Security Pills - Issue 26
Ethereum Smart Contract Auditor's 2022 Rewind, Decentralized Identity Attack Surface, SushiSwap Kashi Vulnerability Disclosed
Release Date: 19th December 2022 | Issue: 26 | Subscribe
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor: Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey there 👋, hope you all had a great weekend! It has been a really quiet week with no major hacks, other than the price oracle manipulation exploit affecting Lodestar Finance. Ventral Digital has prepared a rewind for 2022 collecting all the major smart contract vulnerabilities and exploits around the Ethereum ecosystem, an absolute must-read for this week. But that's not all: this week's newsletter includes really interesting research articles discussing arbitrary messaging bridges and the attack vectors that may affect decentralized identities. Make sure you check them out! Last but not least, I would like to share with you Mike Privette's newsletter, 'Security, Funded'. If you are interested in which companies are getting acquired or funded, I highly recommend checking it out. I've been reading it since we started our very own newsletter and have been amazed by the work that he puts together every week. You can subscribe here. Enjoy today's newsletter and stay safe out there!
Vulnerabilities & Bug Bounties: I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS, Exploiting API Framework Flexibility, Missing Bricks: Finding Security Holes in LEGO APIs, Unusual Cache Poisoning Between Akamai and S3 Buckets, Exploiting OnlyOffice Web Sockets for Unauthenticated Remote Code Execution, Apple XAR Directory Traversal Vulnerability, REKT Lodestar Finance, Analyzing Elastic Swap Hack, Nimbus Platform Flash Loan Attack, Royalty Fee Limit of NFT Marketplace Bypass via EIP-2981, SushiSwap Kashi Vulnerability Disclosed, Message Traps in the Arbitrum Bridge.
Videos: Command-Line-Data-Wrangling by Tomnomnom, The War on Code: Investigating the Tornado Cash Sanctions and the Arrest of Alexey Pertsev, The State of Bridge Security with Immunefi & LI.FI, 12 Days of Dune (Uniswap).
Repositories: j1nuclei, learn-evm-attacks, Blockchain-Security-Audit-List, Security and Privacy.
Podcasts: Darknet Diaries Ep. 130: Jason's Pen Test.
Tags used in this issue: #appsec, #amb, #blockchain, #did, #smart-contract
Automating Nuclei with JupiterOne (#appsec): JupiterOne has released j1nuclei, an open-source tool to automate vulnerability scanning. j1nuclei is a Python module that relays information between JupiterOne and Nuclei. It automates the extraction of vulnerability scanning targets, runs Nuclei, and brings the findings back into JupiterOne. The results can later be analyzed using the JupiterOne query language (J1QL) or JupiterOne Insights dashboards.
The Secrets of Automation-kings in Bug Bounty (#appsec): Jason Haddix explores in this article how to find 1-day web exploits that haven't made their way into scanners yet, and how this can be the key to success in the bug bounty industry when using tools like Nuclei and Jaeles.
Navigating Arbitrary Messaging Bridges: A Comparison Framework (#amb): This article takes a deep dive into the arbitrary messaging bridge space. LI.FI's goal is to present a comparison framework for analyzing different AMBs so that developers can quickly assess the pros and cons of building on a particular AMB.
Celer IM - A Deep Dive (#amb): This article explores the design, security, and trust assumptions of Celer IM, an arbitrary messaging bridge (AMB) enabling users and developers to transfer both simple messages and complex data across chains.
The state of cross-chain crime (#blockchain): Document from Elliptic covering the new age of crypto crime and money laundering in a cross-chain world.
[Figure: Illicit and High Risk Crypto Laundered Through DEXs]
Securing Move (#blockchain): Article by Aptos and OtterSec on how they invest in tools for writing correct smart contracts, as well as in the correctness of runtime core components like the Move Virtual Machine, via auditing, bug bounties, fuzzing, and security hardening of the underlying implementation.
Ethereum Smart Contract Auditor's 2022 Rewind (#blockchain): This article is the result of reviewing the technical details of many of this year's smart contract vulnerabilities and exploits in and around the Ethereum ecosystem.
Crossing The Bridge (#blockchain): This article dives into the details of what bridges are, how they work, the different types of bridges that exist, and their associated security risks.
[Figure: Pool-based bridge]
Sybil Tools Revealing: Good Work Requires Sharp Tools (#blockchain): With the rise of Web3, and owing to its anonymity and transparency, the underground industry quickly set its sights on Web3. According to research by HACK 3D, in the first half of 2022 nearly $2 billion was hacked on Web3. The article from the X-explore team details some of the tools frequently used by Sybil attackers and outlines the Web3 underground.
