BlockThreat - Week 47, 2020
Pickle | 88mph | Origin | GoDaddy | NiceHash | Liquid
Four separate DeFi projects were exploited last week with $30M worth of crypto stolen, GoDaddy had its own Twitter moment with multiple cryptocurrency-related projects attacked, scammers are getting creative with DEX, and more in this week’s edition of Blockchain Threat Intelligence.
Crime
- Social engineering campaign targeting GoDaddy employees used to attack multiple cryptocurrency businesses including NiceHash, Liquid Exchange, and others.
- Scammers are creating fake liquidity pools on DEXs such as Uniswap to trick users into purchasing doppelgänger tokens. For example, a fake Deriswap token was created and immediately deployed on Uniswap. Within minutes, the scammer made off with a ~92 ETH profit.
Hacks
- On November 21, 2020 Pickle Finance’s pDAI PickleJar was hacked which resulted in the loss of 19.76M DAI. A whitehat team was able to quickly analyze and replicate the exploit and help Pickle Finance implement mitigations. Interestingly, the loss was covered by COVER protocol insurance.
- On November 18, 2020 NiceHash’s DNS records were taken over by attackers. The hack is the latest in the series of attacks on cryptocurrency projects hosted on GoDaddy.
- On November 17, 2020 two separate vulnerabilities were discovered in the 88mph project. The first, a money-printing bug, was exploited by an unknown attacker and resulted in a $100K loss. The second vulnerability was responsibly disclosed by samczsun and used to rescue the remainder of the funds in the Uniswap pool.
- On November 16, 2020 Origin Protocol's contract was exploited through a reentrancy vulnerability in its mint logic. The attack resulted in a $7.7M loss.
- On November 16, 2020 a price oracle weakness in the Cheese Bank DeFi contract was exploited using a flash loan attack, which resulted in a $3.3M loss.
- On November 13, 2020 Liquid exchange’s DNS record was taken over by an attacker through social engineering of GoDaddy. The compromise may have resulted in the loss of login and personal information.
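The Origin incident above is described only as "a reentrancy vulnerability in the mint logic". The following is an added example, written for this issue and not Origin Protocol's contract or any code from the projects mentioned: a toy vault whose mint() makes an external call into the deposited token between two accounting updates, a token with a sender-side transfer hook (an assumed ERC777-style behaviour), and a depositor contract that re-enters mint() from that hook to receive shares at a stale price. The fixed vault applies checks-effects-interactions and a reentrancy guard. Names, balances and amounts are constructed; run_tx() is a stand-in for transaction atomicity, since Python has no revert.

```python
# Added example, not code from BlockThreat, Origin Protocol or any project named
# in this issue. Models a generic mint-path reentrancy; all values are constructed.

class Reverted(Exception):
    """Stands in for an EVM revert."""


class HookedToken:
    """Token whose transfer_from calls the sender's on_send hook before moving
    balances (assumed ERC777-style behaviour). hooks maps holder name -> contract."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}

    def transfer_from(self, sender, recipient, amount):
        hook = self.hooks.get(sender)
        if hook is not None:
            hook.on_send()                      # external call into arbitrary code
        if self.balances.get(sender, 0) < amount:
            raise Reverted("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class VulnerableVault:
    """Shares are credited, then the token is pulled, then assets are credited.
    Inside the external call total_shares is already inflated while total_assets
    is stale, so a re-entrant mint() is priced too cheaply."""
    def __init__(self, token):
        self.token = token
        self.total_shares = 0
        self.total_assets = 0
        self.shares = {}

    def _shares_for(self, amount):
        if self.total_shares == 0:
            return amount
        return amount * self.total_shares // self.total_assets

    def mint(self, depositor, amount):
        minted = self._shares_for(amount)
        self.total_shares += minted                              # effect 1
        self.shares[depositor] = self.shares.get(depositor, 0) + minted
        self.token.transfer_from(depositor, "vault", amount)     # interaction: hook runs here
        self.total_assets += amount                              # effect 2, too late
        return minted

    def value_of(self, holder):
        if self.total_shares == 0:
            return 0
        return self.shares.get(holder, 0) * self.total_assets // self.total_shares


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: all accounting is updated before the external
    call, and a guard rejects any re-entrant call outright."""
    def __init__(self, token):
        super().__init__(token)
        self._locked = False

    def mint(self, depositor, amount):
        if self._locked:
            raise Reverted("reentrant call")
        self._locked = True
        try:
            minted = self._shares_for(amount)
            self.total_shares += minted
            self.total_assets += amount
            self.shares[depositor] = self.shares.get(depositor, 0) + minted
            self.token.transfer_from(depositor, "vault", amount)
            return minted
        finally:
            self._locked = False


class Attacker:
    """Depositor contract: re-enters mint() once from the token's send hook."""
    def __init__(self, vault, name="attacker", amount=1000):
        self.vault, self.name, self.amount = vault, name, amount
        self.reentered = False

    def on_send(self):
        if not self.reentered:
            self.reentered = True
            self.vault.mint(self.name, self.amount)

    def attack(self):
        self.reentered = False
        return self.vault.mint(self.name, self.amount)


def run_tx(vault, fn):
    """Mimic transaction atomicity: a Reverted anywhere rolls all state back."""
    saved = (vault.total_shares, vault.total_assets, dict(vault.shares), dict(vault.token.balances))
    try:
        return fn()
    except Reverted as exc:
        vault.total_shares, vault.total_assets, vault.shares, vault.token.balances = saved
        return exc


def run_scenario(vault_cls):
    """Honest depositor first, then the attacker; returns who can claim what."""
    token = HookedToken({"alice": 1000, "attacker": 2000})   # constructed balances
    vault = vault_cls(token)
    vault.mint("alice", 1000)                                  # 1000 shares backed by 1000 assets
    attacker = Attacker(vault)
    token.hooks["attacker"] = attacker
    outcome = run_tx(vault, attacker.attack)
    return {
        "reverted": isinstance(outcome, Reverted),
        "attacker_shares": vault.shares.get("attacker", 0),
        "attacker_deposited": 2000 - token.balances["attacker"],
        "attacker_claim": vault.value_of("attacker"),
        "alice_claim": vault.value_of("alice"),
    }
```

Against VulnerableVault the attacker deposits 2000 but ends up with 3000 of 4000 shares, a claim on 2250 of the vault's 3000 assets, with the difference taken from alice; against SafeVault the re-entrant call reverts and nothing changes. The point is the ordering, not the hook itself: any external call sitting between two dependent state updates gives a caller a window in which the contract's own invariants do not hold.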
Research
- Modelling Attacks in Blockchain Systems using Petri Nets.
- Demystify the dark forest on Ethereum - Sandwich Attacks.
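Two items in this issue rest on the same mechanism: the Cheese Bank flash loan attack on a price oracle (Hacks) and the sandwich attacks covered in the "dark forest" paper (Research). Both come down to how a constant-product pool reprices when someone trades against it. The following is an added example, written for this issue and not code from BlockThreat, Uniswap, Cheese Bank or the paper: a minimal x*y=k pool with an assumed 0.30% fee, a manipulate_spot() function that shows what a contract reading the pool's reserves as a price feed would see during a single flash-loan-funded transaction, and a sandwich() function that front-runs and back-runs a victim swap and is bounded only by the victim's own slippage tolerance. Reserves, fee and trade sizes are constructed numbers.

```python
# Added example; not code from BlockThreat or any project named in this issue.
# Constant-product (x*y=k) pool model; fee and all amounts are assumptions.

FEE_BPS = 30           # assumed 0.30% fee taken from the input amount
BPS = 10_000


class SlippageExceeded(Exception):
    """Stands in for the on-chain revert when output < the trader's minimum."""


class ConstantProductPool:
    def __init__(self, reserve_x: int, reserve_y: int):
        self.x = reserve_x     # e.g. a stablecoin
        self.y = reserve_y     # e.g. a volatile token

    def spot_price(self) -> float:
        """Naive oracle: X per Y, read straight from the current reserves."""
        return self.x / self.y

    @staticmethod
    def _out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        """x*y=k output with the fee removed from the input (integer math)."""
        amount_in_with_fee = amount_in * (BPS - FEE_BPS)
        return (amount_in_with_fee * reserve_out) // (reserve_in * BPS + amount_in_with_fee)

    def quote_x_to_y(self, dx: int) -> int:
        return self._out(dx, self.x, self.y)

    def swap_x_to_y(self, dx: int, min_out: int = 0) -> int:
        dy = self.quote_x_to_y(dx)
        if dy < min_out:
            raise SlippageExceeded(f"got {dy} < min_out {min_out}")
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_to_x(self, dy: int, min_out: int = 0) -> int:
        dx = self._out(dy, self.y, self.x)
        if dx < min_out:
            raise SlippageExceeded(f"got {dx} < min_out {min_out}")
        self.y += dy
        self.x -= dx
        return dx


def manipulate_spot(reserve_x: int, reserve_y: int, flash_loan_x: int) -> dict:
    """One-transaction oracle manipulation: borrow X, buy Y, let a contract that
    reads reserves value Y at the inflated spot, sell Y back, repay the loan.
    The attacker only pays fees plus rounding for the round trip."""
    pool = ConstantProductPool(reserve_x, reserve_y)
    before = pool.spot_price()
    y_bought = pool.swap_x_to_y(flash_loan_x)
    during = pool.spot_price()            # what a reserve-reading oracle reports now
    x_back = pool.swap_y_to_x(y_bought)   # unwind so the flash loan can be repaid
    return {
        "price_before": before,
        "price_during": during,
        "inflation": during / before,
        "round_trip_cost": flash_loan_x - x_back,
    }


def sandwich(reserve_x: int, reserve_y: int, victim_dx: int,
             victim_min_out: int, attacker_dx: int) -> dict:
    """Front-run the victim's X->Y buy, let it fill at the worse price, then sell
    the Y back. Raises SlippageExceeded when the front-run pushes the victim's
    output below victim_min_out, i.e. the victim's tolerance caps the attack."""
    pool = ConstantProductPool(reserve_x, reserve_y)
    quoted = pool.quote_x_to_y(victim_dx)          # what the victim saw when signing
    y_front = pool.swap_x_to_y(attacker_dx)        # attacker tx ordered first
    victim_got = pool.swap_x_to_y(victim_dx, victim_min_out)
    x_back = pool.swap_y_to_x(y_front)             # attacker tx ordered last
    return {
        "victim_quoted": quoted,
        "victim_got": victim_got,
        "attacker_profit": x_back - attacker_dx,
    }
```

With a 1,000,000 X / 1,000 Y pool and a 1,000,000 X flash loan, manipulate_spot() reports the spot price roughly quadrupling for the duration of the transaction at a round-trip cost of a few thousand X; that gap is what a lending contract pricing collateral off raw reserves hands to the attacker. The mitigation is an oracle that cannot be moved inside one transaction, such as a time-weighted average of end-of-block prices. For sandwich(), the only control the victim has is min_out: a tight tolerance makes the profitable front-run size small enough that the attacker's fees eat the gain, and a loose one is an open invitation.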
Competitions
- 0xPOLAND is an ongoing competition challenging players to crack open a puzzle in a smart contract.
Stay informed, stay healthy, and see you next week!
-Peter