BlockThreat - Week 20, 2023
Tornado | Swaprum | Ledger | Trezor | KeePass
This week features concerning news about hardware wallets. Ledger is planning to add a feature which can extract private keys great for backups and government subpoenas while security researchers are dissecting circulating maliciously backdoored Trezor wallets. If that didn’t get you worried, then you should immediately upgrade your KeePass software because a public PoC was published to extract your master password from memory.
The one notable exploit this week involved an attack on Tornado Cash’s governance staking contract. Previous governance attacks involved either forced votes using flashloans (e.g Beanstalk) or simply submitting a malicious proposal and hoping that no one would notice. However, this exploit is the first known governance attack using a metamorphic contract or “Wild Magic” as described by Jason Carver back in 2019 to trick DAO’s governance. While the total compromised amount is only average ($3.2m stolen), the hack opens a pandora’s box for other governance protocols which should be on a lookout for any proposals that can self-destruct or otherwise modify their behavior.
Detailed indicators for the above and other incidents this week are available in the premium section below.
On the bright side, this edition features far more patched vulnerabilities and research papers than hacks which I hope you can use to strengthen your defenses.
Let’s dive into the news!
Ledger Crypto Wallet Under Fire Over Seed Phrase Recovery Service. The incident raised questions about trust assumptions made on hardware wallets.
Ongoing permit phishing attack nets bad actors $37m+ on Ethereum.
Reports of a new phishing scam on Discord targeting crypto ecosystem.
Swaprum pulled a $3m rug on Arbitrum.
On May 20, 2023 Tornado Cash DAO lost $3.2m as a result of a governance attack using a metamorphic proposal. Interestingly, the DAO detected one of the exploit preparation steps but failed to find the malicious proposal.
On May 19, 2023 AAVEv2 on Polygon broke WETH, WBTC, USDT, and WMATIC pools as a result of a governance proposal compatibility issues specific to the Polygon network deployment.
KeePass vulnerability allows attackers to access the master password. A PoC master password dumper is now publicly accessible.
Zellic reported a critical vulnerability in all Move-based L1 including Aptos, Sui, Starcoin, and 0L. The vulnerability allowed attackers to bypass locals safety and reference verifier a critical control ensuring flash loans are paid back.
Ethereum network patched a responsibly disclosed vulnerability which could trick a node into syncing with a malicious chain called SNaP Attack by its creators.
Stride chain patched a vulnerability in how it interacted with untrusted IBC packets which could allow funds theft. The vulnerability was responsibly disclosed by Jump security researcher Neeraja Jayakumar.
Critical vulnerabilities reported in Morpho Labs and a minor in AAVEv3 by StErMi.
Kucoin patched an information leak vulnerability in their Zendesk API which included PII, session tokens, and other critical data thanks to a responsible disclosure by Corben. Kucoin paid a $5k bounty for this which sets their value for their users’ data.
EOS patched a critical vulnerability in EOS EVM which could allow draining of the the EOS EVM contract.
Yield Protocol disabled the protocol following a responsible disclosure of a vulnerability in their strategy contracts.
Enzyme Finance patched a privilege check vulnerability thanks to a responsible disclosure by rootrescue.
Case study: fake hardware cryptowallet by Kaspersky dissects a sample backdoored Trezor Model T.
Optimizing a 51% Attack with Justin Drake.
All about Smart Contract & DApp Auditing with Oliver (Zellic).
How to not get hacked and other security lessons learned with Riyaz Faizullabhoy and Nass Eddequiouaq (a16z).
Smart Contract Auditing with 0xWeiss.
yAcademy Block V Speakers:
6 security sins of Web3 bridges by Damian Rusinek.
Market Manipulation vs. Oracle Exploits by Chainlink.
How To Find XSS Vulnerabilities In NFT Marketplaces by Immunefi.
The Notorious B.U.G. 👑 Digests January - March 2023 by OpenZeppelin.
Velas Infinite Mint PoC by Oren Yomtov.
Smart Contracts Audits Checklist by tamjid0x01.
Exploring Solodit — The Smart Contract Auditor Swiss Army Knife by Johnny Time.
Smart Contract Security by Jeffrey Scholz (RareSkills).
List of Hardware Wallet Hacks by TheCharlatan.
Uniswap Governance Seatbelt tools that make on-chain governance safer, including automated scripts that apply checks to live proposals to allow for better informed voting.
Pyrometer Beta Release a tool to assist in verifying Solidity functions do what the developer thinks they do.
Sourcegraph Smart Contract Sanctuary by tincho.
Ziion 23.2 Release by Halborn.
Echidna 2.2.0 Release by Crytic.
Solodit smart contract audit report repository.
Contract Diff Tool by x48115.
Online ABI Encoder by HashEx.
Function Selector Miner by Kaden Zipfel.
Solidity Sandbox by maurelian.