Security Pills - Issue 15
Prototype Pollution Primer, Ethereum PoS and PoW Security, How to Hack Crypto Exchange Wallets
Release Date: 3rd October 2022 | Issue: 15 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋,How is it going? Hope you had a great weekend! For this week's newsletter we have included two articles providing a thorough overview on 'The Merge' and what changes will bring in terms of security the transition between Proof of Work (PoW) to Proof of Stake (PoS).The cross-chain DEX aggregator Transit Swap has suffered an attack causing a monetary loss of $23 millions and there have been some allegations on the recent attack occurred to the Wintermute project, claiming it could have been an inside job.But I don't want to spoil all the fun to you, so please enjoy this week's newsletter 🚀!
Articles: Introducing ASNMap: Go Tool for Speedy Reconnaissance Using ASN Data, WireSocks for Easy Proxied Routing, Diving Into Electron Web API Permissions, Experiencing the Merge, Ethereum PoS and PoW Security, How to Hack Crypto Exchange Wallets, Our Short Analysis of the Accusation of the Wintermute Project.
Vulnerabilities and Bug Bounties: Prototype Pollution Primer for Pentesters and Programmers, Worldwide Server-Side Cache Poisoning. on All Akamai Edge Nodes, cETH Price Feed Incident: Post-Mortem Governance Process, Gnosis Guild DAO Proposal Attack Analysis, A PoC of the Hundred Finance Heist, Aurora Improper Input Sanitization Bugfix Review, Stealing Gas Tokens from the GSN-Enabled MultiSig, Cross-chain DEX Aggregator Transit Swap Hacked Analysis.
Videos: Smart Contract Security / Solidity Security, SmartCon 2022, Web3 Data Guide, Google CTF Finals 2022, Google Hacking Series: Operation Aurora, Threat Analysis Group, Detection and Response, Red Team.
Repositories: dnsReaper, move-prover-examples, paradigm-ctf-2022, Web3-Graveyard, smart-contract-storage-viewer.
Podcasts: Malicious Life Ep.187: What it's Like to Fight LulzSec, Epicenter Ep. 346: The Evolution of Smart Contract Security.
Tags used in this issue: #appsec, #ctf, #smart-contracts
Introducing ASNMap: Go Tool for Speedy Reconnaissance Using ASN Data #appsecASNmap is a CLI tool written in Golang, and used to query Autonomous System Data. The data is pulled from api.asnmap.sh, which returns data that is parsed from the well-known IPtoASN database.
WireSocks for Easy Proxied Routing #appsecMichael Kruger has built some infrastructure that can be deployed and used to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. Something convenient in cases where it would be nicer to have a full network route to a target network instead of just having application specific proxy rules.
High level architecture diagram for WireSocks
Diving Into Electron Web API Permissions #appsecWhen a Chrome user opens a site on the Internet that requests a permission, Chrome displays a large prompt in the top left corner. The prompt remains visible on the page until the user interacts with it, reloads the page, or navigates away. The permission prompt has Block and Allow buttons, and an option to close it. On top of this, Chrome 98 displays the full prompt only if the permission was triggered “through a user gesture when interacting with the site itself”. These precautionary measures are the only things preventing a malicious site from using APIs that could affect user privacy or security.
Google Chrome permission prompt
This article from Doyensec explores how Electron implement various permission checks to compare Electron's behavior to that of Chrome and determine how a compromised renderer process may be able to abuse web APIs.
Experiencing the Merge #smart-contractsThe Ethereum Merge took place a couple weeks ago, with the main purpose of moving from the blockchain Proof of Work (PoW), the original block production consensus mechanism, to Proof of Stake (PoS). This article details the reasons and how this merge was produced and what's next for Ethereum.
Ethereum PoS and PoW Security #smart-contractsThe merge to proof-of-stake brings security, sustainability and scalability benefits, but on the other hand the complexity of the client software will grow and so will the protocol's potential attack security. Participating in securing the Ethereum blockchain currently requires running a single piece of software, but after "the merge" it will require three (execution client, consensus client , and the validator). This article from Beosin introduces the consensus-level attacks that may occur after Ethereum Merge.
How to Hack Crypto Exchange Wallets #smart-contractsIn this article, the author details how to spot a vulnerability when transferring funds between spot and futures wallets, by messing with the transfer amount that will incorrectly round the number. By doing this right, you may be able to increase the number of assets without limits draining the funds available.This attack is possible because of the rounding issue. Decimal numbers contain no more than 10 digits. Any number below 0,000000005 is fewer than a minimum requirement. As such, it will be rounded to the nearest available number.
How amounts are rounded
Our Short Analysis of the Accusation of the Wintermute Project #smart-contractsFew days ago James Edwards published an article called Analysis of the Wintermute Hack: An Inside Job, where the author claimed that the recent hack to the Wintermute Project caused by the use of vanity addresses was in reality an inside job. The BlockSec Team seems to do not agree with this as they believe the accusations made by James are not solid as the author has claimed, publishing this short analysis on why they believe it was a real hack. Whatever may have happened here, these two articles are a good exercise to revisit a notorious heist and discover how it was executed.
