BlockThreat - Week 4, 2022
Qubit | Rari | OpenSea | Sandbox
Not a week goes by without a blockchain bridge hack. QuadrigaCX manages to stay in the news with one of its co-founders starting a DeFi project. Sandbox LAND really scrambled to patch an arbitrary burn function. In other news, be sure to check out Joe Grand’s fun $2M Trezor wallet hack and plenty of other excellent research papers below.
Crime
Europol published a report on Cryptocurrencies: tracing the evolution of criminal finances.
Scams
DeFi protocol Wonderland is allegedly run by a QuadrigaCX co-founder by The Block.
DeFi Takes on Bigger Role in Money Laundering But Small Group of Centralized Services Still Dominate by Chainalysis.
Cyber vigilante hunts down DeFi scammers running away with $25M rug pull by CoinDesk.
Diving Into the Dangers of Discord (and How to Avoid Risk) by Jordan Spence (MyCrypto).
More Than 80% of NFTs Created for Free on OpenSea Are Fraud or Spam.
Hacks
On January 24, 2022 multiple OpenSea users reported unexpected sales of their NFTs at prices far below market after stale listings were filled. A bug in OpenSea's UI hid a listing once the NFT was transferred out of the owner's wallet, but the signed sell order was never cancelled on-chain, so when the NFT later returned to the wallet the old listing could still be executed at its original price.
On January 26, 2022 Index Coop Rari Pool #19 was targeted with an oracle price manipulation attack only to be saved by a friendly arbitrage bot.
On January 27, 2022 Qubit Finance lost $80M after its cross-chain bridge emitted a valid deposit event on Ethereum without locking any collateral: the deposit's token-transfer call went to an address with no code and returned success, and the BSC side then minted qXETH against a deposit that never happened.
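The OpenSea incident above comes down to a property of off-chain order books: a signed listing stays fillable until something on-chain invalidates it, and moving the NFT out of the wallet (or hiding the listing in a UI) is not that something. The contract below is an added illustration written for this newsletter, not OpenSea or Wyvern code; the contract and function names (SignedListingMarket, hashListing, cancel, incrementNonce, fill) are hypothetical. It shows the two on-chain invalidation paths a seller actually has: cancelling one order hash, or bumping a per-seller nonce that voids every open listing at once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example for this newsletter; NOT OpenSea/Wyvern code. All names are illustrative.

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract SignedListingMarket {
    struct Listing {
        address seller;
        address nft;
        uint256 tokenId;
        uint256 price; // wei
        uint256 nonce; // must equal nonces[seller] when the order is filled
    }

    mapping(bytes32 => bool) public cancelled; // per-order cancellation
    mapping(bytes32 => bool) public filled;
    mapping(address => uint256) public nonces; // bump to void every open listing of a seller

    event Cancelled(bytes32 indexed orderHash);
    event NonceIncremented(address indexed seller, uint256 newNonce);
    event Filled(bytes32 indexed orderHash, address indexed buyer);

    function hashListing(Listing calldata l) public view returns (bytes32) {
        // Bind the hash to this contract and chain so a signature cannot be replayed elsewhere.
        return keccak256(abi.encode(address(this), block.chainid, l.seller, l.nft, l.tokenId, l.price, l.nonce));
    }

    // The ONLY ways a signed listing stops being fillable: an on-chain cancel of that order,
    // an on-chain nonce bump, or a fill. Hiding it in a UI, or moving the NFT out of and back
    // into the seller's wallet, does neither; the old price remains executable.
    function cancel(Listing calldata l) external {
        require(msg.sender == l.seller, "not seller");
        bytes32 h = hashListing(l);
        cancelled[h] = true;
        emit Cancelled(h);
    }

    function incrementNonce() external {
        nonces[msg.sender] += 1;
        emit NonceIncremented(msg.sender, nonces[msg.sender]);
    }

    function fill(Listing calldata l, uint8 v, bytes32 r, bytes32 s) external payable {
        bytes32 h = hashListing(l);
        require(!cancelled[h], "cancelled");
        require(!filled[h], "already filled");
        require(l.nonce == nonces[l.seller], "stale nonce");
        require(msg.value == l.price, "wrong price");

        // EIP-191 personal_sign digest over the order hash (EIP-712 is the production choice).
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == l.seller, "bad signature");

        filled[h] = true; // effects before interactions
        IERC721(l.nft).transferFrom(l.seller, msg.sender, l.tokenId); // seller must have approved this contract
        (bool paid, ) = l.seller.call{value: msg.value}("");
        require(paid, "payment failed");
        emit Filled(h, msg.sender);
    }
}
```

A front end that "removes" a listing when the seller no longer holds the token must still prompt the seller to send a `cancel` or `incrementNonce` transaction; otherwise the signature is only dormant, and a buyer who watches for the token to come back can fill it at the stale price.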
Vulnerabilities
ZORA patched a race condition vulnerability in its NFT market contract thanks to a responsible disclosure by the 0x Protocol team.
Cronos patched a vulnerability that could be used to steal gas fees in a block thanks to a responsible disclosure by zb3 using the Immunefi platform.
Sandbox LAND migrated to new contracts after its burn function was found to be externally callable without the proper owner or approval check, allowing anyone to burn arbitrary LAND tokens.
Research
Phantom Functions and the Billion-Dollar No-op by Yannis Smaragdakis.
On How Zero-Knowledge Proof Blockchain Mixers Improve, and Worsen User Privacy.
Discussion of miner extractable value (MEV) by Knownsec.
Building an EVM from scratch - part 1 by karmacoma.eth.
Ethereum SCV List by sirhashalot categorizes recent DeFi exploits.
An Ultimate NFT Security Collection by Cia Officer.
Review of Tools for Analyzing Security Vulnerabilities in Ethereum based Smart Contracts.
Ethereum single use address hack by Ernesto.
Ethereum minimal constructor bytecode by Anton Bukov.
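The Qubit entry under Hacks and the Phantom Functions paper above describe the same failure: a call to a function that does not exist at the target, including any call to an address with no code, returns success with empty return data, and code that treats "the call did not revert" as "the tokens moved" mints or credits against nothing. The contracts below are an added illustration for this newsletter, not Qubit's or any other project's code; the names (VulnerableBridgeVault, HardenedBridgeVault, resourceToToken, deposit) are hypothetical. The vulnerable vault uses a raw low-level call with the "optional return value" check common in ERC20 wrappers; the hardened one refuses codeless targets and trusts the balance delta instead of the success flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example for this newsletter; NOT Qubit's bridge code. All names are illustrative.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Vulnerable pattern. The EVM treats CALL to an address with no code as a successful
// call with empty return data. If `token` is address(0) (for example after the native
// asset's resource was migrated and its entry zeroed), nothing is transferred, the
// require passes, and a Deposit event is still emitted. Relayers that trust the event
// mint wrapped tokens on the destination chain against collateral that was never locked.
contract VulnerableBridgeVault {
    mapping(bytes32 => address) public resourceToToken;
    event Deposit(bytes32 indexed resourceID, address indexed depositor, uint256 amount);

    function setResource(bytes32 resourceID, address token) external {
        resourceToToken[resourceID] = token; // admin-gated in any real bridge
    }

    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceToToken[resourceID];
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        // "Optional return" check used to tolerate non-standard ERC20s: empty return data is
        // accepted, which is exactly what a call to a codeless address yields.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
        emit Deposit(resourceID, msg.sender, amount);
    }
}

// Hardened pattern: reject unknown or codeless targets, and measure what actually arrived.
contract HardenedBridgeVault {
    mapping(bytes32 => address) public resourceToToken;
    event Deposit(bytes32 indexed resourceID, address indexed depositor, uint256 amount);

    function setResource(bytes32 resourceID, address token) external {
        require(token.code.length > 0, "token must be a contract"); // admin-gated in practice
        resourceToToken[resourceID] = token;
    }

    function deposit(bytes32 resourceID, uint256 amount) external {
        address token = resourceToToken[resourceID];
        require(token != address(0), "unknown resource");
        require(token.code.length > 0, "token has no code");
        require(amount > 0, "zero amount");

        uint256 before = IERC20(token).balanceOf(address(this));
        // High-level call: a missing function or a non-bool return reverts on decode.
        // For tokens that return nothing (USDT-style) wrap this in a SafeERC20-style helper.
        bool ok = IERC20(token).transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom returned false");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received == amount, "short or fee-on-transfer deposit");

        emit Deposit(resourceID, msg.sender, received); // credit only what was received
    }
}
```

The `code.length` check closes the codeless-address case, but it does not cover the second phantom-function case, a contract whose fallback accepts any selector; the balance-delta check is what protects against both, because it asks the token how much it really holds rather than asking the call whether it reverted.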
Media
How I hacked a hardware crypto wallet and recovered $2 million with Joe Grand.
Fuzzing Ethereum Smart Contract using Echidna - Blockchain Security #1 by Patrick Ventuzelo (Fuzzing Labs).
Ethereum Smart Contract Analysis & Solidity Audit using Mythril - Blockchain Security #2 by Patrick Ventuzelo (Fuzzing Labs).