Security Pills - Issue 20

The OpenSSL Punycode Vulnerability, Analyzing an MEV Bot's Arbitrage on Ethereum, DAO Voting Vulnerabilities

Release Date: 7th November 2022 | Issue: 20

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

📢 Join Cobalt's Community of Freelance Pentesters Today!

Web Socket Vulnerabilities — This blog will help you understand what WebSockets are, how they work, the most common security vulnerabilities and how you can avoid them.

Hey there,

Hope you all had a great weekend! Looks like October has been a pretty busy month, with a total of 25 security incidents causing a monetary loss of $980 million, an increase of nearly 430% compared to September. We have included some of the most notorious hacks in this week's newsletter, don't wait to get spoiled!

Enjoy it!

  • Articles: Autofixing Code with Semgrep, How to Proxy Xamarin Mobile Apps, Analyzing an MEV Bot's Arbitrage on Ethereum, Ethereum's New 'Staking' Model Does not Make ETH a Security, Front Running and Sandwich Attack Explained, The Beginners Guide to Testnets, Uniswap v3 TWAP Oracles in Proof of Stake, Introduction to ERC Token Standards.

  • Vulnerabilities & Bug Bounties: Checkmk: Remote Code Execution by Chaining Multiple Bugs, Exploiting Java's XML Signature Verification, The OpenSSL Punycode Vulnerability, Exploiting Static Site Generators: When Static Is Not Actually Static, DAO Voting Vulnerabilities, Altava Bug Report, Reentrancy Attacks on Smart Contracts Distilled, Decoding Skyward Finance Smart Contract Vulnerability, Decoding Team Finance Contract Vulnerability, Decoding Melody Vulnerability, Medjai: Protecting Cairo Code from Bugs, BribeV2 Vulnerability Disclosed.

  • Resources:

    • Videos: LiveOverflow: Server Griefed and New Beginnings, Security in the Web3 Industry, Finding High-Value Vulnerabilities with Program Analysis.  

    • Repositories: Rustle, EkoParty Proof of Hack Challenges, Amarna, Medjai

    • Podcasts: Darknet Diaries: Maddie

  • Tags used in this issue: #blockchain, #mobile, #sast, #smart-contracts

Analyzing an MEV Bot's Arbitrage on Ethereum #blockchain

A technical breakdown of how an MEV bot's arbitrage works on Ethereum, using a transaction from June 2022 that involved an arbitrage between different pools across Uniswap V2 and Uniswap V3.

Ethereum's New 'Staking' Model Does not Make ETH a Security #blockchain

In the wake of Ethereum’s transition to a proof-of-stake consensus mechanism, various commentators have suggested that Ethereum’s new staking model could result in its native token Ether being deemed a security under U.S. securities laws. However, Ethereum's adoption of a proof-of-stake consensus mechanism does not make ETH an investment contract.

Front Running and Sandwich Attack Explained #blockchain

Article from QuillAudits explaining how front running and sandwich attacks work, using practical examples.

The Beginners Guide to Testnets #blockchain

Blockchain testnets are essential tools in the development and deployment of decentralized projects and cryptocurrencies. They enable teams to deploy their protocols in a risk-free environment in which users can provide valuable independent feedback and teams can check whether their code functions as intended.

This quick guide demystifies testnets and gives some insight into why they are so crucial to the success of the blockchain ecosystem.

Uniswap v3 TWAP Oracles in Proof of Stake #blockchain

When building smart contracts that integrate with DeFi protocols, developers inevitably run into the oracle problem. Uniswap v2 enabled developers to build highly decentralized and manipulation-resistant on-chain price oracles - time-weighted average price (TWAP) oracles - to help solve many of the demands necessary for building robust protocols. Uniswap v3 expanded this with added calculation and gas efficiency of TWAP oracles.

Introduction to ERC Token Standards #blockchain

This article aims to help you understand some of the improvements made to the ERC token standards, as well as the problems the Ethereum community has been working on solving.

How to Proxy Xamarin Mobile Apps #mobile

Xamarin is a cross-platform tool for building iOS and Android mobile applications, and it is becoming more and more common as an app building tool. By default, all apps built in Xamarin ignore the proxy settings that are set on the mobile device. A critical part of performing any testing on mobile applications is viewing and modifying requests before they reach the server. This article explores a very simple bypass that gets around these proxy settings with a few commands.

