Major Cryptocurrency ATM Manufacturer General Bytes Hacked, Over $1.5M in Bitcoin Stolen

March 19, 2023 Bitcoin.com

More than 280 blockchains at risk of ‘zero-day’ exploits, warns security firm

March 14, 2023 Coin Telegraph

Dogecoin, Zcash and Litecoin have already patched the “critical” vulnerability, but hundreds of others may not have, risking billions’ worth of crypto.

More than 280 blockchain networks are at risk of “zero-day” exploits that could put at least $25 billion worth of crypto at risk, according to cybersecurity firm Halborn.

In a March 13 blog post, Halborn warned of the vulnerability it dubbed “Rab13s” — adding it has already worked with some blockchains, such as Dogecoin, Litecoin and Zcash, to institute a fix for it.

Halborn discovered massive #ZeroDay impacting Dogecoin and 280+ networks including Litecoin and Zcash, putting over $25 Billion of digital assets at risk!

...
— Halborn (@HalbornSecurity) March 13, 2023

Halborn said it was contracted in March 2022 to conduct a security review of Dogecoin’s codebase and found “several critical and exploitable vulnerabilities.”

It later determined those same vulnerabilities “affected over 280 other networks” that risked billions of dollars worth of cryptocurrencies.

Halborn outlined three vulnerabilities, the “most critical” of which allows an attacker to “send crafted malicious consensus messages to individual nodes, causing each to shut down.”

3/ The most critical vulnerability discovered is related to peer-to-peer (p2p) communications where attackers can craft consensus messages and send it to individual nodes, taking them offline.

Halborn researchers, led by @safe_buffer, have code-named this vulnerability #Rab13s.
— Halborn (@HalbornSecurity) March 13, 2023

It added these messages over time could expose the blockchain to a 51% attack where an attacker controls the majority of the network’s mining hash rate or staked tokens to make a new version of the blockchain or take it offline.

Other zero-day vulnerabilities it found would allow potential attackers to crash blockchain nodes by sending Remote Procedure Call (RPC) requests — a protocol allowing a program to communicate and request services from another.

7/ Secondly, attackers can execute code through the public interface (RPC) as a normal node user. Since a valid credential is required to carry out the attack, the likelihood of this exploit is lower.
— Halborn (@HalbornSecurity) March 13, 2023

It added the likelihood of RPC-related exploits was lower as it requires valid credentials to undertake the attack.

“Due to codebase differences between the networks not all the vulnerabilities are exploitable on all the networks, but at least one of them may be exploitable on each network,” Halborn warned.

The firm said at this time it’s not releasing further technical details of the exploits due to their severity and added it made a “good faith effort” to contact all affected parties to disclose the potential exploits and provide remediation for the vulnerabilities.

Dogecoin, Zcash and Litecoin have already implemented patches for the discovered vulnerabilities, but hundreds could still be exposed, according to Halborn.

Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

March 7, 2023 Coin Telegraph

Hacker returns stolen funds to Tender.fi, gets K bounty reward

Coin Telegraph

The bounty, which was offered via an on-chain message was approximately $97,000 or approximately 6% of the exploit amount.

The hacker behind the exploit of the decentralized finance (DeFi) lending platform Tender.fi has returned the stolen funds for a $97,000 bounty reward in Ether (ETH).

The exploit was executed at 10:28 am UTC on Mar. 7, with Tender.fi confirming the incident on Twitter soon after citing “an unusual amount of borrows,” and adding it has paused all borrowing.

Blockchain data showed the exploiter used a price oracle glitch to borrow $1.59 million worth of assets from the protocol by depositing 1 GMX token, valued at around $71.

“It looks like your oracle was misconfigured. contact me to sort this out,” wrote the hacker in an on-chain message.

*Message sent to Tender.fi from the price oracle exploiter. Source: Arbiscan*

Eight hours later, the DeFi protocol announced it had come to an agreement with the “White Hat” exploiter, in which the hacker would repay all loans minus a 62.16 ETH “bounty,” worth around $97,000 at current prices.

Translation: The White Hat will repay all loans minus 62.158670296 ETH, which will be kept as a Bounty for helping secure the protocol. The https://t.co/H4ZMPLH9pz Team will repay the Bounty s value to the protocol, so that there will be no bad debt and users will remain… https://t.co/5bbmKu7zEe
— Tender.fi (@tender_fi) March 7, 2023

Another hour later, Tender.fi confirmed on Twitter that the exploiter had completed the loan repayments.

“Funds are officially SaFu, post mortem on the way,” it wrote.

Last year in August, cross-chain Nomad Bridge appealed to exploiters that participated in a smart contract exploit that extracted $190 million in funds from the bridge in less than three hours.

