
Blocksec

Wintermute inside job theory ‘not convincing enough’ —BlockSec

The theory is “not convincing enough to accuse the Wintermute project,” wrote BlockSec, as it highlighted that Wintermute’s actions during the hack made sense given the circumstances.

Blockchain security firm BlockSec has debunked a conspiracy theory alleging that the $160 million Wintermute hack was an inside job, noting that the evidence used for the allegations is “not convincing enough.”

Earlier this week cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular.

BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author claimed,” adding in a tweet:

“Our analysis shows that the report is not convincing enough to accuse the Wintermute project.”

In Edwards’ original post, he essentially drew attention to how the hacker was able to wreak so much carnage on the exploited Wintermute smart contract, which “supposedly had admin access,” despite his analysis showing no evidence that the attacker had admin capabilities.

BlockSec, however, promptly debunked the claims, outlining that “the report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.”

It pointed to Etherscan transaction details which showed that Wintermute had removed admin privileges once it became aware of the hack.

BlockSec report: Medium

Edwards also questioned why Wintermute had $13 million worth of Tether (USDT) transferred from two of its accounts on two different exchanges to its smart contract just two minutes after it was compromised, suggesting it was foul play.

Related: Tribe DAO votes in favor of repaying victims of $80M Rari hack

Addressing this, BlockSec argued that this is not as suspicious as it appears, as the hacker could have been monitoring Wintermute’s transfer transactions, possibly via bots, and timed the attack to coincide with them.

“However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.”

As previously stated in Cointelegraph’s first article on the matter, Wintermute has strongly refuted Edwards’ claims and has asserted that his methodology is full of inaccuracies.

4 more virtual asset trading platforms licensed in Hong Kong

ETHW confirms contract vulnerability exploit, dismisses replay attack claims

The proof-of-work fork of the Ethereum blockchain was targeted by a cross-chain contract exploit.

Post-Ethereum Merge proof-of-work (PoW) chain ETHW has moved to quell claims that it had suffered an on-chain replay attack over the weekend.

Smart contract auditing firm BlockSec flagged what it described as a replay attack that took place on Sept. 16, in which attackers harvested ETHW tokens by replaying the call data of Ethereum’s proof-of-stake (PoS) chain on the forked Ethereum PoW chain.

According to BlockSec, the root cause of the exploit was that the Omni cross-chain bridge on the ETHW chain used an old chainID and did not correctly verify the chainID of the cross-chain message.

Ethereum’s Mainnet and test networks use two identifiers for different uses, namely, a network ID and a chain ID (chainID). Peer-to-peer messages between nodes make use of network ID, while transaction signatures make use of chainID. EIP-155 introduced chainID as a means to prevent replay attacks between the ETH and Ethereum Classic (ETC) blockchains.

BlockSec was the first analytics service to flag the replay attack and notified ETHW, which in turn quickly rebuffed initial claims that a replay attack had been carried out on-chain. ETHW made attempts to notify Omni Bridge of the exploit at the contract level:

Analysis of the attack revealed that the exploiter started by transferring 200 WETH through the Omni bridge of the Gnosis chain before replaying the same message on the PoW chain, netting an extra 200 ETHW. This resulted in the balance of the bridge contract deployed on the PoW chain being drained.

Related: Cross-chains in the crosshairs: Hacks call for better defense mechanisms

BlockSec’s analysis of the Omni bridge source code showed that the logic to verify chainID was present, but the verified chainID used in the contract was pulled from a value stored in the storage named unitStorage.

The team explained that this stored value was not the live chainID returned by the CHAINID opcode (proposed in EIP-1344), a mismatch that the fork following the Ethereum Merge turned into an exploitable flaw:

“This is probably due to the fact that the code is quite old (using Solidity 0.4.24). The code works fine all the time until the fork of the PoW chain.”
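To make the root cause concrete, the sketch below is an added example and not code from the Omni bridge, BlockSec or ETHW. It contrasts a bridge that caches the chain ID in storage at deployment with one that reads it live through the CHAINID opcode. Contract, function and variable names (`BridgeCachedChainId`, `BridgeLiveChainId`, `executeMessage`, `cachedChainId`) are hypothetical, and the flat storage variable stands in for the bridge’s real storage layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the Omni bridge or from BlockSec. Both contracts
// release funds for a bridge message that names the chain it was destined for;
// the only difference is where each contract gets the chain ID it compares to.
// Contract, function and variable names are hypothetical.

abstract contract BridgeBase {
    mapping(address => uint256) public balances;
    mapping(bytes32 => bool) public processed;

    // Constructed stand-in for releasing bridged tokens to the recipient.
    function _release(address to, uint256 amount) internal {
        balances[to] += amount;
    }

    // Replay protection by message ID only works within one chain's history.
    // A fork copies the whole state, so a message first executed on the PoS
    // chain after the fork is still unseen on the PoW copy.
    function _markProcessed(bytes32 messageId) internal {
        require(!processed[messageId], "already processed");
        processed[messageId] = true;
    }
}

// Weak pattern: the chain ID is read once at deployment and cached in storage.
// Storage is copied verbatim onto a fork, so the PoW copy keeps the PoS chain's
// ID and accepts messages that were only ever meant for the PoS chain.
contract BridgeCachedChainId is BridgeBase {
    uint256 private cachedChainId; // hypothetical stand-in for the bridge's stored value

    constructor() {
        cachedChainId = block.chainid; // frozen at deploy time
    }

    function executeMessage(bytes32 messageId, uint256 destinationChainId, address to, uint256 amount) external {
        _markProcessed(messageId);
        // On the fork this still compares against the pre-fork chain ID, so
        // calldata captured on the PoS chain passes the check here as well.
        require(destinationChainId == cachedChainId, "wrong chain");
        _release(to, amount);
    }
}

// Hardened pattern: compare against the live value of the CHAINID opcode
// (EIP-1344; exposed as block.chainid since Solidity 0.8). After a fork each
// chain reports its own ID, so a message addressed to the PoS chain fails here
// when replayed on the PoW chain.
contract BridgeLiveChainId is BridgeBase {
    function executeMessage(bytes32 messageId, uint256 destinationChainId, address to, uint256 amount) external {
        _markProcessed(messageId);
        require(destinationChainId == block.chainid, "wrong chain");
        _release(to, amount);
    }
}
```

The cached pattern is written here in Solidity 0.8 only so both variants compile side by side; code of the 0.4.24 era quoted above predates EIP-1344 (activated in the Istanbul upgrade), so at the time there was no opcode to read the live value from, and caching the chain ID at initialisation was the only option. From Solidity 0.5.12 the value is reachable as `chainid()` in inline assembly, and from 0.8 as `block.chainid`; any bridge or signature scheme that must survive a fork should compare against that live value rather than a stored copy.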

This allowed attackers to harvest ETHW and potentially other tokens owned by the bridge on the PoW chain and go on to trade these on marketplaces listing the relevant tokens. Cointelegraph has reached out to BlockSec to ascertain the value extracted during the exploit.

Following Ethereum's successful Merge event which saw the smart contract blockchain transition from PoW to PoS, a group of miners decided to continue the PoW chain through a hard fork. 


How to protect yourself from the recent spate of ‘crypto muggings’

Cointelegraph spoke with security experts who shared tips on how to keep crypto safe after a slew of robberies in the UK in which thousands of dollars’ worth of crypto was stolen from everyday holders.

There has been a spate of “crypto muggings” in London recently, with thieves threatening crypto holders with violence unless they transfer over their digital currencies held in mobile phone wallets or on crypto exchanges.

As detailed by The Guardian UK, crime reports from the City of London police describe how thousands of dollars’ worth of crypto has been stolen by thugs in person. One victim said their phone had been pickpocketed while they were out drinking, and they later realized over $12,000 worth of Ether (ETH) had been siphoned from their Crypto.com account. The victim believes the thieves witnessed them type in their account PIN.

Another victim was approached by a group offering to sell him cocaine and after moving to another location to buy the drugs, the person was held against a wall whilst the gang accessed his phone and crypto account using facial verification, transferring over $7,000 worth of Ripple (XRP) to their own wallets.

This is an increasingly common variation on what is termed a “$5 wrench attack”.

As blockchain transactions are irreversible and most methods of cryptocurrency storage place responsibility for the security of the assets on the individual who owns them, Cointelegraph spoke with blockchain security firm BlockSec, which shared the following tips on how to protect crypto from a mugging:

“Do not deposit a large amount of crypto in a wallet or exchange app. Only leave a small portion in there. You can have a multi-sig wallet and with a policy saying only two signers can move the money in the wallet. By doing so, only a small amount of crypto will be lost during the mugging.”

BlockSec also suggested a way to trick thieves if a crypto user is mugged, noting that some smartphones support separate login profiles that hide certain applications, such as Huawei’s “PrivateSpace” feature:

“The apps in the 'PrivateSpace' are different from the main ones actually used. So if the users are mugged they can enter into the 'PrivateSpace' showing that they don’t have any crypto apps installed on their phone, or vice versa, can hide crypto apps in this space.”

Samsung phones have a similar feature called a “secure folder” which can be used to hide all your crypto applications behind a PIN or password and the folder itself can also be hidden from the home screen.

On Apple iPhones apps can be moved to one page on the home screen and hidden all at once, and there are further options such as removing an individual app from showing on the home screen only to be accessed via search.

Cointelegraph also spoke with a pseudonymous Twitter user and independent security researcher known as “CIA Officer” popular for creating and sharing guides and tips on how crypto users can harden security of their assets.

CIA Officer shared an article they wrote in April featuring 13 tips on the principles of storing cryptocurrencies, saying:

“I wrote the article because my sense of justice just pushes me forward because maybe the biggest threat to crypto is crypto scams as people just get disappointed and leave forever.”

In the article, CIA Officer gives a reminder that mobile wallets like MetaMask are only interfaces and recommends storing all crypto on a cold wallet such as Ledger or Trezor as opposed to keeping it on an exchange or in a mobile wallet.

Related: Warning: Smartphone text prediction guesses crypto hodler’s seed phrase

A physical storage device will keep all crypto offline and assets can only be moved if someone has access to the wallet along with knowing the PIN and in some cases a password. One can even be created using an old smartphone rather than using a dedicated device.

The crypto stored on the cold wallet can be further hardened, and CIA Officer echoes the advice from BlockSec to set up a multi-signature wallet that uses two or even three separate devices to approve a transaction.

CIA Officer also shared their rules for crypto OpSec, which is shorthand for “operational security,” a risk-management process aimed at preventing leaks of sensitive information.

“You should build your own stone wall of OpSec, so you'll know perfectly what to do if something happens.”

In light of the muggings, such OpSec measures include keeping any crypto investments a total secret. Potential thieves in public settings could overhear a discussion or even witness a person’s crypto holdings, as in the above case where the victim was pickpocketed.

“Being suspicious is always a good thing,” CIA Officer writes, “you may try to be hacked through acquaintances, either those pretending to be acquaintances or acquaintances themselves.”


Bored Ape Yacht Club’s Apecoin DAO Airdrops Millions of Apecoins to NFT Owners

During the last 24 hours, the cryptocurrency community has been discussing the launch of a new token called apecoin (APE), released by the newly-formed Apecoin DAO. At launch, the token exchanged hands for $10.36 per coin, but dropped more than 40% to $6.21. Since the token’s all-time low and Bored Ape Yacht Club (BAYC) owners […]
