash loans to steal $700K.
- On May 26, 2021 Merlin Labs, a Pancake Bunny clone on BSC, was exploited twice: first through the same performance-fee minting vulnerability that hit Pancake Bunny, then through a separate incorrect price calculation vulnerability, resulting in losses of $680K and $540K respectively.
- On May 24, 2021 the reward mechanism of AutoShark Finance, a Pancake Bunny clone on BSC, was exploited using a flash loan, resulting in the loss of $750K (2.2K WBNB).
Vulnerabilities
- Geth patched a critical vulnerability that could have split the chain (an unintended hard fork) after it was responsibly disclosed by samczsun.
- Bitswift fixed a race condition in its web application after the vulnerability was responsibly disclosed by Yash Sodha through the Immunefi platform.
- The Keep team fixed a bug which could have led to the loss of signer fees after the vulnerability was responsibly disclosed by Certora.
Malware
- CryptoJacking — Journey of How Cryptomining Turned Evil? by Rakesh Krishnan discusses cryptojacking tactics and major campaigns.
Media
- Crypto's Existential Threat MEV Panel with Phil Daian, Georgios Konstantopoulos, Charlie Noyes
- MEV front-runners and arbitrage by Anatol Prisacaru
- FlashBots: How to make $1m per month as a Solidity developer with Stephane Gosselin & Robert Miller
- Community DeFi Bug Hunt by Carl Farterson
- Hacks Averted by Duncan Townsend
Research
- Elliptic released its Sanctions Compliance in Cryptocurrencies report which discusses evasion techniques including mixers, DEXes and no-KYC exchanges, privacy coins or just mining new coins themselves.
- Flashpoint released Investigating Hydra: Where Cryptocurrency Roads All Lead to Russia and Go Dark report calling attention to increased cryptocurrency activity on the marketplace.
- What to Do After You’ve Been Hacked by Immunefi helps DeFi projects create an incident response plan.
- There is Light in the Dark Forest by bloXroute discusses MEV risks and a new BackRunMe service to help users submit private transactions.
- An interesting honeypot contract found by Robert Miller (@bertcmiller)
- Large collection of smart contract audits by DeFiYield.
- Maximizing Your Arbitrage: Flash Loans by Patrick Collins
- Legendre PRF (Multiple) Key Attacks and the Power of Preprocessing
- SCSGuard: Deep Scam Detection for Ethereum Smart Contracts
- Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit
- Understanding Security Risks in DeFi by CertiK
Tools
- Ape Framework - The DeFi development tool for Pythonistas, Data Scientists, and Security Professionals.
- Ethernal - a private blockchain explorer for EVM-based chains.
Stay informed and see you in next week's edition!
- Peter Kacherginsky (iphelix)