BlockThreat - Week 24, 2022
Inverse | FSwap | Solana | OpenSea | Metamask
Dear readers,
Just a couple of exploits this week all using classic price manipulation vectors. What’s more concerning is a recently passed governance vote on the Solana network to essentially seize user’s assets. In the good news department, OpenSea bug bounty program yield two high risk vulnerabilities which were promptly patched. Metamask wallet has been strengthening itself against more traditional web2 vulnerabilities. Oh and be sure to check out the latest Darknet Diaries episode on the NiceHash compromise. Happy father’s day dads, let’s make this world a bit safer for our kiddos!
News
web3rekt database launched keeping track of blockchain incidents and scams dating as far back as 2012.
Cryptocurrency crime and anti-money laundering report by CipherTrace.
Hacks
On June 13, 2022 FSwap lost $390K in a price manipulation attack taking advantage of its fee handling logic.
On June 16, 2022 Inverse Finance lost $1.26M in a price oracle manipulation exploit. Interestingly the exploit TX was almost frontran if not for a boost from an MEV bot.
On June 18, 2022 Tether’s web infrastructure came under DDoS attack following an unsuccessful ransom demand.
Vulnerabilities
OpenSea patched a critical vulnerability which could allow theft of offered WETH from users’ wallets thanks to a responsible disclosure by Gus.
OpenSea patched a vulnerability which could allow sellers to receive payments for Shared Storefront items they did not own. The vulnerability was responsibly disclosed by MevRefund.
Phantom wallet and Metamask patched a vulnerability which could expose secret recovery phrase after it was responsibly disclosed by Halborn.
MetaMask Clickjacking Vulnerability Analysis by SlowMist.
Hertzbleed is a new family of side-channel attacks which may allow attackers to extract cryptographic keys from remote servers.
Contests
Offensive Vyper CTF announcement.
Sol Challenges and Solutions.
Media
Darknet Diaries - EP 119: Hot Wallets on the NiceHash hack by North Korea.
Research
How to Steal User’s Signature in NFT Phishing Attacks by Beosin.
Algorand Rekeying Attacks by Coinspect.
When Invariants Aren’t: DAI’s Certora Surprise by Certora.
A Survey on Ethereum Systems Security: Vulnerabilities, Attacks, and Defenses.
Detecting Exploits Before Funds Are Lost Using Attack Simulation by Forta.
How One “Crypto Drainer” Template Facilitates Tens Of Millions Of Dollars In Theft by Confiant.
Dual-channel Early Warning Framework for Ethereum Ponzi Schemes.
Tools
Tenderly update brings web3 actions, war room aid kit, sandbox, and other features.
ETHLIFT is a set of CLI tools intended to be use by smart contract developers for general tasks not covered at the moment by other CLI tools.