Worldwide Server-Side Cache Poisoning on All Akamai Edge Nodes #appsecJacopo Tediosi and Francesco Mariani found a HTTP Smuggling Vulnerability after using a special header named 'hop-by-hop':
Attack flow that caused the HTTP smuggling vulnerability
cETH Price Feed Incident: Post-Mortem Governance Process #smart-contractsOpenZeppelin has conducted a post-mortem to provide a summary of the incident that temporarily disrupted the price feed to the Compound V2 ETH market. This incident started with the execution of Proposal 117 2 to upgrade the oracle mechanism and ended with the execution of Proposal 119 2 which resolved the issue by reversing the upgrade.
Gnosis Guild DAO Proposal Attack Analysis #smart-contractsOn the 28th of September, 2022, There was an attack on the Gnosis Guild Reality Module (DAO Module). The main cause of the attack was malicious proposals that the attacker first proposed and then pushed for execution. This article from QuillAudits is a review on how the attack was executed.
A PoC of the Hundred Finance Heist #smart-contractsHundred Finance and Agave, lending protocols on the Gnosis Chain, were hit by reentrancy attacks on March 15 this year. These attacks drained the protocols of all collateral. In this article, Immunefi explores the attack that took place on Hundred Finance, digging deep to find the vulnerability that was exploited, and creating a proof of concept (PoC) to demonstrate how the attack worked.
Aurora Improper Input Sanitization Bugfix Review #smart-contractsOn June 10, an anonymous whitehat submitted a critical improper input sanitization vulnerability to Aurora via Immunefi. This article provides some details on the Aurora Engine and dives into the vulnerability that was reported and how it has been fixed by the Aurora team.
Stealing Gas Tokens from the GSN-Enabled MultiSig #smart-contractsOne of the challenges in the Paradigm CTF was 'electric-sheep', a real contract deployed on the main-net which could be exploited. Although there was no real impact because the contract was abandoned, and the tokens were worthless. This article details the process followed by Beched from Decurity to identify the security vulnerability affecting this contract and successfully exploiting it.
Cross-chain DEX Aggregator Transit Swap Hacked Analysis #smart-contractsOn October 2, 2022, The cross-chain DEX aggregator Transit Swap project was attacked, resulting in unexpected transfers of user assets. This article from the SlowMist security team analyzes the attack which was estimated to have caused a loss of $23 millions.
🙏 Support us
Smart Contract Security / Solidity Security — Peter Robinson gives his perspectives on security, discussing the difference between Ethereum Client, EVM, ABI and Solidity. Top level application security, and solidity security, and also how to change the bytecode of a deployed contract without using proxies. The slides can be found here.
SmartCon 2022 — A central hub for finding all SmartCon 2022 virtual content as it's released, from livestream recordings to keynotes, panels, product demos and more.
Web3 Data Guide: Sudoswap NFT AMM (SQL on Ethereum) — Andrew Hong covers the main protocol interactions (creating a pair, managing liquidity, swapping through pairs) and how to pull and transform data on Ethereum using Dune Analytics, a SQL query and dashboard creation platform. We also use dbt and github to build materialized aggregation tables.
Google CTF Finals 2022 — Google created a Capture the Flag (CTF) contest (Hackceler8) were different teams competed to hack a video-game speed-run.
EP00: Operation Aurora — An inside look at the historic attack where Google’s network was breached by a foreign government trying to access the Gmail accounts of human rights activists. In the wake of the breach, Google revolutionized its approach to security - overhauling everything and developing highly specialized teams of elite experts to stay ahead of the ever-evolving threat landscape.
EP01: Threat Analysis Group — Equipped with custom Google Search algorithms and a digital library of the most malicious exploits, the Threat Analysis Group has helped stop some of the most insidious and consequential threats to Google, its users, and the internet at large. Their deep understanding of attackers helps keep billions of users safe.
EP02: Detection and Response — When Google’s Detection and Response Team discovers an attacker, they have to be swift and precise. In 2021, they identified unusual network activity, dropped in, isolated the attacker, and booted them off the network – extinguishing a digital fire before it could cause any damage.
EP03: Red Team — Go behind the scenes with the Red Team, the elite hackers dedicated to attacking Google’s own network. They sneak into buildings, launch phishing campaigns, and distribute malware across the company. Countless crucial protections have been created in response to the Red Team’s relentless assault on Google’s products.
punk-security/dnsReaper — DNS Reaper is yet another sub-domain takeover tool, but with an emphasis on accuracy, speed and the number of signatures in our arsenal.
Zellic/move-prover-examples — An example-based guide to getting started with the Move prover.
paradigmxyz/paradigm-ctf-2022 — Paradigm CTF is a Web3 focused security competition organized by paradigm. The files for this year CTF have been released, along with the solutions to solve each challenge.
razzor-codes/Web3-Graveyard — A database of past Web3 hacks
tintinweb/smart-contract-storage-viewer — Smart Contract Storage Viewer, DataType Guesser, Toolbox & Transaction Decoder
Malicious Life Ep. 187: What it's Like to Fight LulzSec — The name Lulzsec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity. As their name implies, Lulzsec was known for trolling their victims: their childish behavior might have fooled some people into thinking that Lulzsec was mostly harmless - but as the story you’re about to hear will show, they were anything but.
Epicenter Ep. 346: The Evolution of Smart Contract Security — Interview to Dan Guido from Trail of Bits, where he discusses the unique challenges for security on blockchain and smart contract protocols, smart contract languages and security, working with upgradeable contracts and few other topics.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.