BlockThreat - Week 47, 2021
Wanaka | Unlock | Olympus | Ploutoz | Level | dYdX | Wolf | Snowdog
Welcome to BlockThreat!
What a crazy week. Seven different DeFi incidents with more than $13M lost to hacks, samczsun helps rescue another project, $10M+ rugpulls, malware campaigns targeting the crypto ecosystem, all the while multi-million-record databases of PII continue to leak and feed the phishing machine. In other news, Kazakhstan’s power grid is in trouble after a rapid increase in crypto mining operations. Let’s dive right in, but first be sure to check out the Donjon CTF, which kicks off tonight!
News
Google’s Cybersecurity Action Team (CAT) published its Threat Horizons intelligence report covering the latest phishing and other malicious campaigns, including the increased use of compromised Google Cloud instances for cryptomining.
GoDaddy reported a breach exposing sFTP credentials, usernames, and passwords for 1.2M WordPress customers. The incident also affects a number of hosting resellers such as tsoHost, Media Temple, and others.
Safe thieves were offered a $500K reward to return a stolen safe containing locked cryptocurrency keys.
Challenges
Donjon 2021 CTF starts on November 30th.
The Standoff Digital Art competition, featuring vulnerable NFT contracts and their solutions.
Scams
Phantom Galaxies fell victim to another Discord channel takeover, which cost its community $1.1M in a fake airdrop.
SnowdogDAO rugpull netted scammers $10M profit using a buyback scheme and a custom AMM contract. Snowdog developers called it a game theory experiment.
How Cybercriminals Trick You Into Giving Up Your Crypto by Immunefi.
Hacks
On November 11, 2021 Wanaka Farm lost $1M as a result of a race condition in its backend API.
On November 21, 2021 Formation Finance lost $100K as a result of insufficient validation of the fee parameter.
On November 21, 2021 Unlock Protocol lost $9.7M worth of UDT after a compromised private key was used on the xDAI and Polygon networks.
On November 22, 2021 OlympusDAO lost $1.43M as a result of a vulnerability in its bond contract.
On November 23, 2021 Ploutoz Finance was exploited via price oracle manipulation, resulting in the theft of $365K worth of tokens.
On November 26, 2021 Lever Network lost $650K due to insufficient checks in liability calculation.
On November 27, 2021 dYdX, with the help of samczsun, performed a whitehat self-hack to rescue potentially vulnerable funds.
Vulnerabilities
Enzyme Finance patched a critical price oracle manipulation vulnerability after it was responsibly disclosed by setuid0 through the Immunefi platform.
Wolf Game NFT patched reentrancy and weak PRNG vulnerabilities after responsible disclosure by notstoops and analysis from Bernhard Mueller.
Geth published details of CVE-2021-41173, a DoS vulnerability in which a specially crafted message could crash a node.
Malware
Morphisec report on the Babadeda malware targeting the crypto, DeFi, and NFT communities, delivered primarily through Discord phishing campaigns and typosquatted domains.
Research
Inside the DOJ Crackdown on DarkSide & REvil / Sodinokibi Ransomware Crime Groups by LMG Security.
Ethereum analytics with BigQuery by Nick Johnson.
The Solcurity Standard for smart contract auditing by transmissions11.
Secureum Epoch0 Bootcamp for Smart Contract Auditing mindmap.
Price Manipulation Attacks From First Principles with Tincho.
Storage slot discovery technique by banteg.
Debugging with dapptools and local nodes by Matt Solomon.
Premium Content
Indicators
Wanaka Farm Attacker:
BSC: 0x1f7234eabcb85242f15e3fd8962b70a4caf92b4c
BSC: 0xb23067D4660f0E2de2978dc8Bda1432986709554