BlockThreat - Week 36, 2022
Avalanche | Nereus | New Free DAO | Gera
This week Avalanche patched a couple of critical vulnerabilities that could have been used to steal assets or shut down the whole network. Multiple DeFi projects were also exploited with well known bugs as well as more sophisticated reward vulnerability bugs for a total of $3.3M. Following up on Tornado Cash sanctions multiple companies decided to fight back OFAC’s overreach with well written open letters and law suits. Let’s dive into the news!
$30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit by Chainalysis.
Tornado Cash Updates
Defending Privacy in Crypto by Coinbase.
Base Layer Neutrality by Paradigm.
Immunefi’s Guide to Crypto Phishing Attacks (and the Hackers Who Plot Them).
A number of new phishing campaigns advertising as Ethereum Merge sites, blockchain games, and software betatesters.
Compromised The Sandbox Instragram used to direct users to a phishing site.
On August 22, 2022 Shiba Inu leaked AWS credentials in its public repo.
On September 5, 2022 Zoom Protocol lost $61K as a result of a price oracle manipulation vulnerability.
On September 7, 2022 Nereus Finance lost $371K in a price oracle manipulation attack.
On September 7, 2022 Gera Token reported its private keys were compromised which resulted in $1.48M losses.
On September 8, 2022 New Free DAO reward manipulation exploit resulted in $1.25M in losses.
On September 8, 2022 Ragnarok token lost $42K due to insufficient access controls on the transferOwners function.
On September 8, 2022 Primitive Finance was exploited with a math approximation bug to steal $34K.
On September 9, 2022 Dark Pool on BSC lost $103K due to a bug in reward calculation.
Avalanche patched a critical DoS vulnerability in its node software thanks yo a responsible disclosure by Péter Szilágyi.
Avalanche deprecated Native Asset Calls after Statemind, Abracadabra and Sushi teams reported a function access control vulnerability.
Foundry patched a remote code execution vulnerability in forge thanks to a responsible disclosure by elyx0.eth. Patch now!
Report on a memory overwrite vulnerability in OpenSea’s Wyvern Protocol by the BlockSec team.
Celer Bridge incident analysis by Coinbase Threat Intelligence offers an in depth analysis of the BGP hijacking attack and phishing contracts.
Blue Buttons of Death by Cia Officer and ortomichDev explore approval and permit token stealing methods including PoC code.
Move: An Auditor's Introduction by OtterSec explores Diem’s Move type system and formal verification features.
Hacking my Helium crypto miner by Wesley Neelen.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Keep reading with a 7-day free trial
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.