BlockThreat - Week 26, 2020
Balancer | Atomic Loans | CryptoCore | Docker
Another week, another DeFi exploit or two. Unfortunately, this time the bad folks were able to steal $500k worth of tokens. It’s too bad Balancer devs dismissed an earlier bug bounty report. ClearSky released a detailed report on the CryptoCore APT, which is dedicated to breaking into cryptocurrency exchanges. On a more fun note, check out someone almost getting caught by a honeypot smart contract, and submit your blockchain security talk to Defcon’s Blockchain Village.
Hacks
- Two Balancer multi-token pools were exploited, resulting in a loss of $500k. The attacker used a flash loan to exploit a vulnerability in the way Balancer deals with deflationary tokens. In its incident report, the Balancer team revealed that the issue had been reported to their bug bounty but dismissed as impractical to exploit.
Vulnerabilities
- Two vulnerabilities were reported in Atomic Loans smart contracts which could allow a malicious borrower to unlock their BTC collateral without repaying their loan by front-running a loan cancellation transaction. The vulnerability was responsibly disclosed and patched by the developer.
Events
- Defcon’s Blockchain Village is back this year and its CFP is now open. Last year, the village featured a number of excellent blockchain security related talks and multiple CTF competitions.
Malware
- Another day, another XMR cryptojacking malware. Palo Alto published a report on two variants of the Lucifer malware, which use an arsenal of exploits targeting Windows hosts.
- A stealthier approach to cryptojacking uses malicious Docker images to mine Monero.
Crime
- The CryptoCore APT threat intelligence report by ClearSky Security provides an in-depth analysis of the group’s tactics, infrastructure, and indicators. CryptoCore has stolen approximately $200M over the last two years while attacking exchanges in the United States, Japan, and other countries. The group is unique in its focus on cryptocurrency exchanges, as opposed to more general financial APTs.
- Gone Phishing with Malware and Bitcoin analyzes DOJ’s forfeiture complaint against 113 cryptocurrency accounts used in a mass phishing campaign to spread North Korean Fallchill malware and infiltrate an exchange.
- $188 million in ETH tied to the PlusToken Ponzi moves for the first time since December.
Research
- A fun writeup on a honeypot contract found on Ethereum.
- Double spend attacks in the PoS network is an interesting exploration of this common attack pattern on staking networks.
- Counting Down Thunder: Timing Attacks on Privacy in Payment Channel Networks
- Minerva: The curse of ECDSA nonces
- CoinPolice: Detecting Hidden Cryptojacking Attacks with Neural Networks
- Remote Side-Channel Attacks on Anonymous Transactions
That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up-to-the-minute news, and see you all next week.
-Peter