BlockThreat - Week 27, 2020
RavenCoin | Tendermint | Ledger | TrustWalletApp
Stand-alone blockchain vulnerabilities are rare, but they still happen. Ravencoin was exploited through an inflation bug to mint 31M RVN, while Tendermint patched a DoS vulnerability. Another DeFi project was exploited to steal $900k. On the happier side of the week, our hero Harry hacked a phishing campaign's C2 to save $5k worth of crypto for users who had downloaded a fake wallet app.
Vulnerability
- An inflation bug was discovered and exploited in Ravencoin. $5.1M worth of RVN (31M coins, or 1.5% of the total supply) were minted and had already been deposited to exchanges.
- A successfully exploited vulnerability in Vether resulted in $900k worth of VETH loss.
- A Tendermint DoS vulnerability allowed block producers to include signatures for the wrong block, resulting in a network halt on networks running the vulnerable version. The Cosmos network was running an unaffected version of Tendermint.
- A potential social engineering attack vector exists in the Ledger Live wallet when handling Bitcoin's Replace-by-Fee (RBF) transactions. The wallet increases the user's balance by the value of an unconfirmed incoming transaction and does not decrease it when that transaction is cancelled.
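As an added example (not code from the newsletter or from Ledger), a toy wallet model contrasting the accounting flaw described above with a version that reverses the credit once the unconfirmed transaction is replaced; the Wallet and Tx classes and the sample transactions are constructed for illustration.

```python
# Added example, not Ledger Live's code: a minimal model of unconfirmed-balance
# accounting. An RBF replacement spends the same input as the transaction it
# replaces, so the original can never confirm; a wallet that already credited
# the original must reverse that credit, or the displayed balance is wrong.
from dataclasses import dataclass, field


@dataclass
class Tx:
    txid: str
    inputs: frozenset  # outpoints ("prev_txid:vout") spent by this tx
    outputs: dict      # address -> amount in satoshis


@dataclass
class Wallet:
    address: str
    confirmed: int = 0
    pending: dict = field(default_factory=dict)  # txid -> credited amount
    mempool: dict = field(default_factory=dict)  # txid -> Tx
    reverse_on_replace: bool = True              # False models the flaw

    def on_mempool_tx(self, tx: Tx) -> None:
        # A tx spending an input already spent by a mempool tx replaces it.
        for old in list(self.mempool.values()):
            if old.inputs & tx.inputs:
                del self.mempool[old.txid]
                if self.reverse_on_replace:
                    self.pending.pop(old.txid, None)  # undo the early credit
        self.mempool[tx.txid] = tx
        paid = tx.outputs.get(self.address, 0)
        if paid:
            self.pending[tx.txid] = paid  # credited while still unconfirmed

    def on_confirmed(self, txid: str) -> None:
        tx = self.mempool.pop(txid)
        self.pending.pop(txid, None)
        self.confirmed += tx.outputs.get(self.address, 0)

    def displayed_balance(self) -> int:
        return self.confirmed + sum(self.pending.values())


def scenario(reverse_on_replace: bool, replaced: bool = True) -> int:
    """Constructed sample: a payment to the wallet is either confirmed or
    replaced by a tx spending the same input that no longer pays the wallet."""
    w = Wallet("wallet_addr", reverse_on_replace=reverse_on_replace)
    w.on_mempool_tx(Tx("tx1", frozenset({"utxo_a:0"}), {"wallet_addr": 100_000}))
    if replaced:
        w.on_mempool_tx(Tx("tx2", frozenset({"utxo_a:0"}), {"other_addr": 100_000}))
        w.on_confirmed("tx2")
    else:
        w.on_confirmed("tx1")
    return w.displayed_balance()
```

With the flawed setting the wallet still shows the 100,000 satoshi credit after the replacement confirms; with the corrected setting it shows zero, and a normally confirmed payment is credited in both modes.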
Research
- Harry's quest to hack the phishers and save (and return) $5,000 worth of crypto. The phish involved a fake Trust Wallet app on the Google Play store and some really bad PHP code. You are my hero!
- Epicenter episode with Dan Guido: Trail of Bits - The Evolution of Smart Contract Security
- Ethainter - A Smart Contract Security Analyzer for Composite Vulnerabilities
Crime
- UCSF was forced to pay $1.14M or 116.4 BTC to ransomware attackers.
- Cryptocurrency Scam Book
Thanks for joining me this week, and see you in another edition of the Blockchain Threat Intelligence newsletter. Head over to /r/blocksec for up-to-date information on current threats.
-Peter