Security Pills - Issue 21
Earn $200k by Fuzzing for a Weekend, Decoding brahTOPG Smart Contract Vulnerability, Deribit's $28 Million Hot Wallet Hack
Release Date: 14th November 2022 | Issue: 21 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
SponsorWould you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart-contracts while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there,Hope you all had a great weekend! At this point you must be already aware of the drama around FTX and Alameda. Rekt has written an excellent article describing the current situation and how we have arrived to this point. In other news, it is rare to read these days about exchanges getting hacked because their wallets have been compromised, unfortunately that has been the case for Deribit, who got drained $28 USD millions from their hot wallets. No announcement has been made yet, could we be talking of an inside job?Also, DXFinance got hacked through a reentrancy attack using their own flash loan function, causing a total loss of $4 millions. But let's not spoil the party, enjoy today's issue!
Articles: Technical Analysis of Optus API Security Challenge, FTX - Yikes, Fake Airdrops Fake Wallets and Now Fake Exchange Apps, Auditing Projects on the NEAR Blockchain, Earn $200k by Fuzzing for a Weekend, Security Practices in Move Development, Detecting Smart Contract Vulnerabilities with Static Analysis, Cairo Contracts Overview, Exposing Merkle Trees and Cryptographic Proofs, AntFuzzer: A Grey-Box Fuzzing Framework for EOSIO Smart Contracts, Ethereum Merge Scams: How Scammers Took Advantage of The Ethereum Merge to Make Millions, The Unisawp Standard: From Zero to Mastery.
Vulnerabilities & Bug Bounties: Checkmk: Remote Code Execution by Chaining Multiple Bugs, Practical Client Side Path Traversal Attacks, Compromising Plesk via its REST API, Shennina Framework: Automating Host Exploitation with AI, Decoding brahTOPG Smart Contract Vulnerability, Hack Analysis: Cream Finance Oct. 2021, DFX Finance US$4 Million Smart Contract Analysis, Derbit's $28 Million Hot Wallet Hack, SoK: Not Quite Water under the Bridge: Review of Cross-Chain Bridge Hacks.
Videos: DEF CON 30: Exploitation in the Era of Formal Verification, Security Conversations: Robinhood CSO. Caleb Sima on a career in the security trenches, Chainlink Fall 2022 Hackathon, Immunefi Hacker Hangout: Merkle Trees.
Repositories: web3-decoder, katana, torn-detector, shennina, impersonator.
Podcasts: Security Conversations Ep. 88
Tags used in this issue: #appsec, #blockchain, #evm, #smart-contracts
Technical Analysis of Optus API Security Challenge #appsecArticle that summarizes all the submissions to address the three security controls required to solve the Optus API secure programming challenge.
FTX - Yikes #blockchainAt this point you may be already aware of the FTX and Alameda situation, but if not, this article from Rekt provides some highlights on what happened this past week.
Fake Airdrops, Fake Wallets, and Now Fake Exchange Apps #blockchainSlowMist analyzes how scammers are providing modified versions of known exchange applications to steal users their funds.
Ethereum Merge Scams: How Scammers Took Advantage of The Ethereum Merge to Make Millions #blockchainMerge-related scams took in $1.2 million worth of Ether shortly before, during, and after the Merge took place on September 15, and briefly became the dominant scam type in the Ethereum ecosystem. This article from Chainalysis examines this trend more in-depth, and also look at who was most impacted.
Ethereum Scam Revenue
Earn $200k by Fuzzing for a Weekend Pt. 1 | Pt. 2 #evmAddison Crump writes on how applying well-known fuzzing techniques in the Solana rBPF (a Rust virtual machine and JIT compiler for eBPF programs) ended up with a resource exhaustion and a persistent .rodata corruption issues, granting him a total of $200,000 in bounties.
Security Practices in Move Development Pt. 1 #smart-contractsBlocksec has started a new series of articles on the Move programming language to provide secure development practices through examples, explanations and best security practices.
Detecting Smart Contract Vulnerabilities with Static Analysis #smart-contractsVeridise writes on three examples of common smart contract vulnerabilities (Reentrancy, Flash Loan and Arithmetic Over- and Under-flow) and explain how static analysis can help detect them.
Flash Loan process
Cairo Contracts Overview #smart-contractsCairo is a programming language for writing provable programs, where one party can prove to another one that a certain computation has been executed correctly. Cairo contracts are just like Solidity contracts. They are stateful, can be deployed and interacted with, and exist inside blocks chained together. This article from MixBytes provides a deep dive into Cairo Contracts and what security vulnerabilities can be identified in its smart contracts.
