BlockThreat - Week 32, 2023
Zunami | Cypher | Steadefy | Downfall | Zenbleed | Milksad | BitForge
This week featured two critical vulnerability disclosures in wallet software. A widely used Libbitcoin library used by many OG Bitcoin users was found to have a bad PRNG which was already used to steal at least $900k so far. An MPC wallet protocol vulnerability disclosed by FireBlocks is more difficult to exploit (requires admin access), but just as deadly where a rogue admin account may compromise all wallets.
Moving further down the stack, Intel and AMD CPUs were also found vulnerable to leaking secrets (including private keys and passwords) in cloud environments. And yes this affects Intel SGX environment as well. I would update your threat model regarding key storage on your shared nodes and reach out to your cloud provider to ensure they have applied CPU microcode updates.
Almost $5.5m were stolen from various DeFi projects this week with the usual arsenal of price oracle manipulation (Zunami), reward manipulation (Cypher), reentrancy (Earning Farm), and other attack vectors. The private key theft exploit against Steadefi warrants further study as it involved a sneaky spear phishing attack with a malware payload.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, the frivolous lawsuit against ZachXBT was dismissed but at what cost? Identity exposed, stress and distraction from catching bad guys while dealing with the legal system. One thing is for sure that the community is ready and able to rally behind security researchers when needed. May be it’s time for a legal defense fund to protect lesser known researchers and investigators?
Let’s dive into the news!
SEAL 911 - emergency contact to be used for responsible disclosure and web3 incident support ran by a group of whitehats including samczsun.
Hackers used fake job interview to trigger $37M CoinsPaid hack. SentinelOne has previously reported on Operation In(ter)ception to target prospective job application in crypto industry.
North Korean hackers stole over $180 million in crypto during H1 2023: report by Timmy Shen (The Block).
0day vulnerabilities in Intel (Downfall) and AMD (Zenbleed) processors allows attackers to steal encryption keys, passwords, and other sensitive data in multi-user and cloud environments. The vulnerability affects Intel SGX environment.
0day vulnerability in a Libbitcoin used in a popular bx tool allowed generation of new wallets with weak entropy. The vulnerability, named Milksad, was already used to drain $900k+ from Bitcoin and Ethereum wallets.
0day vulnerability in 15+ MPC protocols and wallet providers (BitForge) using GG-18, GG-20, and Lindell17 protocols was disclosed by Fireblocks which could allow attackers with privileged access to drain user funds.
Machi Big Brother (Jeff Huang) withdrew defamation suit against @zachxbt after causing an irreparable damage by exposing researcher’s identity and distracting from investigative work to deal with the lawsuit.
Man charged for facilitating Netwalker ransomware that stole 5,000 bitcoin. The arrest come following take down of “bulletproof” hosting provider, Lolek, by Polish and US authorities.
Reports of scammers advertising fake jobs on crypto job boards to steal crypto.
Inferno Drainer upgrade adds new capabilities to steal ETH, ERC20, NFT assets.
Rugpull perpetrated (now former) Uniswap employee to steal 14 ETH.
What Is a Crypto Rug Pull? – DeFi Exploits Explained by De.Fi Security.
Kubernetes Exposed: One Yaml away from Disaster by Aqua. The report discusses a crypto jacking campaign targeting exposed K8 clusters.
Positive Hack Days - 12 - Blockchain Track
Cryptocurrency investigation basics by Igor Bederov.
Unusual vulnerabilities in Ethereum smart contracts: review and elimination, 2022 by Sergey Prilutsky (MixBytes).
Oracle manipulation in Web3 by Anton Nikonov (MetaZK).
MetaTrust Singapore Web3 CTF Security Challenge - September 8 - 10, 2023.
Can you pass the Rekt test? by Trail of Bits.
Attack alerting procedure by BlockSec.
Auditor’s Advice Series by OfficerCia:
Squashing a Pesky Bug in UniswapX by shung (Kebabsec).
DeFi Risk Modelling Awesome by engn33r.
Web2 Bug Repellant Instructions by Caue Obici and Bruno Halltari (OtterSec).
Exotic culinary: Hypernative systems caught a unique Sandwich Attack against Curve Finance by Vazi (Hypernative).
Audit Anomalies Archive by zzzuhaibmohd.
Curve Finance Analysis and Post-mortem by ChainLight.
The Double-Edged Sword of abi.decode by 0xdeadbeef.
Heimdall-rs 0.5.0 by Jon Becker. Now includes a feature to generate detailed bytecode analysis including compiler version detection, 4byte resolution, modifier detection, storage slots, events, errors, etc. Amazing!
Piller by Hexens. A static analysis framework for Polynomial Identity Language (PIL) used in zkEVM for defining state machines.
scure-base by Paul Millr. Audited and 0-dep implementation of bech32, base64, base58, base32 & base16.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Keep reading with a 7-day free trial
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.