BlockThreat - Week 45, 2021
Curve | Robinhood | REvil | Blizzard | OpenSea
Welcome to BlockThreat!
This week the DeFi ecosystem was rocked by malicious insiders, governance attacks and oracle price manipulation exploits. If you are not already on the lookout for phishing emails, this week's massive Robinhood breach should serve as a solid signal that a barrage is coming. Europol continues dismantling ransomware groups with a number of key arrests around the world. In the fun news department, thieves in San Francisco are setting up one helluva mining rig while the NSA is looking for "a backdoor into the blockchain."
Europol announced the arrests of REvil and GandCrab ransomware affiliates in Romania and Kuwait as part of the international GoldDust operation involving 17 nations.
The physical offices of the South Korean Upbit exchange were almost set on fire by a disgruntled customer.
Thieves ripped a bitcoin ATM out of a Barcelona crypto store, an ordeal captured on a wild video.
OpenZeppelin released Smart Contract Security Registry to help track projects associated with a smart contract address as well as a security contact in case a vulnerability is discovered.
A scam campaign extorts Instagram users into recording Bitcoin-scam videos in exchange for getting their stolen funds back.
Wired published an interesting article on anonymous Twitter users hunting crypto scammers in their spare time.
On November 3, 2021 Robinhood was targeted with a social engineering attack which resulted in unauthorized access to an internal customer management tool. Robinhood reported that more than 5 million customer email addresses, 2 million full names, and other data were compromised.
On November 10, 2021 Curve suffered an attempted governance attack by Mochi, which minted large amounts of its USDM token to purchase CVX tokens used in voting. Curve responded with an emergency DAO action restricting Mochi's ability to vote on changes to the protocol.
On November 13, 2021 Blizzard, an Avalanche-based DeFi project, lost $1M in assets after a couple of malicious insiders colluded to exploit a previously reported vulnerability.
On November 13, 2021 Welnance, a BSC-based DeFi project, lost $100K in an oracle price manipulation attack.
OpenSea patched a critical vulnerability which could allow bad actors to mint NFTs on behalf of unwilling third parties after it was responsibly disclosed by @fuckingrug. The disclosure process itself caused some disagreement over the size of the bounty.
Harvest Finance patched a vulnerability in its proxy contract after it was responsibly disclosed by the Dedaub team using Immunefi.
Trend Micro reports on TeamTNT abusing compromised Docker Hub accounts to deliver Monero miners.
Europol published Internet Organized Crime Threat Assessment (IOCTA) 2021 report which includes detailed treatment of ransomware and the use of cryptocurrencies in dark web marketplaces.
Manipulating Uniswap v3 TWAP (Time-Weighted Average Price) by Michael Bentley.
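The oracle manipulation behind the Welnance incident above and the TWAP article linked here share one mechanic: a spot price can be pushed anywhere within a single block, but a time-weighted average only moves in proportion to how long the attacker holds it there. The toy model below is an added illustration, not code from the article or from Uniswap: it mirrors the v3 oracle's tick-cumulative bookkeeping (price = 1.0001 ** tick, the oracle stores tick * elapsed seconds) with a constructed observation series and an assumed 13-second block time.

```python
"""Toy Uniswap v3-style TWAP: single-block spot spike vs. a 30-minute window.

Added illustration, not code from the linked article or from Uniswap.
Observation data is constructed; BLOCK_SECONDS is an assumption.
"""
import math

BLOCK_SECONDS = 13  # assumed block time for the scenario


def build_observations(intervals):
    """Turn (duration_seconds, tick) intervals into (timestamp, tickCumulative)
    observations, the way v3 accumulates tick * elapsed time."""
    obs = [(0, 0)]
    ts = cum = 0
    for duration, tick in intervals:
        ts += duration
        cum += tick * duration
        obs.append((ts, cum))
    return obs


def cumulative_at(obs, ts):
    """tickCumulative at time ts, interpolating inside an interval like
    observe() does (the tick is constant between two observations)."""
    for (t0, c0), (t1, c1) in zip(obs, obs[1:]):
        if t0 <= ts <= t1:
            tick = (c1 - c0) // (t1 - t0)
            return c0 + tick * (ts - t0)
    raise ValueError("timestamp outside recorded observations")


def twap_tick(obs, now, window):
    """Arithmetic mean tick over [now - window, now]."""
    return (cumulative_at(obs, now) - cumulative_at(obs, now - window)) / window


def tick_to_price(tick):
    return 1.0001 ** tick


def blocks_to_hold(window, attack_tick, target_shift, fair_tick=0):
    """Consecutive blocks an attacker must hold the pool at attack_tick to
    move a `window`-second TWAP by target_shift ticks away from fair_tick.
    Each extra block is another block in which arbitrageurs can trade the
    pool back, so this is the cost driver."""
    return math.ceil(window * target_shift / ((attack_tick - fair_tick) * BLOCK_SECONDS))


def manipulation_demo():
    """Fair tick 0 (price 1.0) for an hour, then the attacker holds tick 10000
    (price ~2.718) for exactly one block. Compare what oracle windows report
    at the end of that block."""
    obs = build_observations([(3600, 0), (BLOCK_SECONDS, 10000)])
    now = 3600 + BLOCK_SECONDS
    return {
        "spot": tick_to_price(twap_tick(obs, now, BLOCK_SECONDS)),   # one-block window = spot
        "tick_1800s": twap_tick(obs, now, 1800),                      # ~72 ticks
        "twap_1800s": tick_to_price(twap_tick(obs, now, 1800)),      # ~0.7% move
    }


if __name__ == "__main__":
    for name, value in manipulation_demo().items():
        print(f"{name}: {value:.4f}")
    print("blocks to shift 30-min TWAP by 1000 ticks:", blocks_to_hold(1800, 10000, 1000))
```

The one-block "window" reports the full 2.7x spike, which is what a protocol reading `slot0` directly would see; the 30-minute TWAP moves about 0.7%. Holding the distorted price across many blocks is what the article's cost analysis is about, and the flip side is latency: a long window also lags legitimate price moves, so it should be paired with a sanity bound rather than used alone.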
Recovering Assets from a Hacked Account with Flashbots by Kane Wallmann.
Mechanics of reorgs in PoS Ethereum thread by caspar.
Trojan Source and Solidity thread by Alex Beregszaszi discusses how Solidity handles Unicode characters and the security implications.
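The Trojan Source trick is that Unicode bidirectional control characters make rendered source differ from what the compiler parses. Solidity keeps identifiers and plain string literals ASCII-only, so the remaining surface is comments and `unicode"..."` literals, which is exactly where a reviewer's eye is weakest. The scanner below is an added pre-audit check, not code from the thread or from the Solidity compiler; the sample contract is constructed to contain one such trick.

```python
"""Flag Unicode bidi-control, zero-width and other non-ASCII characters in
Solidity source before review.

Added check, not code from the linked thread or the Solidity compiler.
SAMPLE_SOURCE is a constructed contract carrying a bidi override in a comment.
"""
import sys
import unicodedata

# Bidirectional embedding/override/isolate controls used by Trojan Source.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Invisible characters that can hide inside comments or unicode literals.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def scan_source(source):
    """Return (line, column, description) for every suspicious character.
    Bidi controls are the real finding; any other non-ASCII is reported so a
    reviewer can confirm it is a legitimate unicode"..." literal or comment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, f"bidi control U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})"))
            elif ch in ZERO_WIDTH:
                findings.append((lineno, col, f"zero-width U+{ord(ch):04X}"))
            elif ord(ch) > 0x7F:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((lineno, col, f"non-ASCII U+{ord(ch):04X} ({name})"))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample: the RLO in the first comment and the LRI in the second
# reorder how an editor renders the line, while solc parses the raw bytes.
SAMPLE_SOURCE = (
    "pragma solidity ^0.8.0;\n"
    "contract Vault {\n"
    "    mapping(address => bool) isAdmin;\n"
    "    function withdraw(address to) external {\n"
    "        /* only admin \u202e */ if (!isAdmin[msg.sender]) { return; } /* \u2066 */\n"
    "        payable(to).transfer(address(this).balance);\n"
    "    }\n"
    "}\n"
)


def main(paths):
    if not paths:
        findings = scan_source(SAMPLE_SOURCE)
    else:
        findings = [(p, *f) for p in paths for f in scan_file(p)]
    for f in findings:
        print(":".join(str(x) for x in f))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over a repository's `.sol` files in CI and fail the build on any bidi control; non-ASCII hits in `unicode"..."` literals can be allow-listed after a human has looked at them.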
Bitcoin Explained episode explores a July 12th incident on the bitcoin network where a malicious party was flooding the network with fake peer addresses. A recently published whitepaper explores the attack in more detail and how it could be used to map network topology.
Top 10 DeFi Security Best Practices by Chainlink and CertiK
Etherscan released their own token approval checker, a critical tool which can be used to quickly revoke allowances granted to compromised or phishing smart contracts.
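Under the hood a token approval checker replays ERC-20 `Approval` logs to find which spenders still hold a live allowance from your address, then sends `approve(spender, 0)` to each token. The snippet below is an added illustration, not Etherscan's code: it decodes constructed `eth_getLogs`-shaped entries with the standard Approval topic hash and builds the revoke calldata by hand, so the whole thing runs offline.

```python
"""Decode ERC-20 Approval logs into outstanding allowances and build the
approve(spender, 0) calldata that revokes them.

Added illustration, not Etherscan's code. SAMPLE_LOGS are constructed in the
JSON-RPC eth_getLogs shape; the selector and topic hash are the standard
ERC-20 values.
"""

APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
# keccak256("Approval(address owner, address spender, uint256 value)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1


def topic_to_address(topic):
    """Indexed address parameters are left-padded to 32 bytes in topics."""
    return "0x" + topic[-40:].lower()


def outstanding_allowances(logs, owner):
    """Latest non-zero allowance per (token, spender) granted by owner.
    Logs are replayed in chain order, so a later approve(spender, 0) or a
    re-approval overrides an earlier value."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_to_address(topics[1]) != owner.lower():
            continue  # allowance granted by someone else
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): 4-byte selector, address padded to
    32 bytes, then a 32-byte zero amount."""
    addr = spender[2:].lower().rjust(64, "0")
    amount = (0).to_bytes(32, "big").hex()
    return "0x" + APPROVE_SELECTOR + addr + amount


def revoke_plan(logs, owner):
    """(token, spender, allowance, calldata) for every live allowance; the
    transaction goes to `token` with `calldata` as its data."""
    return [(t, s, v, revoke_calldata(s))
            for (t, s), v in outstanding_allowances(logs, owner).items()]


def _topic(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")


# Constructed addresses and logs (hypothetical, not real contracts).
OWNER = "0x" + "11" * 20
DEX_ROUTER = "0x" + "22" * 20     # legitimate spender, later revoked by the owner
PHISH_SPENDER = "0x" + "33" * 20  # contract a phishing site tricked the owner into approving
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20

SAMPLE_LOGS = [
    {"address": TOKEN_A, "blockNumber": 100, "logIndex": 3,
     "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DEX_ROUTER)], "data": hex(MAX_UINT256)},
    {"address": TOKEN_A, "blockNumber": 120, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(PHISH_SPENDER)], "data": hex(MAX_UINT256)},
    {"address": TOKEN_A, "blockNumber": 130, "logIndex": 7,
     "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DEX_ROUTER)], "data": "0x0"},
    {"address": TOKEN_B, "blockNumber": 131, "logIndex": 1,
     "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(PHISH_SPENDER)], "data": "0x3e8"},
]

if __name__ == "__main__":
    for token, spender, value, data in revoke_plan(SAMPLE_LOGS, OWNER):
        tag = "UNLIMITED" if value == MAX_UINT256 else str(value)
        print(f"token {token} spender {spender} allowance {tag}\n  to={token} data={data}")
```

Two caveats a practitioner should keep in mind: the allowance stays live until the revoke transaction is mined, so a malicious spender watching the mempool can still drain the balance in that window, and replaying logs only covers tokens that emit a standard `Approval`; a direct `allowance(owner, spender)` call is the ground truth for anything odd.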
Ethereum Node Crawler by Ethereum Foundation.
TeamTNT mining malware:
OFAC addresses related to Sodinokibi/REvil actors: