BlockThreat - Week 3, 2022
Crypto.com | Crosswise | Multichain
The blocksec industry continues to show signs of maturity with the launch of the DeFi Safety and NFT Security Group organizations to help promote security. Crypto.com suffered an MFA bypass which allowed for multiple account takeovers. Cross-chain protocols continue to report multi-million-dollar losses with billions locked in their contracts. A really neat deanonymization trick was reported using NFTs and common wallet software.
DeFiSafety launched V2 of its website featuring security scores for various projects.
OpenSea launched NFT Security Group with a number of industry participants.
Akamai published a detailed report on the recent Amazon crypto scam.
Solana NFT Project Rug Pulls Investors for $1.3M—Despite Civic 'Verification'.
Reports of multiple YouTube accounts compromised to promote a scam.
On January 17, 2022 Crypto.com reported a loss of $26M as a result of a flaw in its 2FA system coupled with user account takeovers.
On January 17, 2022 Crosswise Finance lost $879K after an unprotected privileged function was used to completely take over the contract.
On January 18, 2022 Multichain (aka Anyswap), a cross-chain bridge protocol, lost $3M as a result of insufficient checks in its token swapping function.
Critical privacy vulnerability — getting exposed by MetaMask explores user deanonymization using specially crafted NFT tokens.
Front-running attack in DeFi applications – how to deal with it? by Jacob Zmyslowski
Insecura my consensus for the Pyrmont network describes a long-range attack against Pyrmont, an ETH2 testnet.
Principal Freezing and Ransom Attacks with MasterChefV2 by onewayfunction.
Under-constrained computation, a new kind of bug by Joran Honig.
Dune Analytics tutorial series, great for on-chain investigators.
Frontrunning Post EIP-3074 by Ghili.
r2cdev has beta Solidity support for all of your static analysis needs.