BlockThreat - Week 23, 2022
Elrond | Wintermute | Osmosis | ApolloX | Gym | Do Kwon
Unfortunately the peace and quiet did not last long. More than $150M was stolen from various projects this week, including a genuinely rare virtual machine exploit in Elrond that was used to steal $113M from Maiar DEX. Many of these exploits should not have happened at all, like Wintermute's wallet hijacking, caused by the team forgetting to deploy a contract, or a critical Osmosis vulnerability simply posted on Reddit for all to see and exploit. Luckily a good portion of the stolen assets from these and other hacks was recovered, but luck is not a reliable security control.
In this week's news we witnessed the first-of-its-kind restraining order served via NFT, Reuters published a damning article about Binance, and Do Kwon appears to have liquidated billions in assets prior to Luna's crash.
As we get deeper into the bear market, security often suffers as projects take shortcuts to survive: forgoing audits, taking on more risk, or simply becoming complacent. Unfortunately this only accelerates their demise while adding to the already staggering $1.8B in losses this year. Stay resilient and stay safe!
How crypto giant Binance became a hub for hackers, fraudsters and drug traffickers: the Reuters report alleges that $2.35B in illicit funds was laundered through the exchange, to which Binance responded with a blog post detailing its exchanges with the Reuters reporters.
Reports of Do Kwon cashing out $2.7B before the Luna crash.
El Universal's Twitter account was hacked to spread an NFT scam.
On June 5, 2022 the Elrond blockchain virtual machine was exploited, giving attackers control over arbitrary contracts. The attackers used the flaw to drain $113M from Maiar DEX, most of which was recovered by the dev team.
On June 6, 2022 ApolloX lost $2.1M as a result of a signature verification vulnerability.
On June 7, 2022 Gym Network lost $2.1M when insufficient function access controls were exploited to create fake deposits.
On June 7, 2022 Equalizer Finance lost $72K in an exploit targeting its flash loan services.
On June 9, 2022 Wintermute lost $27.6M in tokens airdropped to it by Optimism. Wintermute had supplied a multisig address that existed on Ethereum mainnet but had not been deployed on Optimism, and then failed to deploy a contract at that address to retrieve the funds. Because a contract address is derived only from the deployer and its nonce, an attacker was able to deploy a contract they controlled at that same address on Optimism and claim the dormant assets. Luckily the attacker returned most of the stolen funds and claimed a bounty.
On June 10, 2022 Treasure Swap lost $1.1M due to a missing constant-product (k-value) invariant check.
OpenSea fixed a critical vulnerability in Wyvern Protocol which could allow theft of WETH from users’ wallets thanks to a bug report by Gus.
Electrum Wallet and its forks fixed a URL injection vulnerability that could leak SMB authentication tokens, thanks to a responsible disclosure by Frank Davidson.
Sense Finance patched a critical vulnerability that could allow oracle price manipulation thanks to a responsible disclosure by Violet Vienhage.
Siren Markets patched a block stuffing vulnerability thanks to a report by Joran Honig.
Aurora fixed an infinite spend bug thanks to a responsible disclosure by pwning.eth.
Solana patched an rBPF bug that could have caused a network split after it was responsibly disclosed by the BlockSec team.
More EVM Puzzles Solutions Part 3 by patrickd.