Hey folks,
Almost $8.5M were stolen this week across 5 incidents, with the majority coming from just one supply chain incident on the Bittensor network. Let’s take a closer look, but first a quick word from this week’s sponsor - code4rena! They have a contest coming up that is not only fun but also impactful, so be sure to check out the details below:
Are you ready for the most interesting competitive audit of the summer?
Optimism Fault Proofs are ready and will soon be deployed across the Superchain. This is mission critical code that will secure over $15bn in assets.
If you’re interested in learning how fault proofs work and doing your part to secure them, block your calendar for July 15-29.
https://code4rena.com/audits/2024-07-optimism-superchain
A number of Bittensor node operators were compromised after downloading a backdoored package from PyPI in late May. The attackers carefully planned and executed the attack, draining high value wallets in just 9 minutes. Supply chain attacks happen. However, Bittensor’s security team really stood up to the challenge when responding to the incident:
Effective on-chain monitoring. Anomalous transactions detected and war room started within 20 minutes of the attack.
Fast triage. It took the team just 20 minutes to triage the event, determine it’s a real attack, and initiate the incident response process.
Existing incident playbooks. The team knew exactly how to stop the bleeding by putting the chain in the “safe mode”.
Tracking funds. Engaged exchanges to track and freeze stolen funds.
Capable investigators. Successfully narrowed down the victim set and identified the supply chain attack in just a day.
Thorough. Kicked off code reviews of all repos and is not rushing the relaunch.
Great communication. Continuous updates on Twitter, Telegram and Discord throughout the incident and in-depth post-mortems available daily.
The above is probably as good a response as one could hope for. However, in a field where exploits last minutes, human-centric response will often lag behind, while automated response is not yet mature enough to be fully trusted with major on-chain events.
The other concern one might raise with the incident is the centralized control exercised by the Bittensor team. The same issue is frequently raised around Ethereum L2s and side chains. In fact, only a month earlier Linea halted the chain to respond to the $7M Velocore compromise.
It’s a tricky subject with extreme views on both sides of the argument. Building an emergency lever like Bittensor’s “safe mode” to buy precious time for incident responders could actually raise user trust. Centralization risk could be addressed by sufficiently distributing who can pull the lever or, even better, by deploying it as an automated circuit breaker that fires when a critical on-chain invariant is broken (e.g. asset supply just doubled through an unauthorized mint).
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!