Greetings!
More than $6.7M was stolen this week across 4 incidents, each with an unusual attack vector. Let’s explore some of the more interesting exploits.
Blockchain-level exploits are not as rare as they used to be. Only last week we covered the $6.7M Casper Network auth bypass hack. This week the infamous Terra network was exploited to steal $6M from Astroport. What’s unfortunate is that the exploit vector was well known and had been patched since April; however, it was reintroduced in the recent upgrade. Here are a few takeaways from the incident:
Short-staffed teams are more likely to take shortcuts during code review, and in blockchain security those shortcuts are deadly.
Cosmos contracts may leak user and compiler information, which is great for investigators! Who is Tuan Pa?
The Cosmos ecosystem appears to have a high incidence of chain-level vulnerabilities.
The Compound Finance governance attack resembles a corporate hostile takeover more closely than a security exploit. It’s still an interesting case study in properly protecting DeFi governance. Without timelocks and execution delays for governance proposals, or a “guardian” role able to veto potentially damaging transactions, the Compound ecosystem could only watch as just a few active participants (57) passed a proposal transferring $25M worth of COMP tokens. Check out AAVE’s governance system, which integrates a number of security controls to protect against similar scenarios.
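To make the two controls mentioned above concrete, here is an added example of a minimal governance timelock with a mandatory execution delay and a guardian veto. It is illustrative code written for this newsletter, not Compound’s or AAVE’s contracts; the contract name, the `governor` and `guardian` roles, the two-day `MIN_DELAY` and the function names are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative governance timelock (added example, not any project's code).
/// Every proposal passed by the governor must sit in the queue for MIN_DELAY
/// before it can be executed, giving token holders and the guardian time to react.
contract GuardedTimelock {
    uint256 public constant MIN_DELAY = 2 days; // assumed delay for the example

    address public immutable governor; // only governance can queue and execute
    address public guardian;           // may cancel queued proposals, nothing else

    // proposal id => earliest timestamp at which it may be executed (0 = not queued)
    mapping(bytes32 => uint256) public readyAt;

    event Queued(bytes32 indexed id, address target, uint256 value, bytes data, uint256 readyAt);
    event Cancelled(bytes32 indexed id, address by);
    event Executed(bytes32 indexed id);

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    constructor(address _governor, address _guardian) {
        require(_governor != address(0) && _guardian != address(0), "zero address");
        governor = _governor;
        guardian = _guardian;
    }

    /// Deterministic id so queue/execute refer to exactly the same call.
    function hashProposal(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    /// Called by governance once a vote passes; starts the delay clock.
    function queue(address target, uint256 value, bytes calldata data, bytes32 salt)
        external onlyGovernor returns (bytes32 id)
    {
        id = hashProposal(target, value, data, salt);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Queued(id, target, value, data, readyAt[id]);
    }

    /// Guardian veto: a queued proposal can be cancelled at any time before execution.
    /// Governance may also withdraw its own proposal.
    function cancel(bytes32 id) external {
        require(msg.sender == guardian || msg.sender == governor, "not authorised");
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id, msg.sender);
    }

    /// Executes only after the delay has elapsed and only if not vetoed.
    /// State is cleared before the external call (checks-effects-interactions).
    function execute(address target, uint256 value, bytes calldata data, bytes32 salt)
        external payable onlyGovernor
    {
        bytes32 id = hashProposal(target, value, data, salt);
        uint256 ready = readyAt[id];
        require(ready != 0, "not queued");
        require(block.timestamp >= ready, "delay not elapsed");
        delete readyAt[id];
        (bool ok, ) = target.call{value: value}(data);
        require(ok, "call failed");
        emit Executed(id);
    }

    /// Lets the guardian step down once governance is mature enough to not need it.
    function renounceGuardian() external {
        require(msg.sender == guardian, "not guardian");
        guardian = address(0);
    }

    receive() external payable {}
}
```

The point of the design is that a treasury transfer like the one in the Compound proposal cannot be queued and executed in the same transaction: `queue` records the earliest execution time, `execute` refuses until it has passed, and `cancel` lets the guardian (or governance itself) kill the proposal during that window. Protected assets should be held by, or only movable through, the timelock contract rather than the governor directly, otherwise the delay can be bypassed.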
The paid version of the newsletter includes detailed indicators and post-mortems for the above incidents, as well as a bad-math exploit in Anzen Finance on Blast, a function-parameter validation bug on Convergence, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!