BlockThreat - Week 32, 2022
Tornado | Curve | Acala | RenBridge | VileRAT
Cryptocurrency projects have faced challenges and attacks for more than a decade now. From the consensus attacks and exchange compromises common in past years to more recent smart contract exploits and scam campaigns, these threats have forced the field to evolve and to become more resilient and knowledgeable. This week highlighted two of those persistent threats.
The Curve frontend compromise was a reminder that DeFi projects still depend on traditional web2 infrastructure, which carries its own set of threats such as DNS and BGP hijacking, website compromises, and others. Incidents like these should incentivize DeFi projects to seek more resilient and decentralized platforms such as IPFS and ENS and to reduce their reliance on centralized infrastructure.
The U.S. and Dutch governments' sanctions and criminal enforcement actions against Tornado Cash and its developers exposed a regulatory threat. The broad language used to justify the arrest of a developer is concerning, as it may push future projects to work anonymously, lowering trust, increasing scams, and limiting security practices. The sanctions action was a partially successful attempt to exert centralized control over a system specifically designed to resist it. It worked well against law-abiding citizens, as well as against centralized entities and entities previously thought to be decentralized, which were legally compelled to enforce the ban on their centralized infrastructure. Decentralized infrastructure, such as all of the Tornado Cash contracts, continues operating and is sometimes used by the bad guys as before.
Similar fights for the right to privacy have been fought constantly since the dawn of personal computing. From the fight for strong encryption in the 70s and 80s, to email privacy in the 90s, phone privacy in the 2010s and now financial privacy in the 2020s, the benefits to society are weighed against the needs of law enforcement and security agencies. I'm optimistic that the trajectory of prioritizing personal privacy and not crippling the entire industry for the sake of catching a few bad apples will continue. However, it will likely take a fight and a new chapter in the Crypto Wars.
Cybersecurity Threats Against the Internet of Experiences by TrendMicro.
Cross-chain Crime: More Than Half a Billion Dollars has Been Laundered Through a Cross-chain Bridge report by Elliptic focuses on the illicit use of RenBridge for money laundering.
Only 10% of assets received by Tornado Cash were stolen with the majority coming from DeFi and CEX projects according to Chainalysis.
What is and what is not a sanctionable entity in the Tornado Cash case analysis by Coin Center points to OFAC exceeding its authority.
Scammers In Paris investigation by ZachXBT.
OTC scam using Discord to impersonate accounts.
The plague of NFT Discord server compromises continues with OKHotshot counting 101 hacks in July, 2022 alone.
On August 4, 2022 a malicious insider stole $350K from Velodrome Finance.
On August 13, 2022 a misconfiguration on Acala network resulted in $1.3B aUSD getting minted.
Yield Protocol patched a funds theft vulnerability in a new YieldSpace pool.
dYdX patched a free gas vulnerability after it was responsibly disclosed by hacxyk.
OpenZeppelin fixed an ECDSA signature malleability bug.
Sai patched a griefing vulnerability thanks to a report by Sai.
Auditing Crypto Wallets by Kristov Atlas.
Saving Bitcoin Private Keys from Courts by Christopher Allen.
A Treatise on Bitcoin Seed Backup Device Design by Jameson Lopp.