Greetings!
Security Alliance announced its latest initiative, the White-Hat Safe Harbor Agreement. It is designed to shield white-hat hackers from legal repercussions when they proactively rescue assets in the midst of a hack, while also establishing a reward for doing so. Are we about to witness a new field where independent blockchain monitors compete to identify hacks in progress? The initiative brings light into the dark forest while helping propel the fields of security monitoring and response forward by leaps and bounds. Imagine intelligent incident bots front-running bad actors to rescue funds milliseconds before their exploits land on-chain, automated blocklists hampering attackers' ability to move and swap funds, and countermeasures that hack back attacker contracts to claw back funds. All of these defensive mechanisms already exist in some form, but could be pushed much further with the right incentives. Kudos, samczsun!
FixedFloat experienced a massive $26m hot wallet compromise across the Bitcoin and Ethereum networks. The attackers took their time, depositing stolen assets to the HitBTC and eXch exchanges for days following the hack. eXch in particular is becoming a common cash-out venue in recent compromises. Continuing the trend of hot wallet compromises, Duelbits also suffered a $4.6m loss this week.
A single actor has been attacking Miner, Azuma, Dawn and other projects which implemented the new ERC-404 token standard. Below is the vulnerable code snippet these projects used for token transfers:
function _update(address from, address to, uint256 value, bool mint) internal virtual {
    uint256 fromBalance = _balances[from]; // cached sender balance
    uint256 toBalance = _balances[to];     // cached recipient balance, read before the debit below
    [.. snip ..]
    _balances[from] = fromBalance - value;
    _balances[to] = toBalance + value; // VULN: when from == to this overwrites the debit just written
}
The from and to balances are cached in the fromBalance and toBalance variables before either one is updated. The logic almost mirrors OpenZeppelin's ERC-20 _update, except that OpenZeppelin never caches the recipient balance: it re-reads storage when crediting the recipient. Now consider a transfer where from and to are the same address. toBalance still holds the balance as it was before the subtraction, so the final write overwrites the debit and credits the full amount on top of the original balance. None of the vulnerable contracts checked that from and to differ, which allowed bad actors to double their balance with a single self-transfer while the total supply stayed unchanged. Really bad!
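To make the failure mode concrete, here is an added example (written for this newsletter, not code from any of the affected projects or from OpenZeppelin) that puts the vulnerable transfer beside a hardened version and shows a self-transfer doubling the attacker's balance. The contract names, the 100-token initial supply and the PoC harness are all assumptions for illustration; the NFT bookkeeping that the real ERC-404 _update performs in the snipped section is omitted because it does not affect the bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal model of the ERC-404 fungible transfer path discussed above.
// Added example; not the code of any affected project.
contract CachedBalanceDemo {
    mapping(address => uint256) internal _balances;
    uint256 public totalSupply;

    // Assumption: the deployer starts with the entire (constructed) supply of 100.
    constructor() {
        _balances[msg.sender] = 100;
        totalSupply = 100;
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    // Vulnerable: both balances are read before either is written.
    // When from == to, toBalance is stale and the final write discards the debit.
    function transferVulnerable(address to, uint256 value) external {
        address from = msg.sender;
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];
        require(fromBalance >= value, "insufficient balance");
        _balances[from] = fromBalance - value;
        _balances[to] = toBalance + value; // overwrites the debit when from == to
    }

    // Hardened: debit first, then credit with a fresh storage read (OpenZeppelin style).
    // A self-transfer now nets to zero instead of minting out of thin air.
    function transferFixed(address to, uint256 value) external {
        address from = msg.sender;
        uint256 fromBalance = _balances[from];
        require(fromBalance >= value, "insufficient balance");
        _balances[from] = fromBalance - value;
        _balances[to] += value; // re-reads _balances[to] after the debit
    }
}

// PoC harness (assumption: deployed and run by the attacker) that performs a
// self-transfer of the full balance against each variant and reports the result.
contract SelfTransferPoC {
    function run() external returns (uint256 vulnerable, uint256 patched) {
        // This contract is msg.sender for the constructor, so it holds all 100 tokens.
        CachedBalanceDemo v = new CachedBalanceDemo();
        v.transferVulnerable(address(this), 100); // from == to
        vulnerable = v.balanceOf(address(this));  // 200 while totalSupply is still 100
        require(vulnerable > v.totalSupply(), "expected balance to exceed supply");

        CachedBalanceDemo f = new CachedBalanceDemo();
        f.transferFixed(address(this), 100);      // from == to
        patched = f.balanceOf(address(this));     // 100, supply invariant holds
        require(patched == f.totalSupply(), "expected supply invariant to hold");
    }
}
```

The supply-invariant check in the harness is the property to monitor for: after any transfer, the sum of balances must equal totalSupply, and a balance larger than the supply is an unambiguous signal that something like this has been exploited. Either re-reading storage on the credit, as in transferFixed, or an explicit require(from != to) check at the top of _update closes the hole.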
In addition to the compromises mentioned above, the premium section includes details on a total of 11 incidents this week, including Game, Particle, Dualpools, Loogn, xPet, and others, which resulted in the theft of $31.7M+.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Node vulnerabilities are rare, but can be really devastating. Be sure to check out Felix Wilhelm's write-up on the Ethereum Log Confusion bug in Polygon's Heimdall in the Research section. This could have been really bad!
In other news, Elizabeth Warren went all in on Bitcoin and honored Satoshi Nakamoto. Just kidding: a group of pranksters was having fun with the automated Capitol Flag Program.
This edition also features an extraordinary amount of fantastic research, new tools, the latest phishing techniques, and other happenings in the blockchain security ecosystem, so I don't feel as bad about releasing it a few days late. Enjoy :-)