BlockThreat - Week 32, 2022
Tornado | Curve | Acala | RenBridge | VileRAT
Cryptocurrency projects have faced challenges and attacks for more than a decade now. From the consensus attacks and exchange compromises common in past years to more recent smart contract exploits and scam campaigns, these threats have forced the field to evolve and become more resilient and knowledgeable. This week highlighted two of those persistent threats.
The Curve frontend compromise reminded us of the traditional web2 infrastructure dependencies and their own set of threats, such as DNS and BGP hijacking, website compromises, and others. Incidents like these should incentivize DeFi projects to seek more resilient and decentralized platforms such as IPFS and ENS and to reduce their reliance on centralized infrastructure.
The U.S. and Dutch governments’ sanctions and criminal enforcement actions against Tornado Cash and its developers exposed a regulatory threat. The broad language used to justify the arrest of a developer is concerning, as it may push future projects to work anonymously, lowering trust, increasing scams, and limiting security practices. The sanctions action was a partially successful attempt to exert centralized control over a system specifically designed to resist it. It worked well against law-abiding citizens as well as against centralized entities, and entities previously thought to be decentralized, that were legally compelled to enforce the ban on their centralized infrastructure. Decentralized infrastructure, such as all of the Tornado Cash contracts, continues operating and is sometimes used by the bad guys as before.
Similar fights for the right to privacy have been fought constantly since the dawn of personal computing. From the fight for strong encryption in the 70s and 80s, email privacy in the 90s, and phone privacy in the 2010s to financial privacy in the 2020s, the benefits to society are weighed against the needs of law enforcement and security agencies. I’m optimistic that the trajectory of prioritizing personal privacy and not crippling the entire industry for the sake of catching a few bad apples will continue. However, it will likely take a fight and a new chapter in the Crypto Wars.
Cybersecurity Threats Against the Internet of Experiences by TrendMicro.
Cross-chain Crime: More Than Half a Billion Dollars has Been Laundered Through a Cross-chain Bridge report by Elliptic focuses on the illicit use of RenBridge for money laundering.
The U.S. Treasury added Tornado Cash to the OFAC sanctions list, citing its use by North Korea's Lazarus APT to launder stolen assets from multiple heists.
Tornado Cash Github, Infura and Alchemy RPCs, and domains shut down while Circle froze USDC funds.
Arrest of suspected developer of Tornado Cash in Amsterdam later confirmed to be Alexey Pertsev, one of three core developers.
Only 10% of assets received by Tornado Cash were stolen with the majority coming from DeFi and CEX projects according to Chainalysis.
What is and what is not a sanctionable entity in the Tornado Cash case analysis by Coin Center points to OFAC exceeding its authority.
Tornado Cash Sanctions Are Spiraling Into Compliance Nightmares with many addresses banned after getting dusted with TC funds.
Abusing Google Sites and Microsoft Azure for Crypto Phishing by Netskope.
Scammers In Paris investigation by ZachXBT.
OTC scam using Discord to impersonate accounts.
The plague of NFT Discord server compromises continues with OKHotshot counting 101 hacks in July, 2022 alone.
On August 4, 2022, a malicious insider stole $350K from Velodrome Finance.
On August 9, 2022, the Curve frontend was hit with a DNS cache poisoning attack redirecting users to a malicious contract which stole $575K.
On August 13, 2022, a misconfiguration on the Acala network resulted in $1.3B aUSD getting minted.
Yield Protocol patched a funds theft vulnerability in a new YieldSpace pool.
dYdX patched a free gas vulnerability after it was responsibly disclosed by hacxyk.
OpenZeppelin fixed an ECDSA signature malleability bug.
Sai patched a griefing vulnerability thanks to a report by Sai.
Auditing Crypto Wallets by Kristov Atlas.
TradFi, Meet DeFi: Breaking Down the Economics of DeFi Hacks by Zellic.
Web3 Open-source Tools to Enhance Smart Contract Development Security by SunWeb3Sec.
Saving Bitcoin Private Keys from Courts by Christopher Allen.
A Treatise on Bitcoin Seed Backup Device Design by Jameson Lopp.