BlockThreat - Week 13, 2022
Ronin | Inverse | Mailchimp | Lazarus | Voltage | Rari | Discord
Hello readers!
Grab a large cup of coffee, because this is one heck of an edition! This week you will learn about a new record in DeFi hacks where a bridge lost $625M and didn’t even notice it missing for almost a week! The $1B hack doesn’t seem too far off. DeFi attackers are getting smarter by working around MEV bots while crafting exploits. NFT space got slammed with fake airdrops after scammers exploited flaws in multiple Discord bot extensions. Yet another 3rd party compromise (Mailchimp) continues fueling the phishing machine. From trojanized mobile wallet apps to fake crypto trading apps, Lazarus and other groups continue their hunt for your precious seed phrases. Be safe out there and stay informed!
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to support the newsletter and unlock the premium section with indicators, special reports, and searchable newsletter archives.
News
EU draft law adds security checks to all crypto transactions.
$540 Million Worth of 'Sleeping Bitcoins' From 2014 Move — BTC Possibly Linked to Cryptsy Theft.
Ex-Employee Claims Liquid Global Exchange 'Scapegoated' Her for $90M Hack.
Phishing
Fake Trezor data breach emails used to steal cryptocurrency wallets following the MailChimp compromise.
Ongoing phishing campaign using Discord’s QR login codes.
Nine NFT Discord servers compromised (including BAYC) using a recently introduced vulnerability in a popular Discord bot extension.
The Strange Details of the ApeCoin Twitter Scam from One Unlucky Victim of fake airdrops using hacked Twitter accounts.
Scams
Update on Ukrainian Crypto Donations by TRM documents scammer campaigns trying to profit from the war.
Hacks
On March 23, 2022 Ronin Network lost $625M after an attacker compromised 5 of its validators and generated valid transaction signatures. Some of the stolen funds were deposited to the FTX, Huobi and Crypto.com exchanges. The massive hack was only noticed 6 days later, after a user reported trouble withdrawing from the bridge.
On March 26, 2022 Mailchimp lost mailing lists for 102 cryptocurrency related customers after bad actors got access to an internal tool by social engineering employees. Attackers used collected data to send phishing emails.
On March 29, 2022 Auctus Options beta contract lost $726K due to an exposed internal function.
On March 29, 2022 BasketDAO lost $1.2M due to a parameter injection vulnerability in its BMIZapper contract.
On March 31, 2022 Voltage Finance lost $4.67M after a reentrancy vulnerability was exploited on the Fuse chain.
On April 1, 2022 multiple NFT Discord channels were compromised and users were phished after vulnerabilities were discovered in several Discord bots.
On April 2, 2022 Inverse Finance lost $15.6M as a result of a price oracle manipulation vulnerability. Interestingly, the attacker carefully manipulated two separate token pairs to avoid MEV bots. Even more interestingly, the Vee Finance attacker started moving funds to Tornado Cash around the same time as the Inverse Finance attacker, indicating a possible correlation.
On April 2, 2022 Phantasma Chain private key compromise allowed attackers to mint large amounts of SOUL and KCAL tokens.
Vulnerabilities
Rari Capital patched a critical reentrancy vulnerability thanks to responsible disclosure by samczsun, Hubert Ritzdorf, Yannis Smaragdakis, and Dedaub.
Tendermint fixed a race condition which allowed one to bypass faucet withdrawal limits after it was responsibly disclosed by CredShield.
Stargate Finance patched an unknown vulnerability in its bridge contract after it was responsibly disclosed by samczsun.
Profanity, an Ethereum vanity address generator, uses an insecure random number generator parameter, which could allow private keys to be brute forced.
Redacted Cartel patched a critical vulnerability in its implementation of transferFrom function after it was responsibly disclosed by Tommaso Pifferi.
Jet patched an arbitrary account withdrawal vulnerability after it was responsibly disclosed by Charlie You.
Reports of an account spoofing vulnerability on OpenSea by minting to and transferring from a verified account.
Malware
Lazarus Trojanized DeFi app for delivering malware by Kaspersky.
Crypto malware in patched wallets targeting Android and iOS devices by ESET.
Probing the Activities of Cloud-Based Cryptocurrency-Mining Groups by TrendMicro.
Verblecon: Sophisticated New Loader Used in Low-level Attacks by Symantec.
Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers by Sophos.
Media
Trust No One: The Hunt for the Crypto King - a Netflix documentary on the mysterious death of QuadrigaCX’s founder.
Security in the NFT space - Forta’s biweekly security session.
Research
Verifying BokkyPooBah’s DateTime library using z3, cvc4, and SMTChecker.
Solving ParadigmCTF's JOP 🦘 & Why Foundry is OP for CTFs by plotchy.
Cross-Contract Reentrancy Attack by Inspex.
Accessing Private Data by SlowMist.
The Hitchhiker's guide to war rooms and smart contract security incidents.
Extracting Godl [sic] from the Salt Mines: Ethereum Miners Extracting Value.
Measuring Miner Decentralization in Proof-of-Work Blockchains.
Tools
PeckShieldAlert Chrome browser extension to automatically alert users if they visit a phishing site.
Premium Content
Indicators
BAYC Discord Attacker
Ethereum: 0xad7f0a2427f93bc8fc178a73ae0d2d188682884f
Inverse Finance Attacker
Ethereum: 0x117c0391b3483e32aa665b5ecb2cc539669ea7e9
Ethereum: 0x8b4c1083cd6aef062298e1fa900df9832c8351b3