BlockThreat - Week 15, 2019
EOS | Stellar | China | TRON
This week we focus on evolving security risks to several crypto assets: EOS is undergoing a major governance shift, a potential availability issue has been identified in Stellar, and China's mining crackdown raises the risk of reduced hash power for Proof of Work assets.
News:
- Block Producers change EOS constitution following voting gridlock — a major change to the governance of the EOS network with several security implications. The primary motion was to remove ECAF, an unelected arbitration body known to issue resolutions to freeze and transfer ownership of hacked accounts as well as revert malicious transactions. These capabilities still exist and may be exercised by the 21 elected block producers (BPs). However, under the new constitution, BPs are no longer obligated to help with future cases of account compromise or hacks, so victims of phishing or key theft should not count on recovery.
- China Plans to Ban Cryptocurrency Mining in Renewed Clampdown — a drop in total hash power lowers the cost of acquiring a majority of it, weakening the resistance of Proof of Work cryptocurrencies to 51% attacks. This is consistent with previous crackdown threats by China against miners, exchanges, and ICOs over the past years.
- Binance Partners with CipherTrace to Further Strengthen Compliance Culture — an interesting announcement that should help Binance boost its AML and blockchain investigation capabilities.
Bugs:
- Is Stellar As Secure As You Think? — an upcoming paper was announced that analyzes the risk of a cascading failure in the Stellar network if just 2 validators are shut down. The paper most likely refers to the over-dependence of the Stellar network on the three official Stellar Development Foundation (SDF) validators: if most nodes' quorum sets cannot be satisfied without them, taking them offline leaves no quorum and ledgers stop closing. SDF has recently been diversifying its quorum sets to include more non-SDF validators.
- Fatal TransferMint Bug in Multiple TRC20 Smart Contracts — a vulnerability pattern discovered by the PeckShield team in several TRON contracts implementing TRC20 that can result in token inflation.
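To make the Stellar quorum dependency concrete, here is an added example (not code from the paper, from SDF, or from stellar-core) that models Stellar-style quorum sets and checks whether any quorum survives when a given set of validators goes offline. The topologies, node names F1..F3 and O1..O5, and thresholds are constructed for illustration and are not Stellar's real configuration; quorum sets are flattened to a single threshold over a validator list, whereas real stellar-core quorum sets can nest inner sets.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class QuorumSet:
    """A flat quorum set: the node is satisfied when at least `threshold`
    of the listed validators (itself included, as in stellar-core) are present.
    Simplification for this example: real quorum sets may contain inner sets."""
    threshold: int
    validators: FrozenSet[str]

    def satisfied_by(self, nodes: Set[str]) -> bool:
        return len(self.validators & nodes) >= self.threshold


def greatest_quorum(config: Dict[str, QuorumSet], live: Set[str]) -> Set[str]:
    """Largest quorum contained in `live`, or the empty set if none exists.

    A quorum is a set U in which every member has a satisfied quorum set
    inside U. Start from all live nodes and repeatedly drop any node whose
    quorum set is not satisfied by the remaining candidates. Every quorum
    inside `live` survives each round, so the fixed point is the greatest one.
    """
    candidate = set(live)
    changed = True
    while changed:
        changed = False
        for v in sorted(candidate):
            if not config[v].satisfied_by(candidate):
                candidate.discard(v)
                changed = True
    return candidate


def halts_after(config: Dict[str, QuorumSet], down: Set[str]) -> bool:
    """True if taking `down` offline leaves no quorum at all: no node can
    reach agreement and the network stops closing ledgers (a liveness failure)."""
    live = set(config) - down
    return len(greatest_quorum(config, live)) == 0


def flat(threshold: int, *names: str) -> QuorumSet:
    return QuorumSet(threshold, frozenset(names))


FOUNDATION = ("F1", "F2", "F3")   # hypothetical "official" validators
ORGS = ("O1", "O2", "O3", "O4", "O5")  # hypothetical third-party validators

# Constructed topology 1: every node trusts only the three foundation
# validators and needs 2 of 3. This is the over-dependence pattern.
DEPENDENT: Dict[str, QuorumSet] = {
    name: flat(2, *FOUNDATION) for name in FOUNDATION + ORGS
}

# Constructed topology 2: every node trusts a mix of foundation and
# third-party validators and needs 5 of the 8 listed nodes.
ALL = FOUNDATION + ORGS
DIVERSIFIED: Dict[str, QuorumSet] = {name: flat(5, *ALL) for name in ALL}

if __name__ == "__main__":
    print("dependent, F1+F2 down      -> halts:", halts_after(DEPENDENT, {"F1", "F2"}))
    print("diversified, F1+F2 down    -> halts:", halts_after(DIVERSIFIED, {"F1", "F2"}))
    print("diversified, 4 nodes down  -> halts:", halts_after(DIVERSIFIED, {"F1", "F2", "O1", "O2"}))
```

In the dependent topology, losing two of the three foundation validators leaves every node one short of its threshold, so the elimination empties the candidate set and the whole network halts, which is the cascading failure the paper describes. In the diversified topology the same outage still leaves a six-node quorum. Note that this check covers availability only; whether the surviving quorums still intersect (the safety property) is a separate analysis.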
Hacks:
- Can a Hardware Wallet Get Phished? — details of a phishing attack targeting Trezor hardware wallet users; the device itself is not compromised, but a user who enters the recovery seed into a fake wallet interface loses everything it protects.
- Malicious browser extension targeting MyEtherWallet, Binance, Coinbase, and LocalBitcoins — a detailed thread on a browser extension that steals session cookies and private keys.
Products:
- FireWall.X Mitigates the Risk of Attacks for Apps — an article discussing a novel solution by the SlowMist team to help defend EOS smart contracts. By embedding the FireWall.X library in a smart contract, developers can detect known bad actors and unwanted token transfer behavior at the point where the contract is called.
Research:
- Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges — a fascinating paper and a corresponding website explore several fraud and security risks introduced by decentralized exchanges (DEX). They document gas-replacement and front-running tricks currently being abused by bots, which outbid each other in the mempool by repeatedly resubmitting the same transaction at a higher gas price, as well as the growing incentive for miners to reorder transactions, or even reorganize blocks, to profit from trades, a threat to consensus stability itself.
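The gas-replacement bidding wars described in the paper have a recognizable shape in a node's mempool: the same (sender, nonce) pair reappears with a rising gas price, and several senders do this against the same contract call at once. The following is an added example, not code from the paper or its website, that detects both patterns over a constructed mempool snapshot. The addresses, nonces, selectors and prices are made up; the 10% minimum bump mirrors the default replacement rule in geth, since a node will not replace a pending transaction for a smaller raise.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int]            # (sender, nonce)
Target = Tuple[str, str]         # (contract address, 4-byte function selector)

# Constructed mempool snapshot (not real chain data). `seen_at` is the arrival
# time in seconds, `gas_price` is in gwei, `selector` is a placeholder.
PENDING: List[dict] = [
    {"from": "0xbotA", "nonce": 7,  "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 20, "seen_at": 0.0},
    {"from": "0xbotB", "nonce": 3,  "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 25, "seen_at": 0.3},
    {"from": "0xuser", "nonce": 12, "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 10, "seen_at": 0.5},
    {"from": "0xbotA", "nonce": 7,  "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 31, "seen_at": 0.6},
    {"from": "0xcarol", "nonce": 1, "to": "0xtoken", "selector": "0xa9059cbb", "gas_price": 8,  "seen_at": 0.7},
    {"from": "0xbotB", "nonce": 3,  "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 40, "seen_at": 0.9},
    {"from": "0xbotA", "nonce": 7,  "to": "0xdex",   "selector": "0xaabbccdd", "gas_price": 45, "seen_at": 1.2},
    {"from": "0xcarol", "nonce": 1, "to": "0xtoken", "selector": "0xa9059cbb", "gas_price": 9,  "seen_at": 1.5},
]


def replacement_chains(pending: List[dict], min_bump_pct: float = 10.0) -> Dict[Key, List[int]]:
    """Return (sender, nonce) pairs seen more than once with a strictly rising
    gas price, each step raised by at least `min_bump_pct`, mapped to the
    sequence of prices. Only such chains are real replacements: a node drops
    a resubmission that does not clear the bump."""
    by_key: Dict[Key, List[dict]] = defaultdict(list)
    for tx in pending:
        by_key[(tx["from"], tx["nonce"])].append(tx)
    chains: Dict[Key, List[int]] = {}
    for key, txs in by_key.items():
        prices = [t["gas_price"] for t in sorted(txs, key=lambda t: t["seen_at"])]
        if len(prices) < 2:
            continue
        if all(b >= a * (1 + min_bump_pct / 100) for a, b in zip(prices, prices[1:])):
            chains[key] = prices
    return chains


def priority_gas_auctions(pending: List[dict], min_bidders: int = 2,
                          min_bump_pct: float = 10.0) -> Dict[Target, Set[str]]:
    """Targets where at least `min_bidders` distinct senders each run a
    replacement chain: the signature of bots outbidding one another for the
    same opportunity. A lone chain (someone speeding up their own tx) is ignored."""
    chains = replacement_chains(pending, min_bump_pct)
    # A replacement may change `to`/calldata, so take the latest version seen.
    latest_target: Dict[Key, Target] = {}
    for tx in sorted(pending, key=lambda t: t["seen_at"]):
        latest_target[(tx["from"], tx["nonce"])] = (tx["to"], tx["selector"])
    bidders: Dict[Target, Set[str]] = defaultdict(set)
    for (sender, nonce) in chains:
        bidders[latest_target[(sender, nonce)]].add(sender)
    return {target: s for target, s in bidders.items() if len(s) >= min_bidders}


if __name__ == "__main__":
    for key, prices in replacement_chains(PENDING).items():
        print("replacement chain", key, prices)
    for target, senders in priority_gas_auctions(PENDING).items():
        print("priority gas auction on", target, "between", sorted(senders))
```

On the sample, 0xbotA and 0xbotB are bidding against each other for the same call on 0xdex, while 0xcarol's single bump on 0xtoken is an ordinary speed-up and is not flagged. The same visibility is what gives a miner the reordering incentive the paper warns about: whoever assembles the block can see the winning bid and simply place their own transaction ahead of it.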
That is all for this week in blockchain threat intelligence. On the fun side, check out Crypto, the movie. This direct-to-DVD flick is a bit cheesy but still fun to watch.