BlockThreat - Week 28, 2020
Bitcoin Gold | Cashaa | Ravencoin | Ledger
Continuing the blockchain exploitation trend from last week, Bitcoin Gold narrowly avoided a 51% attack only because its developers learned of a massive covert mining operation in time. Check out a thrilling incident report by the Ravencoin folks racing against the clock to kick out attackers exploiting an inflation bug. Cashaa exchange had a few million dollars' worth of crypto stolen, and there is other news in this edition of BlockThreat.
Hacks
- On July 10, 2020 Bitcoin Gold developers announced an attempted 51% attack on their network. Starting on July 1st, an attacker secretly mined a massive 1300 blocks using NiceHash. It is not clear how BTG developers learned of the impending attack; however, they were able to secretly supply miners with updated node software containing a checkpoint at block height 640650. News of these actions was only made public after the attacker published their chain on July 10th, only to find their blocks dropped by legitimate miners. According to Crypto51.app, it costs only $297 per hour to attack Bitcoin Gold by renting hash power on NiceHash.
- Additional details have been posted about the Ravencoin inflation bug covered last week. In a detailed incident report, Ravencoin Vulnerability - WTF Happened?, a Ravencoin developer revealed that the bug was intentionally introduced by a throwaway GitHub account on January 15th, 2020. The malicious change was disguised as the addition of custom error messages while leaving out an important check that prevented minting new RVN. The minting started in May and continued for months until it was accidentally discovered on June 29, 2020 by CryptoScope while debugging an issue in their blockchain explorer. After the discovery, Ravencoin developers went into full incident mode until the fix, which they first secretly shared with RVN miners, activated on July 4, 2020. By then, 300M RVN had ended up on Binance and an additional 7M RVN were traded away on OKEx. The race against the clock described in the incident report, between developers trying to secretly push out the change and activate the soft fork while not tipping off the original and newer attackers, is fascinating! I highly recommend the above read for its many incident handling lessons and gripping storytelling by Tron Black.
- On July 10, 2020 Cashaa exchange lost 336 BTC after an attacker compromised one of its Blockchain.com wallets. No additional details are available.
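A simplified model of the checkpoint defense from the Bitcoin Gold item above, added here as an illustration and not code from Bitcoin Gold or any other project: under plain heaviest-chain selection the attacker's longer private chain wins, but a node whose software pins the honest block hash at height 640650 discards that chain. The fork height, block labels and per-block work values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Block:
    height: int
    block_hash: str  # constructed label standing in for a real block hash
    work: int        # proof-of-work this block adds to the chain's total

def chain_work(chain: List[Block]) -> int:
    """Total work claimed by a chain; the heaviest chain wins by default."""
    return sum(b.work for b in chain)

def violates_checkpoint(chain: List[Block], checkpoints: Dict[int, str]) -> bool:
    """Reject a chain whose block at a checkpointed height has the wrong hash.
    A chain that has not yet reached the checkpoint height is still acceptable."""
    by_height = {b.height: b.block_hash for b in chain}
    for height, expected_hash in checkpoints.items():
        actual = by_height.get(height)
        if actual is not None and actual != expected_hash:
            return True
    return False

def select_chain(candidates: List[List[Block]], checkpoints: Dict[int, str]) -> Optional[List[Block]]:
    """Heaviest-work selection, but only among chains consistent with every checkpoint."""
    valid = [c for c in candidates if not violates_checkpoint(c, checkpoints)]
    return max(valid, key=chain_work, default=None)

def make_chain(label: str, start: int, count: int) -> List[Block]:
    return [Block(h, f"{label}-{h}", 1) for h in range(start, start + count)]

# Constructed scenario: both chains fork at an assumed height of 640000.
FORK_HEIGHT = 640000
HONEST = make_chain("honest", FORK_HEIGHT, 800)       # public chain, 800 blocks
ATTACKER = make_chain("attacker", FORK_HEIGHT, 1300)  # secretly mined 1300 blocks
# Hard-coded checkpoint pinning the honest block at height 640650.
CHECKPOINT = {640650: HONEST[640650 - FORK_HEIGHT].block_hash}

def winner(checkpoints: Dict[int, str]) -> Optional[str]:
    """Label of the chain a node running with the given checkpoints would follow."""
    chosen = select_chain([HONEST, ATTACKER], checkpoints)
    return None if chosen is None else chosen[0].block_hash.split("-")[0]

if __name__ == "__main__":
    print("no checkpoint:", winner({}))            # attacker
    print("with checkpoint:", winner(CHECKPOINT))  # honest
```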
Vulnerabilities
- Kraken Security Labs published two attacks against the newer Ledger Nano X hardware wallets. Both attacks rely on an insecure supply chain in which a malicious party reflashes Ledger’s firmware. In the first scenario, Kraken researchers reprogrammed the Ledger to act as a keyboard that launches Kraken.com before booting into the regular firmware. In the second scenario, malicious firmware could turn off the display to aid in a social engineering attack. In both cases the Ledger Live app reported the device as genuine.
Research
- Ethereum Smart Contract Security Recommendations by Consensys.
- A survey of features introduced in Solidity v0.6.0 which help prevent common smart contract vulnerabilities such as reentrancy, mishandled exceptions, and others.
- Hunting for Re-Entrancy Attacks in Ethereum Smart Contracts via Static Analysis
- Decentralized Lightweight Detection of Eclipse Attacks on Bitcoin Clients
Tools
- Legions is a Swiss Army knife by Consensys Diligence for interacting with smart contracts and Ethereum nodes.
Fun
- What could be better than Snakes on a Plane? How about a 90s-style flick about a billion dollars in crypto on an armored plane circling the world while hosting an illegal gambling ring. Trailer.
Stay informed, stay healthy, and head over to /r/blocksec subreddit for blockchain security news through the week.
-Peter