Dissecting Ethereum Delegated Staking from a Security Perspective (#smart-contract): As the number of platforms offering delegated Ethereum validators as a service grows, so does the interest in evaluating their associated risks. This article aims to help users interested in these services, as well as professionals reviewing or building such platforms.
Decentralized Identity Attack Surface Pt. 2 (#did): This is the second part of CyberArk's Decentralized Identity (DID) blog series. This article covers the Sovrin DID implementation, describing what a critical-impact issue looks like by reviewing a vulnerability found during CyberArk's research.
I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS (#appsec): Spaceraccoon on an interesting attack vector that he uncovered while reviewing Zoom's code. The attack surface involves the ClipboardEvent and DataTransfer web APIs and how they are used during drag-and-drop actions.
Exploiting API Framework Flexibility (#appsec): Modern frameworks are often very flexible in what they accept and will happily treat a POST with a JSON body as interchangeable with a URL-encoded body, or even with query parameters. Because of this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative encodings.
Missing Bricks: Finding Security Holes in LEGO APIs (#appsec): Salt looked at LEGO's online services, discovering security issues which could have allowed an attacker to manipulate service users to gain complete control over their accounts, obtain PII and other sensitive data stored internally by the service, and obtain access to internal production data.
Unusual Cache Poisoning Between Akamai and S3 Buckets (#appsec): Tarunkant Gupta presents an unusual technique to perform cache poisoning between Akamai and Amazon S3 buckets.
Exploiting OnlyOffice Web Sockets for Unauthenticated Remote Code Execution (#appsec): Iain Wallace from Nettitude found an RCE affecting a document storage and sharing solution.
Apple XAR Directory Traversal Vulnerability (#appsec): A directory traversal vulnerability in XAR, fixed by Apple in 2019, which could have allowed an attacker to write into arbitrary directories or install malware, letting attackers execute arbitrary code.
REKT Lodestar Finance (#blockchain): Lodestar Finance, a Compound fork on Arbitrum, is the latest victim of the mass market manipulation that has affected both people and protocols across our industry. On Saturday, the price oracle of the plvGLP collateral was manipulated, allowing the attacker to drain their lending pools for a profit of ~$6.5M. The incident saw the token LODE dump by ~70% and TVL drop to just $11.
Analyzing Elastic Swap Hack (#smart-contract): On December 13, 2022, Elastic Swap was exploited through price manipulation, causing a total loss of approximately $854,000.
Nimbus Platform Flash Loan Attack (#smart-contract): On December 14, 2022, NimbusPlatform on the BSC chain was exploited using a flash loan attack, with the attacker profiting 278 BNB, worth approximately $76,000.
Royalty Fee Limit of NFT Marketplace Bypass via EIP-2981 (#smart-contract): Article written by Haechi on how a malicious NFT contract can bypass the royalty fee limit in an NFT marketplace.
SushiSwap Kashi Vulnerability Disclosed (#smart-contract): On Nov 08, 2022, BlockSec detected that pools built on top of Sushi's official KashiPairMediumRiskV1 contract were getting their funds drained. This article describes the logic bug found, which affected SushiSwap.
Message Traps in the Arbitrum Bridge (#smart-contract): Research performed by Tincho on how L2-to-L1 messages are passed in Arbitrum and how safe it is for all parties involved to operate on the bridge.
NahamCon2022EU: Command-Line Data-Wrangling by Tomnomnom.
The War on Code: Investigating the Tornado Cash Sanctions and the Arrest of Alexey Pertsev — In August, just a few months ago on these very streets in Amsterdam, armed agents from the Fiscal Information and Investigation Service (FIOD) suddenly arrested a man by the name of Alexey Pertsev, much to his own surprise. We do not yet know all the details surrounding his arrest, but what we do know is that he was quickly taken by the police and thrown into jail, where he remains today, without charges and without having any contact with his wife or friends.
12 Days of Dune (Uniswap) — Become a better wizard in just 12 days, learning from twelve increasingly-difficult queries which cover Uniswap V2.
JupiterOne/j1nuclei — CLI tool that integrates JupiterOne Platform with Nuclei.
coinspect/learn-evm-attacks — A collection of Foundry tests reproducing exploits, bug bounty reports and theoretical vulnerabilities on EVM chains.
0xNazgul/Blockchain-Security-Audit-List — A list of notable blockchain security audit companies.
Security and Privacy — Sov's Compendium is a collection of curated information sources, research, and valuable tools that might help your journey toward sover
Darknet Diaries Ep. 130: Jason's Pen Test — Jason Haddix is a renowned penetration tester who has made a name for himself by uncovering vulnerabilities in some of the world's biggest companies. In this episode, Jason shares his funny and enlightening stories about breaking into buildings and computers, and talks about the time he discovered a major security flaw in a popular mobile banking app.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.