BlockThreat - Week 5, 2021
Yearn | DeFlash | ArmorFi | Paradigm CTF | FlyingAtom
Welcome to this week’s edition of Blockchain Threat Intelligence! First, congratulations to Team Dilicious (ConsenSys Diligence) for winning the amazing Paradigm CTF organized by @samczsun, @gakonst, @TylerCrimm and others.
Another major DeFi hack this year: Yearn Finance lost $11M. Critical vulnerabilities were responsibly disclosed to multiple DeFi projects, including one for which Alexander Schlindwein collected a $1.5M bug bounty from ArmorFi. Responsible disclosure is a very welcome trend in an industry plagued by vulnerabilities!
On a much sadder note, an exchange in Poland was physically robbed, with multiple employees injured. Unfortunately, physical attacks, while relatively rare, have devastating effects on human lives when they do occur.
This week’s edition also features a few interesting research articles on front-running, flash loans, and smart contract testing. Let’s dive into the news, but first a note from our friends and sponsors at Halborn:

Halborn is an award-winning, enterprise-grade cybersecurity advisory firm working with some of the best in blockchain and DeFi, including BlockFi, Bancor, Ava Labs and many more. We offer Security Advisory as a service, Advanced Penetration Testing, Smart Contract Auditing, Key Management and DevOps.
Follow on Twitter
We’re Hiring!
Crime
- Police seize $60 million of bitcoin! Now, where’s the password? is a curious case of law enforcement being unable to access a criminal’s funds.
Hacks
- On February 4th, 2021 a vulnerability in Yearn’s v1 yDAI vault was exploited, resulting in an $11M loss. Multiple exploit analysis reports were published, all pointing to a sophisticated attacker using a chain of transactions to manipulate the pool and extract a profit. The hack was detected and mitigated within an hour of the first transaction, which helped minimize further damage. Interestingly, Tether has already frozen 1.7M of the stolen funds.
- On January 22nd, 2021 the office of FlyingAtom was robbed by an armed attacker, resulting in the theft of 120K worth of gold and injuries to two employees.
Vulnerabilities
- DeFlash.finance moved users’ funds after a vulnerability was responsibly disclosed that could have resulted in a $580K loss. The Dedaub team has an excellent writeup on reverse engineering the closed-source contract to exploit the flaw.
- A vulnerability in ArmorFi was discovered and responsibly disclosed by Alexander Schlindwein through the Immunefi platform. As a reward, Alexander earned a whopping 1.5M bounty and an offer from ArmorFi’s CTO to get a tattoo of choice.
- OpenZeppelin fixed an ERC777 reentrancy vulnerability after it was responsibly disclosed by @ritzdorf and @antonper.
- Dark Forest v0.5 artifact minting randomness algorithm was found to be vulnerable and several PoCs were published.
- Multiple vulnerabilities were reported in Typhoon.Cash which may result in griefing, front-running, and integer overflow attacks.
Conferences
- The 2nd International Workshop on Smart Contract Analysis (WoSCA 2021) announced its call for papers with a deadline of May 14th. Check out Confessions of a smart contract paper reviewer for tips on submitting a paper.
Competitions
- Paradigm CTF, one of the best blocksec CTFs I’ve seen, is now over with three winners announced. Congratulations to ConsenSys Diligence for placing 1st! You can find solutions on OpenBlockSec’s Awesome BlockSec CTF list.
Media
- What the hell are the blockchain people doing & why isn't it a dumpster fire? - Building Better Systems Podcast with Dan Guido.
Research
- Return to the Dark Forest by Rekt covers services offered by bloXroute. bloXroute responded refuting some of the claims made.
- 4 effective strategies to come up with Scribble annotations.
- Build a Flash Loan Arbitrage Bot on Infura, Part I.
- Build a Flash Loan Arbitrage Bot on Infura, Part II.
- Insuring Crypto: The Birth of Digital Asset Insurance
Thanks for joining me in this week’s edition and see you all next week!
- Peter Kacherginsky (iphelix)