BlockThreat - Week 11, 2022
Hubspot | Unchained | Deus DAO | Hundred Finance | Agave | Discord
Hey folks,
Not the best week in blockchain security. More than $16M was stolen this week across DeFi projects on the Ethereum, Fantom, Gnosis, and BSC chains. Price oracle manipulation, reentrancy, unsafe math, and the other vulnerabilities behind these hacks are nothing new, which makes the losses all the more unnecessary. The Hubspot and Unchained PII compromises will likely result in another spike of spear phishing attacks targeting cryptocurrency users.
Scammers are also having a feast, compromising more than a dozen NFT Discord channels and spamming them with fake airdrops, while coming up with ever more elaborate schemes such as spoofed transaction event logs. Romance scammers have also picked up their pace, pushing fake iOS crypto apps installed through Apple TestFlight and TF Signature.
Be careful out there!
Enjoy reading BlockThreat? Help support this project by donating in the latest Gitcoin R13 round:
Also, consider becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Events
Blockchain Hackers Meetup VIII on March 24, 2022 in Barcelona, Spain.
News
Senator Elizabeth Warren introduces bill targeting Russian crypto use amid sanctions.
Stolen funds from the 2017 Parity multisig wallet hack are on the move.
Razzlekhan: The Untold Story Of How A YouTube Rapper Became A Suspect In A $4 Billion Bitcoin Fraud.
Scams
US Justice Department Returns Stolen Bitcoin to Victim of Government Imposter Scam.
‘Spoof’ Tokens on Ethereum by Harith Kamarul discusses a variation of the airdrop scam that uses spoofed transaction events.
NFT Scams and Pitfalls by nftnerds.
A barrage of NFT Discord channels was compromised to advertise fake airdrops, with a whopping $800K stolen from Rare Bears users.
Hacks
On March 15, 2022 Deus DAO lost $3M with a classic oracle manipulation attack.
On March 15, 2022 Hundred Finance and Agave were both exploited through a reentrancy vulnerability, losing $6.2M and $5.5M respectively.
On March 16, 2022 Unchained Capital, a crypto financial services provider, disclosed a compromise of its third-party email marketing platform resulting in the theft of customer PII, including email addresses and usernames.
On March 17, 2022 the APE DAO airdrop reward mechanism was manipulated to mint tokens worth $500K.
On March 18, 2022 HubSpot, a popular marketing platform, disclosed a compromise of its admin panel which granted attackers access to PII of customers of BlockFi, Circle, Swan Bitcoin, Pantera Capital, NYDIG, and other cryptocurrency related businesses.
On March 20, 2022 Umbrella Network lost $700K as a result of an integer underflow in its withdraw function.
On March 20, 2022 Li Finance lost $600K due to insufficient checks on external function permissions.
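Two of this week's hacks came down to the ordering of a withdraw function: paying out through an external call before the caller's balance is updated lets the recipient re-enter and drain the stale balance. The model below is an added illustration of that generic pattern and its two standard fixes (checks-effects-interactions and a reentrancy guard); it is not code from Hundred Finance, Agave, or this newsletter, and the Vault, Depositor, Attacker classes and the run_attack helper are constructed for the example, with balances as plain ints rather than wei.

```python
"""Toy model of a reentrant withdraw() and two fixes.

Constructed example: a vault that credits depositors and pays them out via an
external call that hands control to the recipient (the EVM fallback/receive
hook). Python exceptions stand in for reverts; no real chain is involved.
"""


class Revert(Exception):
    """Stands in for an EVM revert of the current call."""


class Vault:
    """Holds depositor balances and pays out via an external call."""

    def __init__(self):
        self.balances = {}     # depositor -> credited amount
        self.pool = 0          # funds actually held by the contract
        self.locked = False    # state of the reentrancy guard

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, who, amount):
        # The interaction: control passes to the recipient's receive hook.
        if amount > self.pool:
            raise Revert("vault cannot cover transfer")
        self.pool -= amount
        who.receive(self, amount)

    def withdraw_vulnerable(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise Revert("nothing to withdraw")
        self._send(who, amount)       # interaction first ...
        self.balances[who] = 0        # ... effect last: a re-entrant call still sees the old balance

    def withdraw_cei(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise Revert("nothing to withdraw")
        self.balances[who] = 0        # effect first, so a re-entrant call sees 0 and reverts
        self._send(who, amount)

    def withdraw_guarded(self, who):
        if self.locked:
            raise Revert("reentrant call")
        self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                raise Revert("nothing to withdraw")
            self._send(who, amount)   # same bad ordering as the vulnerable version ...
            self.balances[who] = 0    # ... but the lock rejects the nested call
        finally:
            self.locked = False


class Depositor:
    """Passive depositor: receiving funds has no side effect."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker(Depositor):
    """Re-enters the chosen withdraw function from its receive hook."""

    def __init__(self, method):
        super().__init__()
        self.method = method
        self.reentries = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.pool >= amount:          # keep going while the vault can still pay
            try:
                getattr(vault, self.method)(self)
                self.reentries += 1
            except Revert:
                pass                      # nested call reverted: the attack stops here


def run_attack(method, victim_funds=9, attacker_funds=1):
    """Runs one attack against a fresh vault; returns (attacker got, pool left, re-entries)."""
    vault = Vault()
    victim, attacker = Depositor(), Attacker(method)
    vault.deposit(victim, victim_funds)
    vault.deposit(attacker, attacker_funds)
    getattr(vault, method)(attacker)
    return attacker.received, vault.pool, attacker.reentries


if __name__ == "__main__":
    for m in ("withdraw_vulnerable", "withdraw_cei", "withdraw_guarded"):
        got, left, n = run_attack(m)
        print(f"{m:20s} attacker got {got}, pool left {left}, re-entries {n}")
```

With a 9-unit victim deposit and a 1-unit attacker deposit, the vulnerable ordering lets the attacker walk away with all 10 units after nine nested calls, while either fix limits the attacker to its own 1 unit. The guard alone works here, but checks-effects-interactions is the fix to prefer because it does not depend on every entry point remembering to take the lock.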
Vulnerabilities
Nomadic Labs patched a transaction malleability flaw in the Tezos Sapling protocol.
Malware
Media
How to Foundry with Brock Elmore.
Web3 Security: The Blockchain is Your SIEM by Tal Be’ery.
Research
Optimistic time-travel by Yoav Weiss discusses two attack classes on optimistic rollups.
Optimism Infinite Money Duplication Bugfix Review by Immunefi.
How do trusted setups work? by Vitalik Buterin.
A fascinating timeline of MEV bots duking it out by @bertcmiller.
Extorsionware: Exploiting Smart Contract Vulnerabilities for Fun and Profit.
Scam token obfuscation trickery by BlockSec.
Smart Contract Sanctuary by tintin.