BlockThreat - Week 5, 2022
Wormhole | KLAYswap | Meter.io | Compound | Mars Stealer
Things are not looking good in DeFi land this week! Two cross-chain bridges got hit in a single week! KLAYswap suffered a surgical BGP hijacking of a third-party dependency, used to replace the smart contract address on the front-end Dapp and steal crypto from the site's visitors. Justin Sun may be at it again with a governance attack on Compound Protocol to force a TUSD vote. Insider threats, careless access controls, reentrancy, and other bugs netted attackers $333M in a single week; that's more than all of the losses combined in 2020. Let's learn from these mistakes and make the blockchain security ecosystem stronger.
On February 3, 2022 the KLAYswap front-end was attacked using BGP hijacking to redirect token approvals to a malicious address on the Klaytn blockchain. As a result, $1.83M was lost.
On February 3, 2022 HypeBears was exploited using a reentrancy vulnerability to mint multiple tokens.
On February 4, 2022 Tecra Coin lost $600K from its Uniswap pool after an arbitrary-burn vulnerability in its contract was exploited.
On February 4, 2022 a DePo insider stole $1.6M by draining one of the staking rewards wallets.
On February 5, 2022 a money-printing bug in Meter.io was exploited, resulting in the theft of $4.4M.
Solidly Exchange patched a critical NFT double counting vulnerability after it was responsibly disclosed through its bug bounty program.
Yearn patched a price manipulation bug in its USDT strategy thanks to a report to its bug bounty program.
Mars Stealer: Oski refactoring analysis by 3xp0rt reveals new crypto stealing functionality.
A quick reminder of what "shared security" means and why it's so important by Vitalik Buterin.
Sealevel Attacks - Examples of common exploits unique to the Solana programming model and recommended idioms for avoiding these attacks using the Anchor framework.
Mainnet forking with Forge by Sushi.
The Duality of Web3: Privacy vs. Transparency by Shekar Ramaswamy.