BlockThreat - Week 46, 2022
GetBlock | DFX | Godwoken | Mina | Oasis
A relatively quiet week after the never-ending stream of hacks last month. However, we still witnessed a couple of really rare exploits giving us a taste of what’s to come. A bad actor compromised GetBlock node infrastructure to demand a ransom. Imagine the damage, censorship and arbitrage one could do when taking over a major node provider. Godwoken Chain patched a really rare EVM bug that could have drained the entire chain. It’s been a long time since the last 51% attacks. The next wave of blockchain-level attacks will likely involve EVM or node-level exploitation.
I hope you can enjoy this rare week of no major compromises to catch up on the latest in blocksec research and maybe even get some rest with your families and friends.
Enjoy the news!
ZK Hack III - Nov 22 - Dec 13, 2022
Unveiling the KYC Actor Industry by CertiK.
Reports of an ongoing crypto and NFT phishing campaign on Ethereum and Solana chains.
Another Airdrop Scam, but with a twist by SlowMist.
On November 10, 2022 DFX Finance lost $4M in a reentrancy exploit.
On November 13, 2022 GetBlock node infrastructure was compromised using a 3rd party dependency.
On November 15, 2022 SheepFarm lost $72K due to a vulnerability in its registration logic.
On November 17, 2022 UEarnPool lost $16K due to a reward manipulation vulnerability.
Oasis fixed a critical vulnerability that could shut down its platform thanks to a responsible disclosure by Or Cyngiser.
Godwoken Chain fixed a critical vulnerability in its EVM interpreter thanks to a responsible disclosure by Yaron Velner.
Mina patched a chain-halting vulnerability thanks to a responsible disclosure by olgerd_py.
MakerDAO patched an XSS vulnerability in the MIPs Portal thanks to a responsible disclosure.
Building Secure Contracts: Learn how to fuzz like a pro is a 6-part series by Trail of Bits.
Formally Verifying The World’s Most Popular Smart Contract by Zellic dives into the WETH protocol using the Z3 SMT solver.
You Could Have Found the Nomad Hack by Zellic.
Yield aggregators common pitfalls - Beefy case study by MixBytes.
Deep Dive: Upgradeable Smart Contracts by Aaruni.
Decentralized Identity Attack Surface – Part 1 by CyberArk.
Develop an Ethereum bridge with Rust by Thorrwulf.
Develop an Ethereum oracle with Rust by Thorrwulf.
EVM interpreter in Dafny by ConsenSys.
Solidity Shell by ConsenSys Diligence.
Tornado Withdrawal Analysis by SlowMist.
MegaDock by BlockSec.
MobyMask - an alliance of good-hearted phish, aiming to eliminate phishers.
Crypto and NFT Phishing Campaign