BlockThreat - Week 26, 2022
Gandi | Crema | OpenSea | North Korea | Quixotic
Another week and yet another DNS attack, this time tricking Gandi into giving up control over domains serving Polygon and Fantom RPC endpoints. Luckily no funds were lost, but the compromise could have been combined with social engineering or other attacks to cause much more damage.
It is rare to see Solana hacks, but they tend to be a lot more painful, such as the $326M Wormhole or the $50M Cashio compromises. This time Crema Finance would have lost the full $8.8M if not for the trend of hacked projects offering attackers a reward and a promise not to pursue criminal charges in exchange for returning stolen assets. Are these post-hack bounties a forcing function for projects to implement legitimate bug bounty programs?
If you are not already cautiously watching your mailbox following the Mailchimp and HubSpot compromises, you now have one more reason thanks to the recent leak by a Customer.io insider. Unfortunately these leaks will continue to happen, leaving us in a perpetual state of vigilance.
Lastly, a PSA released by the FBI warns of ever more sophisticated attempts by bad actors to gain employment, now using deepfakes and stolen identities!
Let’s dive into the news! Oh, and be sure to check out the new Job Listings section below for exciting opportunities in the blockchain security space.
Paradigm CTF 2022 is scheduled to start on August 20th.
On June 29, 2022 we learned that a malicious insider at Customer[.]io leaked email addresses of registered OpenSea customers.
On June 29, 2022 insufficient function access control was used to steal $115K from the MAD token contract.
On June 29, 2022 Quint lost $130K in a reward manipulation exploit. Interestingly, the developers initially blocked those who reported the compromise.
On July 1, 2022 Quixotic lost $185K after a recently upgraded contract failed to sufficiently validate the function caller, which allowed attackers to force-sell fake NFTs. The attackers exchanged the stolen assets and moved them from Optimism to BSC to take advantage of Tornado Cash.
On July 1, 2022 a social engineering attack on Gandi’s customer service resulted in DNS hijacking of Ankr’s Polygon and Fantom nodes.
On July 3, 2022 Crema Finance initially lost $8.8M due to incorrectly generated rewards that were claimed by an attacker using flash loans. Following the hack, the attacker exchanged the stolen SOL and moved it to the Ethereum network. Luckily the majority of the stolen assets were returned for an $800K reward.
Port Finance fixed a race condition vulnerability that allowed users to withdraw collateral without fully repaying borrowed funds, thanks to a responsible disclosure by nojob.
Hacking a Samsung Galaxy for $6,000,000 in Bitcoin!? by Joe Grand.
DeFi Vulnerability Labs by SunSec.
Rescuing compromised wallets using Flashbots by Santiago Palladino.
The High School Files With t11s by Immunefi.
Fill out the Job Posting Form to share blockchain security opportunities at your company with thousands of BlockThreat subscribers.