BlockThreat - Week 6, 2021
Lazarus | KeepChange | Alpha Homora | BT.Finance | Growth DeFi
The Lazarus group was implicated in last year’s KuCoin exchange hack. Chainalysis published a fantastic crypto crime report detailing the exploits of many criminal groups as well as a detailed breakdown of Lazarus cryptocurrency money laundering operations. Joker’s Stash is shutting down, three major DeFi hacks happened last week with more than $41M stolen, KERNEL Security published conference videos, another excellent tool was published by Consensys Diligence, and more in this week’s edition.
Crime
- Chainalysis published its 2021 Crypto Crime Report. The report notes an overall decrease in cryptocurrency theft from exchange hacks and scams. On the less positive side, ransomware theft and DeFi incidents were on the rise. The report includes in-depth coverage of North Korea’s Lazarus group money laundering activity following the massive KuCoin $275M+ hack.
- A UN Panel reported that North Korea is laundering the proceeds of cryptocurrency exchange hacks to fund its nuclear program.
- Joker’s Stash marketplace is closing. In its six-year run, the darknet marketplace amassed almost 60K BTC in commission (~$2.5B).
- Feds’ $3 billion Bitcoin seizure tied to corrupt federal agents. The US DoJ released a statement in November of last year announcing that 70K BTC had been voluntarily transferred by an anonymous individual. The article points to Shaun Bridges, a former USSS agent in prison for laundering Silk Road funds, as the likely person who turned in the stolen bitcoins.
- Egregor ransomware operators arrested in Ukraine. Launched in 2020, the Ransomware-As-A-Service group stole up to $50M from 200+ victims.
- 100+ financial institutions were hit with DDoS extortion attacks demanding bitcoin as a ransom.
Hacks
- On February 12th, 2021 Alpha Homora v2 was exploited, resulting in the theft of $38M worth of USDC, DAI, USDT, and WETH. An insider is suspected of having executed the attack.
- On February 9th, 2021 BT.Finance was exploited using a technique similar to the recent Yearn hack, with $1.7M stolen.
- On February 8th, 2021 the Growth DeFi rAAVE pool was exploited by forcing a liquidity pair containing a fake token, resulting in the theft of $1.3M worth of ETH.
- On February 8th, 2021 Blockfolio’s news/signal feed was hacked to display offensive content. No additional services were affected by the incident.
- On February 7th, 2021 the KeepChange exchange was hacked, resulting in the theft of customers’ PII including email addresses and password hashes. The exchange noted that attackers attempted but failed to steal cryptocurrency from users’ wallets.
Vulnerabilities
- A vulnerability in an arbitrage bot was discovered by the Dedaub team. The team detected a flawed approver function by reverse engineering a closed-source contract and proceeded to whitehat hack the contract to prevent the theft of almost 80K in assets.
- The Avalanche network went down as a result of a consensus failure after a bug in the minting verification logic was triggered under heavy load. The incident did not result in a monetary loss.
- Curve Finance shut down the Yearn Finance v2 pool after discovering a vulnerability.
Projects
- The Code 423n4 project aims to promote open code reviews using contests.
Media
- KERNEL Security Track 1 - Lay of the Decentralized Land with Corey Petty
- KERNEL Security Track 2 - Automated Tooling with Joran Honig.
- KERNEL Security Track 3 - Manual Review with OpenZeppelin with Leo Arias.
- KERNEL Security Track 4 - DeFi Safety - Transparency and Process Quality with Rex Hygate.
Research
- Flashbots Transparency Report — January 2021 by thegostep discusses the latest state of front-running bots, including a whitehat rescue of NFT funds from a compromised wallet together with @samczsun.
- A fantastic resource by the Origin Protocol security team, which publishes DeFi incident reports with detailed analysis within 24 hours of their occurrence.
- How to keep Crypto Exchange secure? Part 1/2 by Pawel Kurylowicz offers a great survey of exchange security controls.
- ArmorFi Bug Bounty Postmortem by Immunefi.
- Under the Armor by Rekt is an investigative report proving foul play in the claims of theft made by an ArmorFi user.
- An Introduction to Solidity's Fuzz Testing Approach by Bhargava Shastry.
- Low-cost attacks on Ethereum 2.0 by sub-1/3 stakeholders.
- Nour Haridy proposed an interesting “Bloxy Dorking” technique for searching for vulnerabilities on the Bloxy platform, similar to Google Dorks.
- How Smart Contracts Can Be Automatically Verified by Shard Labs discusses a new tool to pull and verify smart contract source code.
Tools
- Tarantula by Consensys Diligence is a tool to help with fault localisation.
Stay informed, stay healthy, and see you next week!
- Peter Kacherginsky (iphelix)