BlockThreat - Week 47, 2022
AAVE | Bo Shen | Coinsquare | Infura | Argent
The Coinsquare exchange compromise continues the trend of attackers targeting customer PII rather than hot wallets. Avi Eisenberg was at it again, attempting to short squeeze CRV, which left AAVE with a small bad debt position. This week we also witnessed a few smaller (under $20K) DeFi exploits, which are worth watching as the earliest indicators of bad actors practicing their craft before a larger exploit.
Let’s dive into the news!
On November 19, 2022 Coinsquare Exchange experienced a breach in which customer PII, including names, wallet addresses, and balances, was exposed.
On November 20, 2022 SportsDAO lost $13.6K due to a reward manipulation exploit.
On November 22, 2022 the Mango Markets attacker's CRV price manipulation attempt left AAVE with $1.6M in bad debt, though the attacker ultimately ended up at a loss. AAVE and Compound implemented defensive measures to prevent similar attacks.
On November 22, 2022 Bo Shen lost $42M from his private wallet likely due to mnemonic phrase theft.
On November 23, 2022 Numbers Protocol lost $13.8K due to mishandling of tokens with a missing permit interface.
Aptos patched an integer overflow vulnerability in MoveVM thanks to a responsible disclosure by Numen Cyber Labs.
My Pelerin patched a bridge draining vulnerability thanks to a responsible disclosure by an anonymous whitehat.
Cryptojacking malware soars nearly 4x in Q3 2022, by AtlasVPN.
Lex Fridman Podcast #340 – Chris Tarbell: FBI Agent Who Took Down Silk Road.
Ethereum Engineering Group - Security of Crosschain Transactions and Bridges.
Solana Introductory Security Considerations by Haechi.
Security Guide to Proxies by yAcademy.
Security of Algorithmic Stablecoins by Konstantin Nekrasov.
Access Control Vulnerability in DeFi by QuillAudits.
The Insecure External Calls by TriathonLab.
The Cost of Resilience by Flashbots.
Sample sandwich attack analysis by Spreek.
Etherscan Labels - scrapes labels from the Etherscan website and stores them as JSON/CSV.
Breadcrumbs Browser Extension - labels and tracks Ethereum addresses.
Helios - a fully trustless, efficient, and portable Ethereum light client written in Rust.
SecureRpc - a bare-metal, fully conformant JSON-RPC/gRPC infrastructure plane that aims to perform well, resist censorship, preserve privacy, and remain Flashbots compatible, among other goals.
1inch RabbitHole - another private RPC node that avoids the public mempool.
Loadbalanceeeer - a local JSON-RPC load-balancer with opt-in anonymizer via Tor.
Bo Shen Attackers