Welcome to BlockThreat!

What a crazy week. Seven different DeFi incidents with more than $13M lost to hacks, samczsun helps rescue another project, $10M+ rugpulls, malware campaigns targeting the crypto ecosystem, all the while multi-million databases of PII continue getting leaked to further fuel the phishing machine. In other news, Kazakhstan’s power grid is in trouble after a rapid increase in crypto mining operations. Let’s dive right in, but first be sure to check out Donjon CTF which is kicking off tonight!

News

• Google CAT published a Threat Horizons intelligence report revealing the latest in phishing and other malicious campaigns including increased use of compromised Google Cloud for cryptomining.

• GoDaddy reported a breach leaking sFTP credentials, usernames, and passwords for 1.2M WordPress customers. The hack affects a number of hosting resellers such as tsoHost, Media Template, and others.

• Safe thieves offered a $500K reward to return a safe with locked cryptocurrency keys.

Challenges

• Donjon 2021 CTF starts on November 30th.

• The Standoff Digital Art competition involving vulnerable NFT contracts and solutions.

Scams

• Phantom Galaxies fell victim to another Discord channel takeover which cost its customers $1.1M lost to a fake airdrop.

• SnowdogDAO rugpull netted scammers $10M profit using a buyback scheme and a custom AMM contract. Snowdog developers called it a game theory experiment.

• How Cybercriminals Trick You Into Giving Up Your Crypto by Immunefi.

Hacks

• On November 11, 2021 Wanaka Farm lost $1m as a result of a race condition with a backend API.

• On November 21, 2021 Formation Finance lost $100K as a result of insufficient validation of the fee parameter.

• On November 21, 2021 Unlock Protocol lost $9.7M worth of UDT after a private key compromise used on xDAI and Polygon networks.

• On November 22, 2021 OlympusDAO lost $1.43M as a result of a vulnerability in its bond contract.

• On November 23, 2021 Ploutoz Finance was exploited with an oracle price manipulation exploit which resulted in the theft of $365K worth of tokens.

• On November 26, 2021 Lever Network lost $650K due to insufficient checks in liability calculation.

• On November 27, 2021 dYdX performed a self hack with the help of samczsun to rescue potentially vulnerable funds.

Vulnerabilities

• Enzyme Finance patched a critical price oracle manipulation vulnerability after it was responsibly disclosed by setuid0 using Immunefi platform.

• Wolf Game NFT patched reentrancy and weak PRNG vulnerabilities after responsible disclosure by notstoops and analysis from Bernhard Mueller.

• Geth published details of the CVE-2021-41173 DoS vulnerability which could crash the node using a specially crafted message.

Malware

• Morphisec report on Babadeda malware targeting Crypto, DeFi, and NFT communities primarily through Discord phishing campaigns and typosquatting domains.

Research

• Inside the DOJ Crackdown on DarkSide & REvil / Sodinokibi Ransomware Crime Groups by LMG Security.

• Ethereum analytics with BigQuery by Nick Johnson.

• The Solcurity Standard for smart contract auditing by transmissions11.

• Secureum Epoch0 Bootcamp for Smart Contract Auditing mindmap.

• Price Manipulation Attacks From First Principles with Tincho.

• Understanding Security Issues in the NFT Ecosystem.

• Machine Learning Guided Cross-Contract Fuzzing.

• Storage slot discovery technique by banteg.

• Debugging with dapptools and local nodes by Matt Solomon.

Premium Content

Indicators

Wanaka Farm Attacker:
BSC: 0x1f7234eabcb85242f15e3fd8962b70a4caf92b4c
BSC: 0xb23067D4660f0E2de2978dc8Bda1432986709554