Security Pills - Issue 28
Entering The Dark Forest, EVM Contract Construction, Turning Google Smart Speakers into Wiretaps for $100k
Release Date: 2nd January 2023 | Issue: 28
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor: Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Hey everyone and Happy New Year! 🎊 I hope your week has been going well so far. We have some interesting articles to share with you this week, including a report on the latest techniques being used in rug pulls, a look at using a Zero-Trust approach to prevent web3 attacks, and an in-depth examination of MEV bots and how to build your own, among others. Also, Rubic Exchange suffered an exploit on the 25th which led to the loss of more than $1.4 Million in user funds, and a flash loan attack affected Nimbus DAO, causing $76,000 to be stolen by the attackers. These and more news can be found in today's issue, enjoy it!
Articles: Solidus Labs 2022 Rug Pull Report, Comprehensive List of Common Crypto Scams, The Case for an On-Chain Risk Oracle, A Case for On-Chain Zero Trust, Highly Regrettable Trading Strategy, How Forta's Predictive ML Models Detect Attacks Before Exploitation, EVM Contract Construction, Entering the Dark Forest, Reverse Engineering Rustlang Binaries.
Vulnerabilities & Bug Bounties: Turning Google Smart Speakers Into Wiretaps for $100k, How Was MEW (MyEtherWallet) DNS Spoofed?, Nimbus DAO Hack - Oracle Price Manipulation Bug, Decoding Rubic Exchange Exploit.
Videos: Initiation to Audits, Interesting High-Risk Findings, Computer Networking (DeepDive).
Podcasts: Darknet Diaries: Welcome to Video.
Repositories: tree-sitter-cairo, QuillCTF Web3 CTF, smart-contract-auditing-heuristics.
Books: Proofs, Arguments, and Zero-Knowledge; Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.
Tags used in this issue: #appsec, #blockchain, #evm, #mev, #reverse-engineering, #smart-contract.
Solidus Labs 2022 Rug Pull Report #blockchain — Report prepared by Solidus which provides insight into the crypto and DeFi scams that occurred during 2022.
Comprehensive List of Common Crypto Scams #blockchain — List of crypto scams collected by Mal Plankton, with best practices to avoid them.
The Case for an On-Chain Risk Oracle #blockchain — Article from B.protocol on an on-chain risk oracle, which could provide objective pieces of information in a transparent and decentralized manner. The article details what a Risk Oracle is, why it is important for DeFi to have an on-chain risk feed, and how it has been designed.
A Case for On-Chain Zero Trust #blockchain — In Web3, attacks usually follow a four-stage pattern: Funding, Preparation, Exploitation and Money Laundering. Identifying attacks in the preparation stage can effectively mitigate an attack, but this approach only works while the attack behavior stays consistent and patterns can be detected; it stops working once attack behavior changes. This article explores how Zero Trust can augment traditional security approaches, which identify malicious behavior and attacks, by instead identifying specified good behavior.
Highly Regrettable Trading Strategy #blockchain — Avraham Eisenberg, the market manipulator behind the $115M Mango Markets case, has been arrested in Puerto Rico. Rekt has authored this article, where they dive deep into the charges that Eisenberg is facing and his terrible OPSEC.
How Forta's Predictive ML Models Detect Attacks Before Exploitation #blockchain — Article from Mariko (machine learning engineer at OpenZeppelin) that dives deep into an ML-based Forta detection bot that was able to detect over 4 recent hacks before they occurred.
EVM Contract Construction #evm — Article that explores how smart contracts are deployed on-chain and the subtleties of how the EVM executes contract creation code.
Entering The Dark Forest #mev — This article shares some insight into the difficult field of on-chain MEV bots and what you need to start building your own.
Reverse Engineering Rustlang Binaries #reverse-engineering — A five-part research series by Siddharth Mishra on reversing different Rust binaries and understanding their inner workings.
Turning Google Smart Speakers into Wiretaps for $100k #appsec — A vulnerability in the Google Home Smart Speaker which may have allowed attackers within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely, access its microphone feed and make arbitrary HTTP requests within the victim's LAN.
How Was MEW (MyEtherWallet) DNS Spoofed? #blockchain — On April 24, 2018, the DNS registration servers of MEW (MyEtherWallet) were compromised by third-party actors, and the hackers got away with over $152,000 worth of Ether.
Nimbus DAO Hack - Oracle Price Manipulation Bug #smart-contract — A flash loan attack that occurred on December 14, 2022, which allowed attackers to steal 278 BNB worth around $76,000 from Nimbus DAO.
Decoding Rubic Exchange Exploit #smart-contract — On the 25th of December, 2022, Rubic Exchange suffered an exploit that led to the loss of more than $1.4 Million in user funds. Routing contracts were compromised, which allowed the exploiter to drain funds from the wallets of users who had approved the router. Immediately after the hack, Rubic paused the execution of the contracts.
Joran Honig - Initiation to Audits — Joran touches on different approaches, principles, strategies, and forming mental models for a successful audit.
Gerard Persoon - Interesting High-Risk Findings — Gerard Persoon goes over a collection of interesting high-risk findings, along with tips you can apply on your own audits.
Darknet Diaries Ep. 131: Welcome to Video — Andy Greenberg on a story of how criminal investigators used bitcoin tracing techniques to try to find out who was at the center of a child abuse darkweb website.
JoranHonig/tree-sitter-cairo — A tree-sitter grammar for Cairo 1.0 designed to enable metaprogramming.
QuillCTF: Unlock your web3 security skills — web3 CTF in which you must hack Ethereum smart contracts to learn about security. The challenges contain several of the most common vulnerabilities, including reentrancy, integer overflows/underflows, predictable randomness and much more.
OpenCoreCH/smart-contract-auditing-heuristics — Repository that contains heuristics that can be used when auditing smart contracts to get ideas for vulnerabilities/common pitfalls.
Proofs, Arguments, and Zero-Knowledge — Book authored by Justin Thaler on SNARK design approaches.
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency — Over the last decade, a single innovation has massively fueled digital black markets: cryptocurrency. Crime lords inhabiting lawless corners of the internet have operated more freely—whether in drug dealing, money laundering, or human trafficking—than their analog counterparts could have ever dreamed of.
📧 Wrapping up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.