BlockThreat - Week 11, 2022
Hubspot | Unchained | Deus DAO | Hundred Finance | Agave | Discord
Not the best week in blockchain security. More than $16M was stolen this week across DeFi projects on the Ethereum, Fantom, Gnosis, and BSC chains. Price oracle manipulation, reentrancy, unsafe math, and the other vulnerabilities behind these hacks are nothing new, which makes these losses all the more unnecessary. The Hubspot and Unchained PII compromises will likely result in another spike of spear phishing attacks targeting cryptocurrency users.
Scammers are also having a feast, compromising more than a dozen NFT Discord channels and spamming them with fake airdrops while devising ever more elaborate schemes such as spoofed transaction event logs. Romance scam artists have also picked up their pace with fake iOS crypto apps installed through the Apple TestFlight and TF Signature vectors.
Be careful out there!
Enjoy reading BlockThreat? Help support this project by donating in the latest Gitcoin R13 round:
Also, consider becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Blockchain Hackers Meetup VIII on March 24, 2022 in Barcelona, Spain.
Stolen funds from the 2017 Parity multisig wallet hack are on the move.
‘Spoof’ Tokens on Ethereum by Harith Kamarul discusses a variation of an airdrop scam using spoofed tx events.
NFT Scams and Pitfalls by nftnerds.
On March 15, 2022 Deus DAO lost $3M with a classic oracle manipulation attack.
On March 16, 2022 Unchained Capital, a crypto financial services provider, disclosed a third-party email marketing platform compromise resulting in the theft of customer PII including email addresses and usernames.
On March 17, 2022 the APE DAO airdrop reward mechanism was manipulated to mint tokens worth $500K.
On March 18, 2022 HubSpot, a popular marketing platform, disclosed a compromise of its admin panel which granted attackers access to PII data for customers of BlockFi, Circle, Swan Bitcoin, Pantera Capital, NYDIG, and other cryptocurrency related businesses.
On March 20, 2022 Umbrella Network lost $700K as a result of an underflow in its withdraw function.
On March 20, 2022 Li Finance lost $600K due to insufficient checks on external function permissions.
Nomadic Labs patched a transaction malleability flaw in the Tezos Sapling protocol.
Optimistic time-travel by Yoav Weiss discusses two attack classes on optimistic rollups.
Optimism Infinite Money Duplication Bugfix Review by Immunefi.
How do trusted setups work? by Vitalik Buterin.
A fascinating timeline of MEV bots duking it out by @bertcmiller.
Scam token obfuscation trickery by BlockSec.
Smart Contract Sanctuary by tintin.