BlockThreat - Week 42, 2021
CoinMarketCap | Kusama | Polygon | PancakeHunny | Youtube | CreatureToadz
Welcome to BlockThreat!
This week featured two critical blockchain protocol vulnerabilities on the Polygon and Kusama networks. Unfortunately, the latter was only discovered after it had already been exploited. On an even less fun side, CoinMarketCap lost 3.1M subscriber email accounts, so brace yourselves for the crypto phishing barrage. We have also observed a fascinating live chat with a 17-year-old Discord NFT hacker/phisher caught red-handed, which revealed some of the techniques used in a number of recent crypto Discord server takeovers.
In other news, the new National Cryptocurrency Enforcement Team (NCET) has a director role opening to lead the team. Also, be sure to check out a fun CTF challenge from the Paradigm CTF team.
Let’s dive into the news:
GCHQ to use new cyber force to hunt ransomware gangs. The announcement follows the revelation of a joint FBI, Cyber Command, and SS operation to take down REvil infrastructure.
On October 19, 2021 a CreatureToadz NFT Discord moderator account was compromised using an unidentified technique involving screen sharing and a leaked webhook URL. The compromised account was used to direct users to a phishing site and steal $300K worth of ETH. Amazingly, while hosting a Twitter Spaces chat, the moderators identified the attacker, who was also in the chat and gave a lengthy interview. The attacker promptly returned all of the stolen funds after the discovery. NBA Topshots, MaskByte, and other NFT Discord projects were compromised in a similar fashion.
Phishing campaign targets YouTube creators with cookie theft malware by Ashley Shen (Google TAG) describes an ongoing cookie theft campaign targeting YouTube creators to push cryptocurrency scam videos.
On October 12, 2021 the CoinMarketCap customer database was breached, resulting in the leak of 3.1M user email addresses. As with previous such leaks, expect to see an increase in cryptocurrency-related phishing attacks.
On October 12, 2021 Karura, a Kusama parachain, lost $3.5M worth of KSM tokens after an attacker injected malicious XCM (cross-chain message) transactions exploiting a vulnerability in the code base. Most of the stolen funds were reclaimed through a governance action.
On October 18, 2021 WeDEX lost $100K after an attacker was able to repeatedly call the emergencyWithdraw() function due to a misconfiguration.
On October 20, 2021 PancakeHunny lost $2.3M worth of BNB and TUSD after an attacker exploited a profit inflation bug, with the impact further amplified by flash loans.
On October 20, 2021 the AVATerra token on the Avalanche C-Chain suffered a total loss after a number of users called an unprotected mint() function.
Avalanche Sample TX: 0xcebe6a9fd60986b40c55014a68e89abd2cc330d2d5dce6493f4509712b3a0602
Unlock Protocol patched a critical vulnerability that could allow anyone to burn tokens from arbitrary addresses.
Geth patched a vulnerability in the P2P protocol that could result in node crashing or halting.
Polygon fixed a critical double spend vulnerability in the Plasma Bridge after it was responsibly disclosed by Gerhard Wagner. The whitehat collected a cool $2M bounty thanks to the bug bounty program hosted by Immunefi.
Alpha Finance patched a vulnerability in its Alpha Homora V2 contract which allowed MEV bots to arbitrage a significant slippage percentage.
Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor by Sophos reveals multiple compromised NPM packages.
Hitting the BlackMatter gang where it hurts: In the wallet by EmsiSoft shares a story of a flaw in a ransomware family which was used to help victims decrypt their files.
Three Attacks on Proof-of-Stake Ethereum by Ethereum Foundation and Stanford University researchers outlines several attacks that may manipulate validator profits, cause reorgs, and delay the chain.
For $200, You Can Trade Crypto With a Fake ID by Anna Baydakova (CoinDesk) explores dark web marketplaces trading accounts, fake IDs and identities to help scammers access popular cryptocurrency exchanges.
How To Prevent NFT Trait Sniping In Your PFP Project by Justin Hunter describes a remedy to a common exploit haunting recent NFT launches using a new submarining feature on the Pinata IPFS platform.
Flashloan monitor by BlockSecTeam
Help support BlockThreat!
Over the past two years, BlockThreat has gained more than a thousand followers, including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes 10+ hours weekly to prepare. If you found BlockThreat valuable, consider supporting its future growth:
Stay informed, stay healthy and see you in the next week’s edition!
- Peter Kacherginsky (iphelix)