BlockThreat - Week 15, 2022
Lazarus | Rarible | Beanstalk | Elephant | CreatFuture | FilDA
Hey folks!
This week Virgil Griffith goes to jail for 5 years. Did he really teach North Korea anything new that helped them pull off the largest DeFi hack in history? Rarible patched not one but two XSS vulnerabilities that could allow token theft. A relatively rare but dangerous governance attack succeeded against Beanstalk Farms. Oh, and be sure to disable iCloud backups for your wallets: a new phishing campaign is going around.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to support the newsletter and unlock the premium section with indicators, special reports, and searchable newsletter archives.
Events
Secureum TrustX - April 21-22 in Amsterdam and live streamed.
News
North Korea’s Lazarus Group identified as the attackers behind the massive $625 Million Ronin theft, following the addition of the theft address to the OFAC list by the U.S. Treasury.
Virgil Griffith sentenced to 5 years for conspiracy to assist North Korea in evading sanctions.
Tornado Cash started banning OFAC sanctioned addresses on their Dapp. The ban does not apply to anyone using smart contracts directly.
Russia Arrests Alleged Co-Founder of World’s Largest Darknet Marketplace.
Losses From Security Incidents Reach Around $1.2 Billion by Beosin.
Scams
Discord scammer used a fake NFT marketplace to steal users’ NFTs.
Fraud, climate change and ‘pig butchering’ – welcome to the dark side of cryptocurrency.
Phishes
Ongoing phishing campaign targeting users’ MetaMask backups stored in iCloud. At least $650K was already stolen using this technique.
Hacks
On April 11, 2022 CreatFuture lost $1.9M due to a misconfiguration that allowed anyone to transfer funds.
On April 12, 2022 Elephant Money lost $22.2M due to a classic price oracle manipulation attack with a flash loan.
On April 12, 2022 FilDA lost $1.67M after a reentrancy vulnerability was exploited against ERC677 tokens.
On April 14, 2022 Rikkei Finance lost $1.1M after an exposed function was used to change the price oracle.
On April 16, 2022 Moonbirds NFT lost a number of tokens to someone gaming the raffle with a large number of wallets.
On April 16, 2022 FaceDAO lost $360K in a social engineering attack where a deployer was tricked into approving multiple transactions.
On April 17, 2022 Beanstalk Farms governance was subverted using a flash loan which resulted in the loss of $182M. The attackers have also sent another $250K to a Ukrainian donation address.
Vulnerabilities
Rarible fixed an XSS inside a malicious NFT that could be used to steal arbitrary tokens from users after it was responsibly disclosed by CheckPoint Security.
Rarible also fixed an XSS in the user profile page after it was responsibly disclosed by Palisade Consulting.
Mass-Disclosure of Griefing Vulnerabilities by Yannis Smaragdakis (Dedaub), Damian Rusinek (SecureRing), and Paweł Kuryłowicz (SecureRing).
Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK by Jim Miller (Trail of Bits).
Analysis of ERC721R Protocol Vulnerability by TriathonLab.
Research
Fundraising Campaigns for ISIS Families by TRM Labs.
Beware of Undefined Behavior! — Underhanded Solidity Contest Winner 22 by ChainSecurity.
The $15b Convex Vulnerability — A Lesson on the Importance of Efficient Process Quality by DeFi Safety.
Solidity by Example has code snippets of known vulnerable code.
Blockchain security guide by Wufflz contains a nice collection of security tutorials including a complete listing of the first Secureum Bootcamp.
Tools
Premium Content
Indicators
FaceDAO Compromise
Ethereum: 0xaaaa3467ca1f70494ca8b821eef3e34de2c139e5