Autofixing Code with Semgrep #sast

Nat Mote has written an article explaining why AST-based autofix is better than text-based autofix and how Semgrep implements AST-based autofix to improve correctness.

Checkmk: Remote Code Execution by Chaining Multiple Bugs #appsec

Checkmk is a modern IT infrastructure monitoring solution developed in Python and C++. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors.

Figure: Architecture of Checkmk

Sonar conducted research that identified multiple vulnerabilities in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.

Gregor Samsa: Exploiting Java's XML Signature Verification #appsec

This post discusses CVE-2022-34169, an integer truncation bug in the JIT compiler used in Java's standard library, resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.

The OpenSSL Punycode Vulnerability (CVE-2022-3602) #appsec

On November 1, 2022, the OpenSSL Project released a security bulletin detailing a vulnerability they deemed high severity. The vulnerability is a memory corruption bug that can be triggered when a vulnerable client or server validates an X.509 certificate. A specially crafted email address abusing non-ASCII codepoints in a client or server certificate could exploit this vulnerability to achieve denial of service (DoS) or remote code execution (RCE).

Exploiting Static Site Generators: When Static Is Not Actually Static #appsec

In this article, Shubham Shah from AssetNote writes about a vulnerability found in Netlify's IPX library, which resulted in persistent cross-site scripting across hundreds of thousands of Netlify websites that were using Next.js.

DAO Voting Vulnerabilities #blockchain

A decentralized autonomous organization (DAO) operates on a blockchain and is governed by voting. Coin voting is the most popular form: a member of a DAO makes a proposal and other coin holders cast their approval with tokens. When the proposal's quorum is reached, its script can be executed. This article examines technical vulnerabilities that may arise in coin voting.

Altava Bug Report #smart-contracts

Riley Holterhus (@rileyholterhus) writes about a vulnerability in the Merkle distribution algorithm implemented by the ALTAVA team, which could have cost them $300,000 at the time.

Reentrancy Attacks on Smart Contracts Distilled #smart-contracts

@officer_cia continues his series of educational articles, this time writing about the reentrancy attack, one of the attacks that used to be very common in smart-contract-based Web3 projects but has recently been relegated to the background.

Decoding Skyward Finance Smart Contract Vulnerability #smart-contracts

On November 02, 2022, Skyward Finance was exploited and lost over 1.08 million $NEAR tokens worth approximately $3.2 million. The vulnerability was caused by a lack of checks and parameter validation in one of the smart contract's functions.

Decoding Team Finance Contract Vulnerability #smart-contracts

On October 27, 2022, Team Finance was exploited for approximately $14.5 million worth of tokens. The root cause of this vulnerability was a lack of proper validation in the contract's function, which allowed a fake token to be added to the contract and then used as a parameter to migrate the tokens from the pool.

Decoding Melody Vulnerability #smart-contracts

On October 25, 2022, Melody was hacked due to a vulnerability that allowed the application's token address to be compromised, resulting in the loss of approximately 2225 $BNB tokens.

Medjai: Protecting Cairo Code from Bugs #smart-contracts

Medjai is a symbolic execution tool for finding bugs in Cairo programs. This article provides a quick overview of the programming language and uses Medjai to uncover an old security issue in the OpenZeppelin _mint function.

BribeV2 Vulnerability Disclosed #smart-contracts

During a routine check, irregularities were discovered in the amount of SPELL bribes being claimed by some users of the BribeV2 contract. Following analysis, it was determined that an attacker was exploiting a flaw in the way the contract calculates bribe allocations. The attacker was found to have exploited this since September 2021, tricking the contract into awarding them higher allocations than they deserved for the actual weight they contributed to a gauge.

🙏 Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

🎥 Videos

⌨️ Repositories

  • blocksecteam/Rustle — A static analyzer for NEAR smart contracts in Rust.

  • Proof-Of-Hack-Protocol/challenges — This is a simple experiment of the Proof of Hack Protocol. It's a mix between classical blockchain challenges and new ones.

  • crytic/amarna — Amarna is a static analyzer and linter for the Cairo programming language.

  • Veridise/Medjai — A Symbolic Execution Tool for Cairo.

🎙️ Podcasts

  1. Darknet Diaries Ep. 127: Maddie — Maddie Stone is a security researcher for Google’s Project Zero. In this episode we hear what it’s like battling zero day vulnerabilities.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
@0xroot | @secpillsnews