BlockThreat - Week 51, 2023
OKX | Transit Finance | Pine Protocol | MS Drainer | BlackCat
An interesting case study on vulnerability disclosure. CertiK announced a critical remote code execution vulnerability in the OKX iOS Wallet on the same day the patch became available. How long does it take Apple users to apply a patch? Take the Safari browser as an example. Safari 17.2 was released on December 11 and also includes a patch for an arbitrary code execution vulnerability. Weeks later, only 1.23% of users had installed the update, while 39.22% of users continued running Safari 17, released on September 18. According to Mandiant, “One Day” exploitation occurs in about 9 days following patch release and disclosure. Unfortunately, only the most diligent users are likely to install app updates within this timeframe, leaving the rest vulnerable.
Unlike smart contract bugs, which can be patched and disclosed quickly, client-side patching requires significantly more finesse when balancing user risk, criticality and likelihood of exploitation. What happened instead was OKX rushing to urge users to install the update a few hours after CertiK disclosed the vulnerability. The two announcements disagreed as to whether users’ funds were affected, further indicating a lack of coordination. Kudos to CertiK for finding and reporting the vulnerability. A much better approach would have been to coordinate with OKX to promote the upgrade, watch backend stats until the majority of users had installed it, as noted by Tay, and then make a joint announcement referencing OKX’s post, not the other way around. What do you think?
Just a couple of DeFi exploits this week, totaling $200,000, with relatively rare exploitation vectors. The Transit Finance exploit involved a specially crafted transaction with a forged pool parameter, while Pine Protocol suffered from sharing the same pool address. You can find detailed writeups and PoC code in the premium section.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Hack Hauls Halve From 2022 by TRM.
Scraping Bits by DeGatchi - #35: From Securing Smart Contracts To Optimism's L2 Rollup - Ft. Maurelian
On Decoding Raw EVM Calldata by Jonathan Becker.
Confession about fuzzing by Pavel Kondr (Pessimistic Security).
ZK-SNARKS & The Last Challenge Attack: Mind Your Fiat-Shamir! by OpenZeppelin.
Compound Case Study: How Compound Secures its Protocol and Users by OpenZeppelin.
Post-Mortem Report: Sequencer Downtime and L1 Gas Pricing Issue by Arbitrum Foundation.
Tealer - a static analyzer for Algorand’s Teal code by crytic.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.