BlockThreat - Week 46, 2021
Github | Celo | Nerve | Zenon | Conti
Welcome to BlockThreat!
In this rare week of relative quiet (only 4 DeFi hacks), we can finally kick back and enjoy the amazing research coming out this week. From samczsun’s lecture in the Media section to Elliptic’s DeFi threat report to Proofpoint’s analysis of the North Korean actors, this is the time to sharpen the saw before the next barrage.
From the dodged-a-bullet department, Github patched a vulnerability that let anyone modify arbitrary NPM packages, which covers basically every critical web3 project out there. Another great development is brought to you by Prodaft, whose team hacked into the Conti ransomware group’s infrastructure and wrote an all-revealing exposé on how the group operates from the inside.
The few hacks that did happen this week follow familiar patterns, such as a lack of authentication and validation in critical functions, and forks not paying attention to upstream hacks and getting exploited themselves (tip: subscribe to BlockThreat). One incident that stands out concerns Celo’s Optics bridge, with allegations of an insider taking over a critical contract.
Let’s dive into the news!
A Canadian teenager was arrested in a $46M crypto theft carried out using SIM swapping.
On November 15, 2021 Nerve Bridge lost $585K after a reward manipulation vulnerability was exploited to drain its fUSDT and UST pools. The vulnerability is identical to the one previously exploited on the Synapse Bridge, which is itself a fork of the vulnerable Saddle.Finance. The latter created its MetaPool implementation by translating Curve’s Vyper implementation into Solidity.
On November 20, 2021 Zenon Network’s $1M BNB pool was emptied after an attacker called an unprotected burn function to manipulate the LP price.
On November 21, 2021 Formation Fi lost $100K after an attacker exploited insufficient validation of a fee parameter to empty its USDT wallet.
On November 21, 2021 Celo’s Optics bridge was compromised after an unknown party activated a recovery mode, giving them access to all funds locked in the contract. The cLabs team alleged an insider threat as the likely culprit.
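The Zenon and Formation Fi incidents above are two instances of the same week's theme: a critical function with no caller check, and a parameter with no validation. As an added illustration (not code from Zenon Network, Formation Fi or any other project in this issue), the following shows both defect classes in a minimal LP token beside a hardened counterpart: a burn() anyone can call, which lets a caller shrink totalSupply and with it move the per-token price, and a fee setter with neither access control nor an upper bound. Contract and function names, the deposit/withdraw logic that is omitted, and the 10% fee cap are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration; not code from Zenon Network, Formation Fi or any
// other project in this issue. Deposit/withdraw logic is omitted so the two
// defects stand out. All names here are hypothetical.

// Both defects in one minimal LP token.
contract UnprotectedLP {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public reserve;  // underlying asset held by the pool
    uint256 public feeBps;   // fee in basis points; 10000 == 100%

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Defect 1: no check that msg.sender is `from` or an approved operator,
    // so any caller can burn anyone's LP tokens and shrink totalSupply.
    function burn(address from, uint256 amount) external {
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    // Defect 2: no access control and no upper bound on the fee.
    function setFee(uint256 newFeeBps) external {
        feeBps = newFeeBps;
    }

    // Per-token price is reserve / totalSupply, so a burn the caller
    // controls moves the price without any reserve changing hands.
    function pricePerToken() external view returns (uint256) {
        return totalSupply == 0 ? 0 : (reserve * 1e18) / totalSupply;
    }
}

// Hardened counterpart: burn is limited to the holder or an approved spender,
// setFee is owner-only and capped, and changes are logged for monitoring.
contract HardenedLP {
    address public immutable owner;
    uint256 public constant MAX_FEE_BPS = 1000; // 10% ceiling, chosen for this example

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    uint256 public reserve;
    uint256 public feeBps;

    event FeeChanged(uint256 oldFeeBps, uint256 newFeeBps);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // Only the holder, or a spender the holder approved, may burn.
    function burn(address from, uint256 amount) external {
        if (msg.sender != from) {
            uint256 allowed = allowance[from][msg.sender];
            require(allowed >= amount, "insufficient allowance");
            allowance[from][msg.sender] = allowed - amount;
        }
        balanceOf[from] -= amount; // reverts on underflow in Solidity 0.8+
        totalSupply -= amount;
    }

    // Owner-only, bounded, and emits an event a monitoring rule can alert on.
    function setFee(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        emit FeeChanged(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    function pricePerToken() external view returns (uint256) {
        return totalSupply == 0 ? 0 : (reserve * 1e18) / totalSupply;
    }
}
```

The review question for any state-changing function is the same in both cases: who may call it, and what range of values may it accept. The event on setFee is there so that an off-chain monitor can alert on a fee change from an unexpected sender or to an unexpected value, which is the kind of signal a fork inheriting upstream code (the other pattern noted this week) should have in place before the upstream hack is repeated against it.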
Reports of ongoing Binance Smart Chain syncing issues, which significantly reduce the network’s decentralization.
Enzyme Finance patched an undisclosed critical vulnerability in its vaults after receiving a notification from a third party.
Github fixed a vulnerability that could allow anyone to update any NPM package without authorization.
OpenZeppelin fixed a supply calculation bug in ERC1155Supply.
Do You Trust Links? Well, You Probably Shouldn’t by Harry Denley (MyCrypto) reveals a new scam that abuses click-through domain detection on Twitter, Facebook, and other social media platforms for phishing attacks.
The SharkBot report by Cleafy reveals details of an Android trojan targeting banking and cryptocurrency accounts.
Elliptic’s DeFi: Risk, Regulation, and the Rise of DeCrime report identifies significant growth in DeFi losses due to theft and fraud, with $10.5B lost this year alone.
The Conti ransomware group was hacked by Prodaft’s Threat Intelligence team, which collected a treasure trove of indicators, tactics, and an inside view into the operations of the group.
The IRS Criminal Investigation unit published its 2021 report, which notes several crypto-related cases such as the seizure of $1B from Individual X in 2020, the Bitcoin Fog arrest, the Microsoft gift card scheme, and others. The Cyber Crime unit has also posted a total of $3.5B in crypto since its founding in 2015.
Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals by Proofpoint explores one of the major threats to crypto exchanges and, now, DeFi projects.
Stellarfund Scam by TRM dives into an on- and off-chain investigation tracking multiple Ponzi campaigns.
Evil Corp: 'My hunt for the world's most wanted hackers' by Joe Tidy (BBC)
Crosschain Security Guidelines 1.0 by Enterprise Ethereum Alliance.