BlockThreat - Week 44, 2021
bZx | Rari | Vesper | Synapse | DarkSide | Squid Game
Welcome to BlockThreat!
This week we are seeing the first indications of the North Korean Lazarus APT taking an interest in DeFi projects with the $55M compromise of bZx. TWAP price manipulation is a hot new exploit in the DeFi space, resulting in the compromise of multiple projects. The US government is on the hunt for ransomware actors and anyone supporting them, with a recent arrest and a $10M bounty. A rapid increase in social engineering attacks on crypto Discord channels claimed yet another major project, so be careful out there! Let’s dive into the news, but first some exciting project news:
Project updates: The newsletter now includes a new paid subscriber section with a growing collection of premium content such as threat indicators for the recent hacks, DeFi exploit PoCs, phishing domains, crypto malware signatures, and others.
I will continue delivering the same free content to help build and secure the blockchain community while providing an added value to professional auditors, blockchain analytics companies, and others who made the leap of making this a full time endeavor.
You can unlock it by upgrading your subscription in your account settings page. Looking forward to your thoughts and suggestions on this new format!
Events
Join the Formal Verification in the Ecosystem conference on November 16, 2021, featuring speakers from Certora, Flashbots, Trail of Bits, Consensys, and many others.
Competitions
The Damn Vulnerable DeFi wargame just got four new challenges and Hardhat updates.
Media
Consensys: Securing your Uniswap integration with Scribble by Joran Honig (Consensys)
Secureum SafeCast episode with Dan Guido (Trail of Bits).
News
US DoJ announced a reward of up to $10M for information on the DarkSide ransomware group responsible for the Colonial Pipeline hack.
Denis Dubnikov, a co-founder of Coyote Crypto and EggChange, was arrested in Amsterdam (after previously being detained at Mexico City airport) on an extradition request from the FBI. The arrest came after a series of cryptocurrency exchange sanctions by the U.S. Treasury aimed at dismantling the ransomware and money-laundering industry based out of Russia.
Bloomberg reports on an unusual concentration of sanctioned cryptocurrency exchanges in a single skyscraper in Moscow’s business district. Vostok Tower hosts Suex, EggChange, CashBank, Buy-bitcoin[.]pro, and others.
Zaryn Dentzel, a founder of Tuenti, was tortured by masked assailants for four hours to gain access to his cryptocurrency assets.
Scams
Check Point Research warns of an ongoing Google Adwords phishing campaign targeting crypto wallet and DeFi users which has already resulted in the theft of at least $500K.
TRM Labs reports on an ongoing BitRAT malware phishing campaign targeting Mango Markets NFT users on Discord.
Axie Infinity was targeted by the now familiar Discord social engineering attack: channel operators were tricked into leaking their auth token through a screen sharing session, after which a malicious Dapp was advertised to steal users’ tokens.
ENS Domains shared an ongoing phishing campaign taking advantage of the recent airdrop.
Vice reports on the sophisticated OTP Bot phishing campaign allowing scammers to target 2FA users of Coinbase, PayPal, and other financial institutions.
Squid Game operators rug pulled the project, which cost investors $12M.
Hacks
On October 23, 2021, an attacker exploited a flaw in the reward calculation logic of Take Profit Finance, a BSC-based DeFi project, to gain $400K.
On October 30, 2021 a vulnerability in the Pixel Vault’s Planet DAO token approval mechanism was exploited to mint tokens by burning PUNKS comic NFTs the attackers did not own.
On October 30, 2021, Chia Network experienced a denial of service attack after a single operator flooded the network with small transactions. This resulted in a number of nodes getting overwhelmed and delayed legitimate transactions from reaching the network.
On November 2, 2021, Rari Fuse protocol was exploited with a price manipulation exploit which resulted in the loss of $3M.
On November 3, 2021, Vesper Finance lost $3M in yet another TWAP price manipulation attack.
On November 5, 2021, bZx lost $55M on ETH, Polygon, BSC, and FTM networks after their private keys were compromised in a spear phishing attack by a North Korean actor.
On November 6, 2021, Synapse, a cross-chain protocol, lost $8M due to incorrect price calculation using an external AMM.
Vulnerabilities
Inspex fixed a flaw in its farm smart contract which could have allowed users to claim more assets than expected after a friendly notification from the KillSwitch team.
Research
Bitcoin Mixing: A Survey & Short Guide on How to trace Malicious Transactions by Rakesh Krishnan.
Inside the War Room: How Indexed Finance Traced Its $16M Hacker by Stefan Stankovic (Crypto Briefing).
Become a Dapptools Pilled Chad in 30 minutes or Your Money Back by @transmissions11.
The Web3 Security Revolution by Immunefi.
Preventing Channel Jamming by BitMEX Research.
Premium Content
Indicators
Google Adwords phishing domains:
Indicators:
phanton[.]app
phantonn[.]pw
4vwwwmetamas[.]top
pancociswap[.]fincancos[.]pagedemo[.]co
www[.]panacakeswap-finannce[.]com
www[.]poncakeswap-investments[.]com
uniswap-fath[.]tech
Mango Markets fake wallet malware:
Indicators:
MD5: 51bf6fe3c0583a43e33ef43c8efe2d320
SHA-1: 091ef6c98197c3e4d5c6feec7a945aae94dee208
SHA-256: 120213353ac7bd835086e081fb85dfa4959f11d20466fd05789ded3bff30bb11
Squid Game scammers:
Indicators:
BSC: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728
Take Profit Finance exploiter:
Indicators:
BSC: 0x2e5f7ead7e26b40e7be8e1f6bd9675cb9f0dfe77
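The indicators above are published defanged (`[.]` instead of `.`), so they have to be normalised and sanity-checked before they can be loaded into a resolver blocklist or matched against logs. The following is an added example (not part of the newsletter and not tooling from any of the projects it mentions) that refangs the phishing domains listed above, validates the published file hashes against the expected hex length for each algorithm, and scans constructed DNS query log lines for lookups of the phishing domains or their subdomains. The DNS log format and the sample log lines are assumptions made up for this example; note that the MD5 string as published is 33 hex characters, so the length check rejects it and only the SHA-1 and SHA-256 values are loaded.

```python
import re

# Phishing domains as published in this newsletter's indicator list (defanged).
PHISHING_DOMAINS_DEFANGED = [
    "phanton[.]app",
    "phantonn[.]pw",
    "4vwwwmetamas[.]top",
    "pancociswap[.]fincancos[.]pagedemo[.]co",
    "www[.]panacakeswap-finannce[.]com",
    "www[.]poncakeswap-investments[.]com",
    "uniswap-fath[.]tech",
]

# File hashes as published for the Mango Markets fake wallet malware.
PUBLISHED_HASHES = {
    "md5": "51bf6fe3c0583a43e33ef43c8efe2d320",      # 33 hex chars as published: malformed
    "sha1": "091ef6c98197c3e4d5c6feec7a945aae94dee208",
    "sha256": "120213353ac7bd835086e081fb85dfa4959f11d20466fd05789ded3bff30bb11",
}

# Expected hex digest lengths per algorithm.
HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form ("[.]" -> ".", "hxxp" -> "http")."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def valid_hash(kind: str, value: str) -> bool:
    """True if value is a hex string of exactly the digest length expected for kind."""
    return bool(re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LENGTHS[kind], value))


def load_hash_indicators(published: dict) -> dict:
    """Keep only well-formed hashes so a malformed entry cannot silently never match."""
    return {k: v.lower() for k, v in published.items() if valid_hash(k, v)}


def build_domain_blocklist(defanged: list) -> set:
    return {refang(d) for d in defanged}


def domain_matches(query: str, blocklist: set) -> bool:
    """Match an exact indicator or any subdomain of it (trailing dot from DNS logs stripped)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocklist)


# Assumed log line shape (constructed for this example): "<timestamp> <client-ip> query: <name>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<name>\S+)")


def scan_dns_log(lines: list, blocklist: set) -> list:
    """Return (client, queried-name) pairs for every lookup that hits the blocklist."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        name = m.group("name").rstrip(".")
        if domain_matches(name, blocklist):
            hits.append((m.group("client"), name))
    return hits


# Constructed sample log lines; the second and fourth are benign lookups
# (phantom.app is the legitimate wallet domain, one letter away from the phishing one).
SAMPLE_DNS_LOG = [
    "2021-11-04T10:02:11Z 10.0.0.15 query: phanton.app.",
    "2021-11-04T10:03:40Z 10.0.0.22 query: app.uniswap.org.",
    "2021-11-04T10:05:02Z 10.0.0.15 query: login.www.panacakeswap-finannce.com.",
    "2021-11-04T10:06:30Z 10.0.0.31 query: phantom.app.",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    blocklist = build_domain_blocklist(PHISHING_DOMAINS_DEFANGED)
    for client, name in scan_dns_log(SAMPLE_DNS_LOG, blocklist):
        print(f"ALERT {client} resolved phishing domain {name}")
    print("loaded hash indicators:", sorted(load_hash_indicators(PUBLISHED_HASHES)))
```

The subdomain match matters because phishing kits are often served from a host under the registered domain rather than the apex, while the near-miss `phantom.app` lookup shows why exact or suffix matching, not substring matching, is the right comparison.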