BlockThreat - Week 52, 2023
Orbit | Levana | Telcoin | Catalyx | INSC NFT | Thunder Terminal | Channels Finance
Crypto spring is back. Unfortunately that means exploiters, scammers, and other criminal elements are about to refocus their efforts on the blockchain industry. The number of compromises is starting to really pick up, going from just 61 in 2023 Q1 to 104 in 2023 Q4. We are still far behind in total value lost from the same quarter last year ($641M vs. $1.37B), but as asset valuations pick up this number will follow. So let’s see what contributed to the above numbers in the last week of 2023.
The year ended with a massive $81M Orbit Bridge compromise. The exploit involved a private key compromise of one of the validators, similar to the Harmony Horizon Bridge hack. However, it also required a validation bypass in the withdrawal function to get around the minimum approval threshold. The compromise makes for an interesting case study on monitoring:
The attacker performed several small test transactions on December 30th and December 31st, exploiting the validator bypass vulnerability.
Mass draining started on December 31st and lasted about 18 minutes.
The bridge was deactivated one hour after the last exploit transaction.
Early private key compromise may have been caught with traditional “web2” security controls (e.g. endpoint security, secure storage, logging, etc.).
Early exploitation may have been caught by performing deep analysis on every withdrawal transaction to detect malformed transaction parameters (e.g. threshold validation, signed data verification, etc.).
Mass withdrawals are easy to detect with a token outflow heuristic, which most likely alerted the team and blockchain monitoring vendors.
A one-hour incident response time is pretty good, but it is insufficient to stop or minimize losses. Automatic circuit breakers are a must.
Attackers like to strike during major holidays, conferences and other events.
The best we can do is take careful notes and continue building a more resilient ecosystem. I hope the above helps.
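The two detection layers described above (deep per-withdrawal parameter checks to catch the early test transactions, and a token outflow heuristic wired to an automatic circuit breaker to catch the mass drain) can be sketched in a few dozen lines. The following is an added example written for this newsletter, not Orbit Bridge code; the event fields, validator threshold, window size, outflow ceiling and the transaction stream are all constructed assumptions.

```python
"""Hypothetical bridge-withdrawal monitor (added example, not Orbit Bridge code).

Two detectors run over a constructed stream of withdrawal events:
  1. per-transaction validation: a withdrawal presenting fewer validator
     approvals than the threshold is flagged immediately (the signal that
     would have caught the small test transactions);
  2. an outflow heuristic: total value withdrawn inside a sliding time
     window above a ceiling trips a circuit breaker that halts the bridge
     (the signal for the mass drain).
All field names, thresholds and sample transactions are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

VALIDATOR_THRESHOLD = 7            # assumed minimum approvals per withdrawal
WINDOW_SECONDS = 600               # assumed sliding window for the outflow heuristic
OUTFLOW_CEILING_USD = 5_000_000.0  # assumed maximum outflow allowed per window


@dataclass
class Withdrawal:
    ts: int            # unix seconds
    tx: str            # constructed transaction id
    amount_usd: float
    approvals: int     # validator signatures presented with the withdrawal


@dataclass
class MonitorState:
    halted: bool = False
    alerts: List[str] = field(default_factory=list)
    window: Deque[Tuple[int, float]] = field(default_factory=deque)
    window_total: float = 0.0


def check_parameters(w: Withdrawal) -> Optional[str]:
    """Deep per-withdrawal check: return an alert if the parameters are malformed."""
    if w.approvals < VALIDATOR_THRESHOLD:
        return f"{w.tx}: approvals {w.approvals} < threshold {VALIDATOR_THRESHOLD}"
    return None


def update_outflow(state: MonitorState, w: Withdrawal) -> float:
    """Add the withdrawal to the sliding window and return the window's total outflow."""
    while state.window and w.ts - state.window[0][0] > WINDOW_SECONDS:
        _, old_amount = state.window.popleft()   # evict events outside the window
        state.window_total -= old_amount
    state.window.append((w.ts, w.amount_usd))
    state.window_total += w.amount_usd
    return state.window_total


def process(events: List[Withdrawal]) -> MonitorState:
    """Run both detectors over the events in time order; halt on breaker trip."""
    state = MonitorState()
    for w in sorted(events, key=lambda e: e.ts):
        if state.halted:
            state.alerts.append(f"{w.tx}: rejected, bridge halted")
            continue
        malformed = check_parameters(w)
        if malformed:
            state.alerts.append("MALFORMED " + malformed)
        total = update_outflow(state, w)
        if total > OUTFLOW_CEILING_USD:
            state.halted = True   # automatic circuit breaker, no human in the loop
            state.alerts.append(
                f"CIRCUIT BREAKER at {w.tx}: {total:,.0f} USD in {WINDOW_SECONDS}s window")
    return state


def sample_events() -> List[Withdrawal]:
    """Constructed stream: two under-approved test withdrawals a day apart, one legitimate
    withdrawal, then a burst of large under-approved withdrawals a minute apart."""
    return [
        Withdrawal(0,      "test-1",  1_000.0,     1),
        Withdrawal(50_000, "legit-1", 10_000.0,    7),
        Withdrawal(86_400, "test-2",  2_000.0,     1),
        Withdrawal(172_800, "drain-1", 2_000_000.0, 1),
        Withdrawal(172_860, "drain-2", 2_000_000.0, 1),
        Withdrawal(172_920, "drain-3", 2_000_000.0, 1),
        Withdrawal(172_980, "drain-4", 2_000_000.0, 1),
    ]


if __name__ == "__main__":
    for line in process(sample_events()).alerts:
        print(line)
```

On the constructed stream the parameter check fires on both test transactions days before any money is at risk, and the breaker halts the bridge on the third large withdrawal, so the fourth is rejected rather than processed. The window eviction uses the event timestamp rather than wall-clock time, so the same code works for replaying historical withdrawals as well as for a live feed.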
Speaking of web2 security controls: the MongoDB cloud compromise exposed customer names, phone numbers, email addresses, and other customer metadata. According to MongoDB, attackers accessed system logs for at least one customer. The compromise may have contributed to the $250K Thunder Terminal hack; Thunder Terminal blamed the platform for leaking session tokens, leading to a number of unauthorized transfers. The attack has similarities to the JumpCloud incident, although the bad actors don’t sound North Korean.
PSA: MongoDB customers should review and change potentially exposed credentials and session data.
The same week also included a Catalyx hot wallet compromise and a few other avoidable DeFi hacks, such as an uninitialized contract in Telcoin, price oracle manipulation in Levana and Channels, and a mass NFT theft event in INS NFT. At least we got pretty good at shutting down malicious governance proposals, such as the one targeting Annex Finance.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, SBF will not face the second trial for all of the other shenanigans due to "strong public interest in a prompt resolution". As a member of the public, I am actually interested in just how far campaign fraud went, but it sounds like the government is satisfied with existing convictions.
See you all in the New Year! Let’s dive into the news!
FindAudit was launched by bytes032. It’s a marketplace for Auditors that hate marketing.
How Good are Wallet Security Extensions by Feld (Boring Security).
Compound Labs X account compromised with a link to a drainer.
Proof Of Podcast by Hake - Bytes: Pressure Makes Diamonds.
Proof Of Podcast by Hake - Antonio Viggiano: Teach Me How To Fuzz.
Billion times emptiness by Trail of Bits. On DoS bugs in common Ethereum ABI libraries, including eth_abi, ethabi, alloy-rs, and ethereumjs-abi.
Sui Validator node DOS Bugfix Review by Alex Horlan (Hacken Proof).
Cryptographic Asymmetry and How To Shut Down A Cosmos-Ethereum Bridge by Maxwell Dulin (Strikeout) and ging3r.
Awesome Cosmos Security by deliriusz.
Smart Contract Patterns: The Proxy by noxx.
Interview with a KyberSwap Hacker by OfficerCia.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.