Mere hours later, approximately $32.6 million worth of funds were already returned, suggesting some of the exploiters may have been white hat hackers attempting to extract funds for a later safe return.

Later in the month, nonfungible token (NFT) firm Metagame even offered a “Whitehat Prize” in the form of an NFT for anyone that proved they returned at least 90% of the funds they stole from the protocol.

1/ Our friends at @metagame created an earned NFT as a thank you to whitehats who returned funds from the Nomad Bridge Hack. Head over https://t.co/TWwuJwnRXj to claim it! pic.twitter.com/V87rkGhBEE
— Nomad (⤭⛓) (@nomadxyz_) August 23, 2022

Blockchain data from the Official Nomad Funds Recovery Address shows that funds continued to be returned to the recovery address since then, with the latest transaction recorded on Feb. 18, 2023, for $7,868 in Covalent Query Token (CQT).

Tornado Cash dev says ‘sequel’ to crypto mixer aims to be regulator-friendly

March 7, 2023 Coin Telegraph

Alexey Pertsev

Soleimani explained that the “critical flaw” with Tornado Cash is that users cannot prove that they’re not associated with a criminal enterprise stealing or laundering crypto funds.

A former Tornado Cash developer claims to be building a new crypto mixing service that aims to solve a “critical flaw” of the sanctioned crypto mixer — which he hopes will convince U.S. regulators to reconsider its position on privacy mixers.

The code of a new Ethereum-based mixer, “Privacy Pools,” was launched on GitHub on Mar. 5 by its creator, Ameen Soleimani.

In a 22-part Twitter thread, Soleimani explained that the “critical flaw” with Tornado Cash is that users cannot prove that they’re not associated with North Korea’s Lazarus Group or any criminal enterprise for that matter.

1/ We fixed @tornadocash

v0 of https://t.co/Nt4b2Tgx1D is live on @optimismFND

test out the demo, but please note:
- this is experimental code
- it has not been audited
- the trusted setup is untrusted

read the full story anon https://t.co/9nAU3RrgpN
— ameen.eth (@ameensol) March 4, 2023

With Privacy Pools, however, Soleimani explained that depositors and withdrawers could opt out of an anonymity set that contains an address associated with stolen or laundered funds.

This feature of Privacy Pools is executed with zero-knowledge (ZK) proofs, meaning that the privacy of the user is preserved:

“Now, users have the option to help regulators isolate illicit funds, without revealing their entire transaction history [...] With privacy pools, just because someone deposits into the same smart contract as you, it doesn't mean they can also force you into sharing an anonymity set with them. It's your choice.”

Soleimani provided a demonstration of how Privacy Pools is used:

13/ Our demo is live - https://t.co/Nt4b2Tgx1D

Now, users have the option to help regulators isolate illicit funds, without revealing their entire transaction history.

Let's watch a brief video of it in action: pic.twitter.com/An9lWx6jfr
— ameen.eth (@ameensol) March 4, 2023

The developer hopes the solution will empower “the community to defend against hackers abusing the anonymity sets of honest users without requiring blanket regulation or sacrificing on crypto ideals.”

While Privacy Pools is already live on Optimism, Soleimani noted that the first version of the privacy protocol is still in its “experimental” stage because the code isn’t complete and has not been audited, but he is “pretty close to having this ready.”

To see the protocol progress further, Soleimani wants on-chain forensics platforms like Chainlaysis and TRM Labs to conduct tracebacks on deposits so that users of the privacy tool don’t have to manually create their own subset exclusion lists.

In making the case for on-chain privacy protocols, Soleimani cited what he described as an “excellent” report by the Federal Reserve Bank of St. Louis in Missouri which examined the trade-offs between on-chain privacy and regulation:

“Their report proposes to achieve effective regulation by having Tornado Cash users provide receipts to an intermediary, thus revealing their entire transaction history to the intermediary, but still being able to have privacy with respect to other public blockchain users.”

The developer hopes this can help “start a conversation” with U.S. regulators on how on-chain privacy can be preserved whilst restricting criminal activity through the use of ZK proofs.

Soleimani’s attempt to create a crypto-friendly on-chain privacy solution comes after the U.S. Office of Foreign Asset Control (OFAC) sanctioned ETH and USDC addresses linked to Tornado Cash on Aug. 8 in response to several alleged thefts by North Korea’s Lazarus Group, who were claimed to have routinely used the privacy mixer to preserve its anonymity.

*Photograph of a #FreeAlex protest. Source: Ameen.eth Twitter*

Shortly after the sanction on Aug. 10, Alexey Pertsev, the creator of Tornado Cash was arrested by authorities in the Netherlands and is currently facing a series of money laundering charges. He remains behind bars and his next hearing will take place in late April.