The Uniswap Standard, From Zero to Mastery #smart-contractsThe Uniswap protocol was launched on November 2, 2018 to test the effectiveness of Automated Market Makers (AMMs). Since then, hundreds of Decentralized Exchanges (DEXs) have built upon the original founding concepts that made early DEXs so great. The theories that the Uniswap AMM makes use of are found all over the Decentralized Finance (DeFi) ecosystem.
Understanding how tokens are accurately and safely swapped between users is of utmost importance whether you are designing a new DEX, forking an existing one, or learning how to exploit them.
Exposing Merkle Trees and Cryptographic Proofs #smart-contractsIn the smart contract setting, Merkle Trees are commonly used for allow-lists and for providing an additional layer of anonymity. This article from haruxe provides a detailed explanation on how this cryptography-related data structure works by using OpenZeppelin's implementation as an example.
Merkle Tree Diagram
AntFuzzer: A Grey-Box Fuzzing Framework for EOSIO Smart Contracts #smart-contractsIn the past few years, several attacks against the vulnerabilities of EOSIO smart contracts have caused severe financial losses to this prevalent blockchain platform. As a lightweight test-generation approach, grey-box fuzzing can open up the possibility of improving the security of EOSIO smart contracts. However, developing a practical grey-box fuzzer for EOSIO smart contracts from scratch is time-consuming and requires a deep understanding of EOSIO internals. In this work, the authors propose AntFuzzer, the first highly extensible grey-box fuzzing framework for EOSIO smart contracts.
Checkmk: Remote Code Execution by Chaining Multiple Bugs Pt. 2 #appsecThis is the second of three articles in the Checkmk - Remote Code Execution by Chaining Multiple Bugs series. In this article, Sonar Source has a more detailed look at the LQL interface and derive the impact of an attacker's ability to forge arbitrary queries and more.
Exploitation chain to achieve RCE
Practical Client Side Path Traversal Attacks #appsecA writeup by Mr. Medi on how to combine a path traversal attack and an open redirect vulnerability to force the vulnerable application into loading a malicious CSS file and exfiltrate sensitive information from the affected target.
Decoding brahTOPG Smart Contract Vulnerability #smart-contractsOn November 9, 2022, the TopGear vault of Brahma (brahTOPG) project was attacked, in which the hacker was able to steal more than $89,000 USDC.
Hack Analysis: Cream Finance Oct. 2021 #smart-contractsCream Finance experienced a major exploit on October 27, 2021, resulting in a loss of $130m in available liquidity. This article provides an explanation on the vulnerability that affected the protocol and provides a proof of concept to recreate the issue.
DFX Finance US$4 Million Smart Contract Attack Analysis #smart-contractsA reentrancy attack on the DFXFinance which caused the exchange protocol a loss of $4 USD millions.
Funds transferred between accounts
Deribit's $28 Million Hot Wallet Hack Analysis #smart-contractsEarlier in November, the Deribit Exchange was hacked for $28 USD millions. The attacker compromised Deribit's BTC, ETH, and USDC hot wallets (no official announcement has been made by Deribit about how these wallets were compromised) draining all the funds available. Quill Audits provides in this article an analysis on how the attacker moved the funds and how this attack could have been prevented.
SoK: Not Quite Water Under the Bridge: Review of Cross-Chain Bridge Hacks #smart-contractsIn this paper, the authors provide a high level breakdown of components in a bridge and the different processes for some bridge designs. In doing this, the identify risks associated with bridge components, and then analyze past exploits in the blockchain ecosystem that specifically targeted bridges.
🙏 Support us
Security Conversations: Robinhood CSO Caleb Sima on a career in the security trenches — Caleb Sima is a cybersecurity lifer now responsible for security at Robinhood, a mobile stock trading platform. Caleb joins Ryan on the show to discuss the early hacking scene in Atlanta, building SPI Dynamics in a webapp security powerhouse, the evolution of attack surfaces, the CISO's changing priorities, and more.
Chainlink Fall 2022 Hackathon — From the latest Web3 developer tools and frameworks to introductory videos on building DeFi and NFT applications, this Chainlink Fall 2022 Hackathon YouTube playlist is your guide to getting started as a Web3 dev.
nccgroup/web3-decoder — Web3 Decoder is a Burp Suite Extension that allows to decode “web3” JSON-RPC calls that interact with smart contracts in a EVM blockchain.
projectdiscovery/katana — A next-generation crawling and spidering framework.
pcaversaccion/torn-detector — Detect if a contract has been deployed in the latest (or predefined) block from an address that was previously funded through Tornado.Cash.
mazen160/shennina — Automated host exploitation framework using artificial intelligence.
Hephyris/Immuni-4-CREAM — PoC that recreates the CREAM yUSD hack occurred on October 2021.
Impersonator — Impersonate any Ethereum account and login into DApps via WalletConnect.
Security Conversations Ep. 88 — JAG-S on big-game malware hunting and a very mysterious APT.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email, I'd love to get in touch with you.