i-degen-banner-image

╠ Listen at idegen.fm ✪ Contact @idegenfm ✪ Show notes wolfdefi.com

You can listen to this episode HERE

Intro

Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.

I, Degen - Episode 18 Summary - October 2nd-14th, 2022

It’s been another big week of hacks in crypto land, and depending on how you keep score, it might be the biggest ever. We saw multiple chains and bridges get hacked, price oracle manipulation, wallet exploits, etc. We look into the Binance bridge attack to Mango Markets, Sovryn, QANplatform, Sybil attacks on XEN, Temple DAO, and more.

mango attack account screen shot

I,Degen - Weekly Crypto, Security, & Other News Headlines of Interest

  1. Bongbong Marcos signs SIM Card Registration Act
  2. Cyber sleuth alleges $160M Wintermute hack was an inside job
  3. Why Celsius Doxxed Hundreds of Thousands of Users
  4. Hustler Casino Live discovers employee stole chips from Robbi after sketchy J4 hand
  5. Hacking Google Mini-series (6 EPs) gives a nice inside look into their security & incident response teams.
  6. Signal is secure, as proven by hackers
  7. Sleuth Discovers Satoshi’s Long-Lost Bitcoin Version 0.1 Codebase, Raw Code Contains Bitcoin Inventor’s Never-Before-Seen Personal Notations
  8. State-run live TV hacked by protesters
  9. @markrussinovich on ETH PoW
  10. Copy/Paste frontrunner bot is not what it seems (shockinly)
  11. “Probably better if we don’t treat random anon tweets like they’re reported facts."--@haydenzadams 12.Update on crypto.com accidentally sending user $10.47MM instead of $100, she’s out on bail awaiting trial
  12. Denver International Airport target in cyber-attack
  13. Tether freezes address with 3.4MM in USDT, bringing total frozen addresses to 215
  14. David Hoffman, Coincenter, and others suing US Treasury Department over TornadoCash sanctions @TrustlessSTate
  15. New York changes gun buyback after seller gets $21,000 for 3D-printed parts
  16. A Quarter of SEC Employees Stock Invested in Firms Lobbying SEC
  17. Rabby Wallet Swap Exploit One Month After Launch @rabby_io

Rabby Wallet exloit tweet image

I,Degen - Weekly Crypto Hacks Deep Dive

1. October 6th - Binance Smart Chain Token Hub hack

BSC Token Hub, the BNB bridge between the old Binance Beacon Chain and BSC, now BNB Chain… was exploited into minting two lots of 1M BNB directly to the hacker’s address. - Rekt.news

In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse - @samczsun Twitter

When the BNB team halted the chain, approximately 90 mins after the second transaction, the hacker lost access to the ~$430M still on their BSC address. The hacker’s addresses were initially funded from ChangeNOW exchange.

2. October 4th, Sovryn Hack

~$1.1M was stolen from Sovryn, a “DeFi” protocol on the “Bitcoin smart contract network”, RSK

An attacker exploited the legacy Lend/Borrow protocol to inappropriately withdraw funds

The exploit manipulated the iToken price through a clever flashswap, loan, and lp combination.

The attacker manipulated iRBTC price so that they could take out much more RBTC than they initially deposited.

The attack was detected by Sovryn devs and the system placed into maintenance mode

Due to the multi-layered security approach taken, devs were able to identify and recover funds as the attacker was attempting to withdraw the funds.

Sovryn spokesperson Edan Yago said this is the first successful exploit against the protocol after two years of operation. He maintained that Sovryn is “one of the most heavily audited Defi systems,” with valuable and active bug bounties.

3. October 3rd, Transit Swap update.

Hacker returned~70%, or 18.9M that they stole from the cross chain DEX after reports that security firms had doxxed hacker IPs. Later in the week, Transit began allowing users to claim stolen funds.

More from coindesk and link to hack breakdown from SlowMist

4. Around 22:00 UTC on October 11th, Mango Markets Get Owned

Solana’s flagship margin trading protocol lost 9 figures to a well-funded market manipulator. The attacker managed to spike the price of Mango Markets’ native token MNGO and drain their lending pools, leaving the protocol with $115M of bad debt. - via rekt.news

  • The team was warned about the potential for such an attack in March of 2022, more than six months ago.
  • The attacker created a proposal to solve the problem they started using their newly acquired fat stack of MNGO tokens dao.mango.markets. As you might expect, the thread has become heated.
  • and now we have a new proposal that has reached quorum

5. TempleDAO, yield-farming decentralized finance (DeFi) protocol, lost over $2.34 million (1830 ETH) to a hack on Oct. 11.

-- 0xfoobar Tweet

TempleDAO exploit results in $2M loss –Cointelegraph

The hack raises questions like, “how much more money is sitting out there easy for the taking?”

6. A security firm claims that Paraswap deployer address was generated by Profanity

  • Paraswap denies claim
  • BlockSecTeam proceeds to generate a TX from the account as proof that the private key has been compromised.
  • Either way, the deployer address has no power on the contract.
  • Curve gets in the mix, as they were also accused, and pushes back:

When will some auditors stop reporting nonissues for hyping themselves?

7. RIP XEN - Someone abused FTX’s withdrawal fee subsidy to mint $70,000 of XEN

h/t -> @vishal4c

The newly launched XEN Crypto is down 39% in the last 24 hours after a user found a way to mint over 100 million tokens on FTX without paying any gas fees.

The attacker deployed a contract to launch the attack on Oct. 10. They then used the FTX exchange hot wallet address to continuously transfers small amounts of ETH to the attack contract. Each transaction creates 1 to 3 subcontracts, and these then perform a mint to claim the XEN tokens. All of these are paid for by the FTX hot wallet address.

The project is also experiencing a Sybil attack, with 80% of participating addresses being Sybil addresses. – Sybil Attack WARNING–XEN Crypto

  • XEN’s massive gas usage has been a large part of higher gas fees and recent gas burn?

8. On the 11th of October, 2022, the quantum-resistant QANplatform suffered a severe blow when the QANX Bridge deployer wallet was compromised.

…it was created using an open source vanity address calculation algorithm called cenut/vanity-eth-gpu which is a derivative of a compromised upstream project called johguse/profanity. - qanplatform medium

QAN faq from hack article

@QANplatform

QANX token collapse after wallet hack

I, Degen - Freestyle Convo

Hunt’s update from Devcon VI

I, Degen - Personal Hack Attempt of the Week

Too many DeFi hacks this week. We’ll pick this up next week 💀

On the show I said I would like to a good site for removing approvals. Use Revoke Cash to remove any old approvals from your accounts.

We do our best to report accurately on the topics we discuss, but we’re not always going to get everything right. Please reach out to us @idegenfm, @WolfDeFi, @Hunthk11 with corrections or comments!