BlockThreat - Week 46, 2021

Github | Celo | Nerve | Zenon | Conti

Welcome to BlockThreat!

In this rare week of relative quiet (only 4 DeFi hacks), we can finally kick back and enjoy amazing research coming out this week. From samczsun’s lecture in the Media section to Elliptic’s DeFi threat report to Proofpoint’s analysis of the North Korean actors this is the time to sharpen the saw before the next barrage.

From the dodged the bullet department, Github patched a vulnerability that let anyone modify arbitrary NPM packages which is basically every critical web3 project out there. Another great development is brought to you by Prodaft which hacked into Conti ransomware group infra and wrote an all revealing expose on how the ransomware group operates from the inside.

The few hacks that did happen this week follow a familiar patterns such as lack of authentication and validation in critical functions, and forks not paying attention to upstream hacks and getting exploited themselves (tip: subscribe to BlockThreat). One incident that stands out is concerning Celo’s Optics bridge with allegations of an insider taking over a critical contract.

Let’s dive into the news!

News

Hacks

  • On November 15, 2021 Nerve Bridge lost $585K after a reward manipulation vulnerability was exploited to drain fUSDT and UST pools. The vulnerability is identical to the one previously exploited on the Synapse Bridge which itself a fork of vulnerable Saddle.Finance. The latter created a MetaPool implementation by translating Curve’s Vyper implementation into Solidity.

  • On November 20, 2021 Zenon Network $1M BNB pool was emptied after an attacker called an unprotected burn function to manipulate the LP price.

  • On November 21, 2021 Formation Fi lost $100K after an attacker exploited insufficient validation of the fee parameter to empty USDT wallet.

  • On November 21, 2021 Celo’s Optics bridge was compromised after an unknown party activated a recovery mode giving them access to all funds locked in the contract. cLabs team alleged insider threat as a likely culprit.

Other Incidents

Vulnerabilities

Scams

Malware

  • SharkBot report by Cleafy reveals details of an Android trojan targeting banking and cryptocurrency accounts.

Media

Research

Premium Content

Indicators

This post is for paid subscribers