You can listen to this episode HERE
Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.
I, Degen - Episode 18 Summary - October 2nd-14th, 2022
It’s been another big week of hacks in crypto land, and depending on how you keep score, it might be the biggest ever. We saw multiple chains and bridges get hacked, price oracle manipulation, wallet exploits, etc. We look into the Binance bridge attack to Mango Markets, Sovryn, QANplatform, Sybil attacks on XEN, Temple DAO, and more.
I, Degen - Weekly Crypto, Security, & Other News Headlines of Interest
- Bongbong Marcos signs SIM Card Registration Act
- Cyber sleuth alleges $160M Wintermute hack was an inside job
- Why Celsius Doxxed Hundreds of Thousands of Users
- Hustler Casino Live discovers employee stole chips from Robbi after sketchy J4 hand
- Hacking Google Mini-series (6 EPs) gives a nice inside look into their security & incident response teams.
- Signal is secure, as proven by hackers
- Sleuth Discovers Satoshi’s Long-Lost Bitcoin Version 0.1 Codebase, Raw Code Contains Bitcoin Inventor’s Never-Before-Seen Personal Notations
- State-run live TV hacked by protesters
- @markrussinovich on ETH PoW
- Copy/Paste frontrunner bot is not what it seems (shockingly)
- “Probably better if we don’t treat random anon tweets like they’re reported facts.”
- Update on crypto.com accidentally sending user $10.47MM instead of $100, she’s out on bail awaiting trial
- Denver International Airport target in cyber-attack
- Tether freezes address with 3.4MM in USDT, bringing total frozen addresses to 215
- David Hoffman, Coin Center, and others suing US Treasury Department over Tornado Cash sanctions @TrustlessState
- New York changes gun buyback after seller gets $21,000 for 3D-printed parts
- A Quarter of SEC Employees Stock Invested in Firms Lobbying SEC
- Rabby Wallet Swap Exploit One Month After Launch @rabby_io
I, Degen - Weekly Crypto Hacks Deep Dive
1. October 6th - Binance Smart Chain Token Hub hack
BSC Token Hub, the BNB bridge between the old Binance Beacon Chain and BSC, now BNB Chain… was exploited into minting two lots of 1M BNB directly to the hacker’s address. - Rekt.news
In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse - @samczsun Twitter
When the BNB team halted the chain, approximately 90 mins after the second transaction, the hacker lost access to the ~$430M still on their BSC address. The hacker’s addresses were initially funded from ChangeNOW exchange.
- BNB Bridge hack ELI5 explained and visualised h/t -> @drdr_zz
- TechCrunch - Binance hit by $100 million blockchain bridge hack
2. October 4th, Sovryn Hack
~$1.1M was stolen from Sovryn, a “DeFi” protocol on the “Bitcoin smart contract network”, RSK
An attacker exploited the legacy Lend/Borrow protocol to inappropriately withdraw funds
The exploit manipulated the iToken price through a clever flashswap, loan, and lp combination.
The attacker manipulated iRBTC price so that they could take out much more RBTC than they initially deposited.
The attack was detected by Sovryn devs and the system placed into maintenance mode
Due to the multi-layered security approach taken, devs were able to identify and recover funds as the attacker was attempting to withdraw the funds.
Sovryn spokesperson Edan Yago said this is the first successful exploit against the protocol after two years of operation. He maintained that Sovryn is “one of the most heavily audited Defi systems,” with valuable and active bug bounties.
- Sovryn Interim Exploit Update - From Sovryn
- Sovryn Hack - From Rekt.news
- Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million - via CryptoPotato
3. October 3rd, Transit Swap update.
The hacker returned ~70%, or 18.9M, of what they stole from the cross-chain DEX after reports that security firms had doxxed hacker IPs. Later in the week, Transit began allowing users to claim stolen funds.
4. Around 22:00 UTC on October 11th, Mango Markets Gets Owned
Solana’s flagship margin trading protocol lost 9 figures to a well-funded market manipulator. The attacker managed to spike the price of Mango Markets’ native token MNGO and drain their lending pools, leaving the protocol with $115M of bad debt. - via rekt.news
- The team was warned about the potential for such an attack in March of 2022, more than six months ago.
- The attacker created a proposal to solve the problem they started, using their newly acquired fat stack of MNGO tokens (dao.mango.markets). As you might expect, the thread has become heated.
- And now we have a new proposal that has reached quorum.
5. TempleDAO, a yield-farming decentralized finance (DeFi) protocol, lost over $2.34 million (1830 ETH) to a hack on Oct. 11.
TempleDAO exploit results in $2M loss - Cointelegraph
The hack raises questions like, “how much more money is sitting out there easy for the taking?”
6. A security firm claims that the Paraswap deployer address was generated by Profanity
- Paraswap denies claim
- BlockSecTeam proceeds to generate a TX from the account as proof that the private key has been compromised.
- Either way, the deployer address has no power on the contract.
- Curve gets in the mix, as they were also accused, and pushes back:
When will some auditors stop reporting nonissues for hyping themselves?
h/t -> @vishal4c
The attacker deployed a contract to launch the attack on Oct. 10. They then used the FTX exchange hot wallet address to continuously transfer small amounts of ETH to the attack contract. Each transaction creates 1 to 3 subcontracts, and these then perform a mint to claim the XEN tokens. All of these are paid for by the FTX hot wallet address.
The project is also experiencing a Sybil attack, with 80% of participating addresses being Sybil addresses. – Sybil Attack WARNING–XEN Crypto
- XEN’s massive gas usage has been a large part of higher gas fees and recent gas burn?
8. On the 11th of October, 2022, the quantum-resistant QANplatform suffered a severe blow when the QANX Bridge deployer wallet was compromised.
…it was created using an open source vanity address calculation algorithm called cenut/vanity-eth-gpu which is a derivative of a compromised upstream project called johguse/profanity. - qanplatform medium
I, Degen - Freestyle Convo
Hunt’s update from Devcon VI
I, Degen - Personal Hack Attempt of the Week
Too many DeFi hacks this week. We’ll pick this up next week 💀
On the show I said I would link to a good site for removing approvals. Use Revoke Cash to remove any old approvals from your accounts.
We do our best to report accurately on the topics we discuss, but we’re not always going to get everything right. Please reach out to us @idegenfm, @WolfDeFi, @Hunthk11 with corrections or comments!