SlowMist Weekly Security Report August 7 to 13
Weekly Recap: Web3 Security Incidents Result in Approximately $122 Million in Losses
According to data from SlowMist’s Hacked Archive, from August 7th to 13th, 2023, there were seven security incidents involving platforms like Cypher, Steadefi, STA, Blockchain Capital, Earning.Farm, certain MPC wallets, and Fetch.ai. Collectively, these incidents resulted in an estimated loss of $122 million, with the STA scam alone accounting for a staggering $120 million.
Cypher: On August 7th, 2023, Cypher, a decentralized exchange based on Solana, tweeted that it had been attacked. The assailant exploited an error related to isolated margin sub-accounts, allowing them to extract more funds than initially deposited. This resulted in a loss exceeding $1 million in assets, including 15,452 SOL and 149,205 USDC, among others. As of August 12th, Cypher announced a bounty program to track the hacker.
Steadefi: On August 8th, automated yield leveraged strategy platform Steadefi announced a security breach on Twitter. An attacker gained control of all the vaults (both lending and strategy) and initiated owner-only actions, jeopardizing user funds. According to MistTrack, Steadefi’s loss amounted to about $1.1 million, with the attacker converting and moving assets across various chains.
STA: On August 8, 2023, legal authorities in the state of Odisha, India, successfully cracked a cryptocurrency Ponzi scheme worth $120 million (10 billion rupees). Two key individuals behind the fraudulent operation have been apprehended. The scam project, named The Solar Techno Alliance (STA), employed terminologies related to green energy and solar technologies. Investigations revealed that, with the help of online members, STA swiftly attracted people to the scheme using various persuasive strategies and promises of profits. Over 10,000 participants from Odisha alone were involved. The probe indicated that STA had not obtained authorization from the Reserve Bank of India, the central bank, or other regulatory bodies to accumulate deposits.
Blockchain Capital: On August 9, 2023, the Twitter account of cryptocurrency venture capital firm, Blockchain Capital, was compromised. Multiple fraudulent tweets promoting a token scam were posted. These deceptive tweets have since been removed, and the account has been restored.
One of the phishing tactics used by the fraudsters was creating a deceptive URL. They added an extra ’n’ to imitate the original site (blockchaincapital), resulting in the fake website address: blockchainncapital. Unsuspecting users were lured into signing malicious transactions on this site, leading to the depletion of their funds. Furthermore, the scammers deactivated the comment section, attempting to prevent warnings from reaching potential victims.
In addition to this “add-a-letter” phishing strategy, there are even more deceptive tactics. The following example illustrates one of them:
The difference between the letters “ẹ” and “e” is subtle but significant. This form of phishing exploits Punycode, the ASCII encoding used for internationalized domain names, to register domains that appear nearly identical to genuine ones. Such deceptive domains can easily trap many unsuspecting users. It’s vital for users to double-check URLs carefully before clicking to avoid potential asset losses.
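The two lookalike patterns above, the inserted letter and the Punycode homoglyph, can both be caught before a user signs anything. This is an added example, not SlowMist’s tooling: it decodes xn-- labels, folds confusable letters such as “ẹ” back to their ASCII base, and compares the result against a constructed watch list of protected brand hostnames (the `example.com` entry and the `ẹxample.com` lookalike are constructed for the demonstration).

```python
import unicodedata

# Constructed watch list of hostnames a defender wants to protect.
BRANDS = ["blockchaincapital.com", "example.com"]

# Constructed homoglyph sample: 'ẹ' (U+1EB9) in place of 'e', as it would
# appear in a URL bar before the browser shows the Punycode form.
PUNYCODE_SAMPLE = "ẹxample.com".encode("idna").decode("ascii")  # xn--...

def to_unicode_host(host: str) -> str:
    """Decode an ASCII/Punycode hostname (xn-- labels) to its Unicode form."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains Unicode; use as given

def skeleton(host: str) -> str:
    """Fold confusables to plain ASCII: NFKD splits 'ẹ' into 'e' + U+0323,
    and the combining mark is then dropped."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one inserted 'n' separates blockchaincapital
    from blockchainncapital."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_domain(host: str, brands=BRANDS) -> list:
    """Return the reasons a hostname looks like a lookalike of a protected brand
    (empty list means no match against the watch list)."""
    uni = to_unicode_host(host)
    reasons = []
    if any(ord(c) > 127 for c in uni):
        reasons.append("non-ASCII characters (possible Punycode homoglyph)")
    skel = skeleton(uni)
    for brand in brands:
        dist = edit_distance(skel, brand)
        if dist == 0 and uni.lower() != brand:
            reasons.append(f"homoglyph of {brand}")
        elif 0 < dist <= 2:
            reasons.append(f"typosquat of {brand} (edit distance {dist})")
    return reasons
```

A wallet’s transaction-signing prompt or a browser extension can run `assess_domain` on the page origin and warn when the list is non-empty.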
Earning.Farm: On August 9, 2023, the DeFi project Earning.Farm suffered a reentrancy attack, resulting in a loss of 286 ETH (equivalent to approximately $530,000). According to an analysis by SlowMist, during withdrawal the attacker reentered the LP token’s transfer function and moved LP tokens out, so that the account balance was lower than the share value computed earlier. This triggered the logic that updates the share value, and the manipulated LP amount was written as the number of shares to burn. Consequently, far fewer LP tokens were burned than expected, which allowed additional funds to be withdrawn from the pool and transferred away from the LP.
MistTrack’s investigation revealed that on July 31, the attacker withdrew 10 ETH from Tornado Cash. Three minutes after this withdrawal, they deposited 5 ETH back into Tornado Cash in 5 separate deposits. As of now, the hacker has moved 292.64 ETH to a new EOA (Externally Owned Account) address (0x21d…173) and has not yet transferred them out.
MPC Wallets: On August 10, 2023, the cryptocurrency infrastructure company Fireblocks revealed a series of vulnerabilities, collectively referred to as “BitForge”, impacting a variety of popular crypto wallets that use Multi-Party Computation (MPC) technology. Fireblocks has classified BitForge as a “0 day” vulnerability. Coinbase, ZenGo, and Binance, the three companies most significantly affected by BitForge, have collaborated with Fireblocks to address and rectify these potential vulnerabilities. Left unchecked, these vulnerabilities could allow attackers and malicious insiders to swiftly drain funds from the wallets of millions of retail and institutional customers, all unbeknownst to the users or the providers.
On the same day, the founder of Binance, CZ, tweeted: “Fireblocks discovered a series of new vulnerabilities impacting MPC wallets that previously existed in Binance’s open-source TSS library. These have since been rectified. User funds remain unaffected.”
Fetch.ai: On August 13th, blockchain-based AI infrastructure project Fetch.ai stated that its official Discord server had been compromised through unauthorized access.
Other: We recently identified a severe vulnerability affecting cryptocurrency wallets that utilize Libbitcoin Explorer version 3.x. This vulnerability allows attackers to access the wallet’s private key by cracking the Mersenne Twister pseudorandom number generator (PRNG). Real-world damages stemming from this flaw have already been reported.
The vulnerability’s root lies in the PRNG implementation in Libbitcoin Explorer 3.x. This implementation employs the Mersenne Twister algorithm and uses only a 32-bit system time as its seed. Such a method allows attackers to brute-force a user’s private key within days. All users who have generated wallets using Libbitcoin Explorer 3.x, as well as applications that employ the libbitcoin-system 3.6 development library, are at risk. Notable cryptocurrencies known to be affected include Bitcoin, Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash, among others. Due to this flaw, attackers can gain access and control over user wallets, thereby stealing the contained funds.
Based on our analysis, as of August 2023, over $900,000 worth of cryptocurrency assets have been stolen due to this vulnerability. We strongly urge all users of Libbitcoin Explorer 3.x to cease using affected wallets immediately and transfer their funds to a secure wallet. Please ensure that you employ verified, safe random number generation methods when creating a new wallet.
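To make the weakness concrete, here is an added Python model of the flawed scheme (not libbitcoin’s code, and not its real key-derivation path): a Mersenne Twister is seeded with nothing but a 32-bit timestamp, so anyone who can bound a wallet’s creation time can enumerate every key it could have produced. The timestamp and window sizes are constructed; `secrets.token_bytes` shows the OS-entropy alternative the report recommends.

```python
import random
import secrets

def weak_key_from_time(unix_time: int) -> bytes:
    """Illustrative model of the flaw: the only entropy is a 32-bit time value,
    which seeds a Mersenne Twister (Python's random.Random is MT19937) whose
    output is used as a 256-bit key.  At most 2**32 keys can ever be produced."""
    rng = random.Random(unix_time & 0xFFFFFFFF)
    return rng.getrandbits(256).to_bytes(32, "big")

def weak_seed_space_bits() -> int:
    """The key space of the model collapses from 256 bits to the seed's 32 bits;
    a known creation window shrinks it further."""
    return 32

def seed_candidates_for_window(window_seconds: int) -> int:
    """Number of distinct keys possible if generation time is known to within
    window_seconds (one second of clock resolution per seed)."""
    return min(window_seconds, 2 ** 32)

def matches_weak_scheme(key: bytes, t_start: int, window_seconds: int):
    """Self-check for a wallet owner: does this key equal the model's output for
    any second in the candidate creation window?  Returns the seed if so."""
    for t in range(t_start, t_start + window_seconds):
        if weak_key_from_time(t) == key:
            return t
    return None

def strong_key() -> bytes:
    """The fix: 256 bits from the operating system CSPRNG, no time-based seed."""
    return secrets.token_bytes(32)

if __name__ == "__main__":
    created_at = 1691366400            # constructed: 2023-08-07 00:00:00 UTC
    key = weak_key_from_time(created_at)
    found = matches_weak_scheme(key, created_at - 3600, 7200)
    print("weak key traced to seed:", found)
    print("strong key traced to seed:",
          matches_weak_scheme(strong_key(), created_at - 3600, 7200))
```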
The most significant loss this week was due to the Ponzi scheme run by The Solar Techno Alliance (STA). Ponzi schemes promise high returns to attract investments, then use new investments to pay off earlier investors, creating an illusion of profitability. Most such schemes lack genuine investment activity, and the bulk of the “returns” ends up in the scammer’s pockets. Investors should be cautious of any offering that promises unusually high returns: if something seems too good to be true, it probably is. Stay vigilant and keep sharpening your ability to recognize potential risks.
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (Anti-Money Laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.