BlockThreat - Week 31, 2022
Nomad | ZBExchange | Reaper Farm | deBridge | F2Pool
From DeFi and exchange hacks to wallet key leaks and PII theft, it seemed like nothing was safe this week. Every day I was anxiously waiting for yet another major compromise. The Nomad bridge hack was particularly painful as the replayability of the exploit enticed hundreds of copycats to hack away at the treasury. North Korean actors continue their spear phishing campaigns targeting crypto businesses, while a mining pool was caught playing with consensus mechanisms to maximize its profits.
It’s easy to despair when faced with attacks on all sides. However, I invite you to just hang in there, learn the painful lessons from each compromise, and slowly make our ecosystem safer. Because what we are building is worth it.
Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk report by Chainalysis.
Fake MEV contract scam campaign on YouTube.
On August 2, 2022, the ZBExchange hot wallet was emptied of $3.6M.
On August 2, 2022, more than 9000 wallets on the Solana network lost $5.9M, possibly linked to a data leak vulnerability in Slope Wallet, which sent private key data to its Sentry service. It’s still not clear how attackers were able to intercept or obtain that data from Slope’s backend.
On August 4, 2022, deBridge Finance and, earlier, Woo Network were targeted in a spear phishing attack tied to a North Korean actor.
On August 6, 2022, insufficient function access control in GenomesDAO was used to steal $43K.
interBTC Bridge fixed multiple critical funds theft vulnerabilities thanks to a responsible disclosure by Pwning.eth.
NEAR Protocol patched a data leak vulnerability in their wallet thanks to a responsible disclosure by Hacxyk.
Agave Finance fixed an uninitialized proxy vulnerability after it was responsibly disclosed by Hacxyk.
BlueHat IL 2022 - Tal Be'ery & Shalev Keren - Web3 Security: The Blockchain is Your SIEM. Blockchain is your SIEM!
Uncle Maker: (Time)Stamping Out The Competition in Ethereum and the corresponding white paper both point to F2Pool engaging in this consensus attack to reap greater rewards.
How to change your Black Hats into White Hats by Micah Zoltu.
Dark Side of CREATE2 opcode by Jayakumar.
EVM and ELF in one binary.