BitKeep remains on track to fully compensate victims of $8M APK exploit

March 2, 2023 Coin Telegraph

BitKeep

The company says users' losses will be 100% reimbursed by mid-March.

According to an official Telegram statement on March 1, Singaporean cross-chain crypto wallet developer BitKeep says it has reimbursed 50% of user assets lost during a security breach stemming from Dec. 26, 2022. On the date of the incident, an estimated $8 million was stolen by hackers after BitKeep's APK 7.2.9 (Android Package Kit) installation package was hijacked and swapped. Users who downloaded the malware subsequently saw their private keys compromised, leading to the theft of assets.

As told by BitKeep, a total of 6,731 verified addresses were breached during the incident. The firm has since completed reimbursing 50% of stolen assets in the affected addresses, with "expedited processing" for the remaining 50% of funds. BitKeep says it will complete its compensation plan ahead of schedule and release the remaining funds within two weeks.

In a statement to Cointelegraph, a spokesperson for BitKeep said the company has yet to recover the remaining assets through law enforcement efforts, and all reimbursements are "currently coming out of the company's own pockets, including those to be completed in the near future." As told by the spokesperson:

"BitKeep is adamant about the safety of users' assets and that is why we have stepped up to take responsibility for all damages as a result of the incident. Users' losses are being compensated by BitKeep's 2022 revenue and its Secure Assets Fund, and we will complete all reimbursements by March. Finally, we would like to express our gratitude to our users for their trust and support, as well as to our partners for working with us to overcome the recent challenges."

On Dec. 29, three days after the incident, BitKeep announced that it had alerted law enforcement and would reimburse 100% of users' losses. The wallet currently has over 8 million users worldwide. Last May, the firm raised $15 million in its Series A at a valuation of $100 million.

Dear BitKeepers:

Our team has been doing its best to review various compensation possibilities to recover the losses for our users involved since the 729 APK hack safely. The latest update of compensations is as follows:

1/4
— BitKeep Wallet (@BitKeepOS) March 2, 2023

Norwegian Authorities Seize Nearly $6,000,000 in Crypto Stolen in 2022 Hack on Axie Infinity (AXS) Ronin Network

February 17, 2023 The Daily Hodl

Wormhole hacker moves another $46M of stolen funds

February 13, 2023 Coin Telegraph

Wormhole hacker moves another M of stolen funds

Arbitrage

The Wormhole exploiter appears to be seeking arbitrage opportunities with Ethereum-pegged assets.

The ill-gotten crypto from one of the industry’s largest exploits is on the move again, with on-chain data showing another $46 million of stolen funds has just shifted from the hacker’s wallet.

The Wormhole attack was the third largest crypto hack in 2022 resulting from an exploit of Wormhole’s token bridge in February 2022. Around $321 million of Wrapped ETH (wETH) was stolen.

According to blockchain security firm PeckShield, the hacker’s associated wallet has become active once again, moving d $46 million worth of crypto assets.

This was made up of around 24,400 of Lido Finance-wrapped Ethereum staking token (wstETH), worth approximately $41.4 million and 3,000 Rocket Pool Ethereum staking token (rETH), worth about $5 million, which was moved to MakerDAO.

The hacker appears to be seeking yield or arbitrage opportunities on their stolen loot as the assets were exchanged for 16.6 million DAI, PeckShield reported.

The MakerDAO stablecoin was then used to buy 9,750 ETH priced at around $1,537 and 1,000 stETH. These were then wrapped back into 9,700 wstETH.

#PeckShieldAlert The Wormhole Network Exploiter 0x629e supplied $46M worth of cryptos, including 24.4k $wstETH ($41.4M) & 3k $rETH (~$5M), to MakerDAO for 16.6M $DAI & used them to buy 9.75k $ETH ($ETH at $1,537) & 1k $stETH ($ETH at $1,543), then wrapped them for ~9.7k $wstETH pic.twitter.com/BRfygHgpit
— PeckShieldAlert (@PeckShieldAlert) February 12, 2023

On Feb. 10, an on-chain sleuth observed that the hacker was “buying the dip.”

However, the price of Ethereum has since fallen below those levels over the past few hours. At the time of writing, ETH was trading down 2.6% on the day at $1,505 according to CoinGecko.

At the time of the transfers, stETH prices depegged from Ethereum and climbed as high as $1,570. They’re currently trading 2.4% higher than ETH at $1,541. Furthermore, wstETH also has depegged and rose to $1,676, 11.3% higher than the underlying asset.

The latest funds movement comes only a few weeks after the hacker moved another $155 million worth of Ethereum to a decentralized exchange on Jan. 24.

95,630 ETH was sent to the OpenOcean DEX and then subsequently converted into ETH-pegged assets including Lido’s stETH and wstETH.

Hack