BlockThreat - Week 48, 2020

Welcome to this week’s edition of Blockchain Threat Intelligence. Today we are going to cover an all out war that broke on the newly forked BCH ABC blockchain, a couple of minor DeFi incidents, and plenty of research material to keep you occupied during the winter season. Enjoy and try to avoid stealing Borat’s identity as a KYC on exchanges. Chenqui, thanks for your donations in the latest Gitcoin round.

News

• Chinese police reports that it seized $4.2B worth of cryptocurrencies from PlusToken scammers. A related report by Onchain Research reveals additional details on how CCP handled seized funds.
• BlockSeer, a blockchain analytics company, introduces a beta Bitcoin mining pool which will only include “legitimate” transactions. The experiment raises questions about trying to censor the inherently decentralized network and the futility of the effort.

Hacks

• Starting on November 20th, 2020 a voluntarism.dev miner group conducted a 51% attack to against the newly forked Bitcoin Cash ABC blockchain which introduced a contested 8% by mining fee. The incident is an interesting case study where an attacker is motivated by a desire to cause damage to the network even at a personal financial cost.The attack was executed in multiple stages first starting with mining (mostly) empty blocks and filling mempool with large amounts of 0.002 BCHA dust transactions. The initial attack occasionally allowed legitimate miners to successfully publish a block with transactions. So, on November 27th, the attacker has also started to actively orphan blocks which did not use a modified client with a much higher 100% mining fee.On November 30th, Mining-Dutch, ViaBTC pools and an unknown miner have invalidated an attacker block in secret and orphaned 172 attacker blocks starting at block 662673. The malicious miner has not responded to the counter-attack and has since started moving their accumulated BCHA coinbase rewards.Interestingly, coinbase transactions were actively used by both the attacker and defenders as a communication medium. Attacker’s coinbase messages include:
  
  Nov 25th 2020: bcha dump | voluntarism.dev
  不管黑哈希白哈希，能维护矿工利益的就是好哈希 voluntarism.dev:6174 x/x
  Nov 27th 2020: run the numbers | voluntarism.dev
  voluntarism.dev:6174 x/x | the price of freedom
  
  One of the miners show back with the alleged identity of the attacker with a coinbase message “voluntarism.dev, aka asicseer.com and u/ugtarmas, is a bully”.
• On November 29th, 2020 a vulnerability in SushiSwap was exploited to steal $15K from the platform. The attack does not appear to be malicious, but rather the result of someone experimenting with the platform.
• On November 26, 2020 about $88.4M worth of collateral were liquidated on the Compound platform caused by the Coinbase price oracle reporting a spike in DAI to $1.3. While it’s not clear if the price spike was the result of a malicious action, it is a reminder into the crucial role price oracles play in securing the DeFi ecosystem.

Research

• Token Interaction Checklist by Consensys Dilligence explores various security pitfalls when interacting with a variety of Ethereum Token standards.
• Governance Minimization by Fred Ehrsam discusses challenges with the DAO governance design present in may DeFi and blockchain projects.
• 88mph Incident Post-Mortem from Bacon Lab developers documents the race to not only patch the initial minting exploit, but also secretly rescue funds due to an exploit privately reported by samczsun. Interestingly, the later recovery used SparkPool’s Taichi Network to avoid front-running.
• Flashbots: Frontrunning the MEV Crisis article discusses multiple approaches to combat risks posed by miner-extractable value (MEV) attacks.
• Write-ups and lessons learned from Damn Vulnerable #DeFi where Damian Rusinek goes over solutions for all of the challenges in the wargame.
• Cornichon is a pre-hack environment to study the Pickle.Finance incident.
• ModCon: a model-based testing platform for smart contracts.
• Taming Callbacks for Smart Contract Modularity.
• A Survey on Vulnerability Detection Tools of Smart Contract Bytecode.
• Mitigating Channel Jamming with Stake Certificates from folks at BitMEX.
• Security Best Practices for a ETH2 validator beaconchain node.
• Eth2 Slashing Prevention Tips.

Tools

• VSCode Solidity Metrics by Consensys Dilligence is a fantastic tool for Solidity auditors which provides a range of useful data to quickly triage smart contract’s complexity, capabilities, identify privileged and public functions, and many other useful stats. The latest update introduces library doppelganger scanner to quickly identify library code.
• MEV Inspect by Flashbots projects analyzes Ethereum blockchain to better understand miner-extractable value (MEV) opportunities on a variety DeFi projects.

Events

• 0xPOLAND competition mystery revealed.

That’s all for this week folks. Stay healthy, stay curious and see you next week!

-Peter