BlockThreat - Week 25, 2022
Horizon | XCarnival | Namecheap | DeFi Saver | Convex | Ribbon
Time and time again, decentralized projects are targeted through their web2 infrastructure. Back in May 2022, a GoDaddy employee was social engineered into handing over the SpiritSwap and QuickSwap domains, and unsuspecting users approved transfers to malicious contracts advertised on evil clones of the original websites. A similar attack occurred this week: someone took over several crypto-related domains hosted at Namecheap and stole at least $250K from website visitors. But it wasn’t only the web2 infrastructure that failed here. The attackers made sure their evil contract addresses matched the first few characters of the legitimate contract addresses, which is enough to fool even experienced crypto users, because most wallets display only the leading and trailing characters of an address when asking for a signature. Popular wallet software otherwise offers little protection when presenting a transaction to sign that originated from yet another compromised website or Discord server. Unfortunately, only a few wallets innovate in this space, but I’m curious to try out ZenGo’s new ClearSign feature, which is supposed to finally make transactions legible.
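The lookalike-address trick behind the Namecheap campaign is easy to reproduce and easy to check for. The following is an added example, not code from the newsletter, ZenGo, or any of the affected projects: a wallet-side check that compares a to-be-signed destination against an allowlist byte-for-byte and flags addresses that match an allowlisted entry only in the characters a wallet would display. The allowlist address, the "fake" address, and the 4+4 truncation format are constructed for the demo.

```python
# Added example (not code from the newsletter, ZenGo or any project named above):
# a wallet-side check that catches "lookalike" contract addresses which match a
# legitimate address only in the leading/trailing hex characters a wallet
# usually displays. All addresses below are constructed for the demo.
import re
from typing import Dict, NamedTuple

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed allowlist: hypothetical address, not a real deployment.
LEGIT_CONTRACTS: Dict[str, str] = {
    "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678": "example protocol router",
}


class Verdict(NamedTuple):
    kind: str    # "exact", "lookalike" or "unknown"
    label: str   # allowlist entry matched or impersonated ("" if none)
    prefix: int  # leading hex chars shared with that entry
    suffix: int  # trailing hex chars shared with that entry


def normalize(addr: str) -> str:
    """Reject anything that is not a 20-byte hex address and lowercase it so
    every comparison is byte-for-byte (EIP-55 case is not a security control)."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def wallet_display(addr: str, head: int = 4, tail: int = 4) -> str:
    """Mimic the truncated 0x1234...5678 rendering most wallets show."""
    a = normalize(addr)
    return f"{a[:2 + head]}...{a[-tail:]}"


def shared_prefix(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shared_suffix(a: str, b: str) -> int:
    return shared_prefix(a[::-1], b[::-1])


def classify(candidate: str, known: Dict[str, str] = LEGIT_CONTRACTS,
             min_prefix: int = 4) -> Verdict:
    """Full-string match wins; otherwise report the allowlisted address the
    candidate most resembles, if it shares at least min_prefix leading chars."""
    c = normalize(candidate)[2:]
    best = Verdict("unknown", "", 0, 0)
    for addr, label in known.items():
        k = normalize(addr)[2:]
        if c == k:
            return Verdict("exact", label, 40, 40)
        p, s = shared_prefix(c, k), shared_suffix(c, k)
        if p >= min_prefix and p + s > best.prefix + best.suffix:
            best = Verdict("lookalike", label, p, s)
    return best


def vanity_work_factor(matched_hex_chars: int) -> int:
    """Expected random key generations needed to collide on k hex characters
    (4 bits each): 16**k. Eight chars is about 4.3 billion, feasible on
    commodity hardware, which is why eyeballing a prefix proves nothing."""
    return 16 ** matched_hex_chars


if __name__ == "__main__":
    legit = next(iter(LEGIT_CONTRACTS))
    fake = "0xa1b2c3d4" + "f" * 28 + "5678"   # constructed lookalike
    print(wallet_display(legit), wallet_display(fake))   # identical on screen
    print(classify(fake))
    print(vanity_work_factor(8))
```

The point of `wallet_display` is that the constructed fake and the legitimate address render identically in the truncated form, so the only defence is a full-string comparison against something the wallet already trusts (an allowlist, a previously used address, or a verified label), never the characters the user can see.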
It’s been just a few months since the massive Ronin Network bridge hack, triggered by multiple private key thefts. The Horizon Bridge hack follows a similar pattern: two private keys of its 2-of-5 multisig were compromised and used to steal $100M worth of tokens. While the investigation is ongoing, the target, attack vectors, and subsequent laundering smell a lot like North Korea. The sad part is that Horizon’s threat model clearly failed when it assumed that two keys could never be compromised at the same time. Ronin failed similarly: it required 5 of 9 validator keys to sign critical transactions but did not ensure those keys were held by distinct entities, so compromising far fewer than five organizations was enough. So if you are a project using a multisig, bump up the minimum approvals and distribute the keys to distinct, trusted entities until you grow enough to have full-blown governance in place. The number that matters is not how many keys must sign but how many independent parties an attacker must compromise to reach that threshold.
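To make the "keys versus entities" point concrete, here is an added example (not code from Harmony, Sky Mavis, or the newsletter) that evaluates a multisig policy by the smallest number of distinct entities whose keys reach the threshold, and enforces that distinctness at approval time. The two scenarios are constructed and only loosely modeled on the pattern described above: a 2-of-5 with independent holders, the same policy hardened to 4-of-5, and a 5-of-9 where one operator controls five keys (one of them by delegation).

```python
# Added example (not code from Harmony, Sky Mavis or the newsletter): measure a
# multisig by the number of *entities* that must be compromised, not the number
# of keys, and enforce that at approval time. Key/owner data is constructed.
from collections import Counter
from typing import Dict, List, NamedTuple


class MultisigPolicy(NamedTuple):
    threshold: int             # signatures required (M in M-of-N)
    key_owner: Dict[str, str]  # key id -> entity that controls it


def min_entities_to_reach_threshold(policy: MultisigPolicy) -> int:
    """Smallest number of distinct entities whose keys together reach the
    threshold: the real attacker cost. Greedy by keys-held is exact here."""
    counts = sorted(Counter(policy.key_owner.values()).values(), reverse=True)
    have = needed = 0
    for c in counts:
        if have >= policy.threshold:
            break
        have += c
        needed += 1
    return needed if have >= policy.threshold else 0  # 0: threshold unreachable


def approve(policy: MultisigPolicy, signing_keys: List[str],
            require_distinct_entities: bool = True) -> bool:
    """Approve only if enough *known, unique* keys signed and, by default, the
    signers span at least `threshold` distinct entities."""
    signers = [k for k in dict.fromkeys(signing_keys) if k in policy.key_owner]
    if len(signers) < policy.threshold:
        return False
    if require_distinct_entities:
        return len({policy.key_owner[k] for k in signers}) >= policy.threshold
    return True


# Constructed scenarios, loosely modeled on the two bridges discussed above.
HORIZON_LIKE = MultisigPolicy(2, {f"key{i}": f"entity{i}" for i in range(1, 6)})
HARDENED = HORIZON_LIKE._replace(threshold=4)
# Nine validator keys, five needed, but one operator effectively controls five.
RONIN_LIKE = MultisigPolicy(5, {
    "v1": "operator", "v2": "operator", "v3": "operator", "v4": "operator",
    "v5": "operator",  # signing delegated to the operator, so not independent
    "v6": "partner_a", "v7": "partner_b", "v8": "partner_c", "v9": "partner_d",
})

if __name__ == "__main__":
    for name, pol in [("2-of-5", HORIZON_LIKE), ("4-of-5", HARDENED),
                      ("5-of-9", RONIN_LIKE)]:
        n = min_entities_to_reach_threshold(pol)
        print(f"{name}: compromising {n} entity(ies) is enough to drain it")
    print(approve(RONIN_LIKE, ["v1", "v2", "v3", "v4", "v5"]))   # False
    print(approve(RONIN_LIKE, ["v1", "v6", "v7", "v8", "v9"]))   # True
```

`min_entities_to_reach_threshold` is the number to report in a threat model: the 5-of-9 policy looks stronger than the 2-of-5 on paper but collapses to a single entity once key ownership is taken into account, and the distinct-entity check in `approve` is what an on-chain or custodial signer would need to refuse that case.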
Every day is a lesson and an opportunity to grow stronger. I have no doubt the blockchain industry will become more and more secure just by how readily available all those lessons are through published research and an occasional post-mortem report. On this note, let’s dive into the news and be sure to check out awesome work by Trail of Bits and other authors in the research section below.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
The Case of the Missing $46 Million by Ethan Lou for Toronto Life dives into the sim swapping attack by a Toronto teen.
BitMart wins arbitration award over July 2021 hack involving a series of 51% attacks on the BSV chain.
The Future of Financial Crime in the Metaverse report by Elliptic.
Hardware Worth $1.9 Million Stolen in Russia’s Crypto Mining Capital.
Crypto Trading Scheme Lost Investors Millions, a fascinating investigative report by Logically.
Blockchain.com, Luno, and Cardano are the most phished crypto projects, according to AtlasVPN.
An in-depth look into the infrastructure supporting the “fake wallet” phishing industry by SlowMist.
Reports of an ongoing phishing campaign targeting NFT artists with malicious .SCR executables disguised as PDF files. Curiously, the attackers padded their malware with junk bytes so it exceeds VirusTotal’s 650MB upload limit, presumably to keep the sample from being submitted for scanning.
Rogue cryptocurrency billboards go phishing for wallets during NFT NYC conference.
On June 18, 2022 Schnoodle lost $112K in a hack that took advantage of an incorrect reward calculation.
On June 20, 2022 Whale Loans lost $12K due to an incorrectly calculated swap reward amount.
On June 22, 2022 Pandora DAO was drained of $128K through price manipulation.
On June 23, 2022 Harmony’s Horizon Bridge lost almost $100M on Ethereum and BSC blockchains as a result of multiple private key compromises.
On June 24, 2022 a Namecheap DNS hijacking campaign was used to target users of DeFi Saver, Convex Finance, Ribbon Finance, and Allbridge. Attackers masked their fake contracts by generating addresses that partially match the legitimate contract addresses, and profited at least $250K from the heist.
On June 25, 2022 Hare Finance lost $15K due to private key compromise.
On June 26, 2022 XCarnival lost $3.8M after an attacker exploited a logic error in the collateral handling mechanism. Negotiations to partially return stolen funds are ongoing.
Alchemix patched a bug in the collateral calculation.
Sense Finance patched a function access control vulnerability thanks to a responsible disclosure by Violet Vienhage.
Bunker Finance patched a function parameter validation vulnerability in its CryptoPunks lending pool thanks to a responsible disclosure by shenwilly.
Chain (XCN) token flash crashed due to a market maker and API error.
CryptoCTF on July 30th, 2022.
Trail of Bits Podcast - Immutable episode on risks of centralization in blockchains.
Malicious Life - The “Cypherpunks” Who Invented Private Digital Money.
Design and Implementation of Scribble Language by Dimitar Bounov (Consensys Diligence).
How to Audit a Smart Contract by Patrick Collins.
Are blockchains decentralized? Unintended Centralities in Distributed Ledgers by Trail of Bits.
A Research Into Vulnerabilities in NFT Platforms Part 1 and Part 2 by Beosin.
MetaMask Demonic Vulnerability Analysis by Slowmist.
Fluxture - a lightweight crawler for peer-to-peer networks such as blockchains. It currently supports the latest version of the Bitcoin protocol, 70015.