Euler Finance hacked despite 10 audits in 2 years, says CEO

March 17, 2023 Coin Telegraph

audit

Euler Labs CEO Michael Bentley stated he will “never forgive” the hacker as the exploit caused him to lose time with his newborn son.

Ten separate audits conducted over a two-year period of the Ethereum-based lending protocol Euler Finance deemed it to be “nothing higher than low risk” and having “no outstanding issues” prior to it suffering from a $196 million attack.

In a series of tweets on March 17 Euler Labs CEO, Michael Bentley described the “hardest days” of his life after Euler’s $196 million flash loan attack on March 13.

He retweeted one user sharing information that Euler had 10 audits from 6 different firms, and commented that the platform “has always been a security-minded project.”

Euler has always been a security-minded project. The Euler smart contracts, including the vulnerable lines of code, were audited.https://t.co/SvNeoKEGuY
— Michael Bentley (@euler_mab) March 16, 2023

Blockchain security firms including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica conducted smart contract audits on Euler Finance from May 2021 to September 2022.

Halborn ranked its risk assessment by measuring the “likelihood of a security incident” and the impact it may have, with the risk level ranging from very low and informational, to critical — Euler received “nothing higher than low risk.”

It was revealed in a Dec. 2022 summary of Halborn’s audit that it had found “an overall satisfactory result.”

The summary stated 23 smart contracts were “inspected and analyzed” by Halborn over a one-month period, of which only “two low risks and three informational” risks were identified.

Euler stated it had reviewed Halborn’s coverage and concluded the risks “pose no significant threats.”

Blockchain security firm Omnisica addressed some “incorrect paradigms” in Euler’s base swapper implementation, as well as how the swap mode was “handled by the codebase” — but stated in the report that these issues were “properly dealt” with by Euler, and “no outstanding issues” remained.

On March 16 the protocol’s hacker began moving funds through crypto mixer Tornado Cash only hours after a $1 million bounty was launched by Euler for information leading to the hacker’s arrest.

In his recent Twitter thread Bentley said he’ll never “forgive the attacker” as he was forced to “sacrifice time” with his newborn son due to the attack but thanked security experts who are “working on leads” for the investigation.

Only 24 hours prior to the bounty, Euler issued a warning saying it would launch a one “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.

More than 280 blockchains at risk of ‘zero-day’ exploits, warns security firm

March 14, 2023 Coin Telegraph

blockchain exploit

Dogecoin, Zcash and Litecoin have already patched the “critical” vulnerability, but hundreds of others may not have, risking billions’ worth of crypto.

More than 280 blockchain networks are at risk of “zero-day” exploits that could put at least $25 billion worth of crypto at risk, according to cybersecurity firm Halborn.

In a March 13 blog post, Halborn warned of the vulnerability it dubbed “Rab13s” — adding it has already worked with some blockchains, such as Dogecoin, Litecoin and Zcash, to institute a fix for it.

Halborn discovered massive #ZeroDay impacting Dogecoin and 280+ networks including Litecoin and Zcash, putting over $25 Billion of digital assets at risk!

...
— Halborn (@HalbornSecurity) March 13, 2023

Halborn said it was contracted in March 2022 to conduct a security review of Dogecoin’s codebase and found “several critical and exploitable vulnerabilities.”

It later determined those same vulnerabilities “affected over 280 other networks” that risked billions of dollars worth of cryptocurrencies.

Halborn outlined three vulnerabilities, the “most critical” of which allows an attacker to “send crafted malicious consensus messages to individual nodes, causing each to shut down.”

3/ The most critical vulnerability discovered is related to peer-to-peer (p2p) communications where attackers can craft consensus messages and send it to individual nodes, taking them offline.

Halborn researchers, led by @safe_buffer, have code-named this vulnerability #Rab13s.
— Halborn (@HalbornSecurity) March 13, 2023

It added these messages over time could expose the blockchain to a 51% attack where an attacker controls the majority of the network’s mining hash rate or staked tokens to make a new version of the blockchain or take it offline.

Other zero-day vulnerabilities it found would allow potential attackers to crash blockchain nodes by sending Remote Procedure Call (RPC) requests — a protocol allowing a program to communicate and request services from another.

7/ Secondly, attackers can execute code through the public interface (RPC) as a normal node user. Since a valid credential is required to carry out the attack, the likelihood of this exploit is lower.
— Halborn (@HalbornSecurity) March 13, 2023

It added the likelihood of RPC-related exploits was lower as it requires valid credentials to undertake the attack.

“Due to codebase differences between the networks not all the vulnerabilities are exploitable on all the networks, but at least one of them may be exploitable on each network,” Halborn warned.

The firm said at this time it’s not releasing further technical details of the exploits due to their severity and added it made a “good faith effort” to contact all affected parties to disclose the potential exploits and provide remediation for the vulnerabilities.

Dogecoin, Zcash and Litecoin have already implemented patches for the discovered vulnerabilities, but hundreds could still be exposed, according to Halborn.

Here’s how to quickly spot a deepfake crypto scam — cybersecurity execs

January 13, 2023 Coin Telegraph

blockchain security firm

The fast-paced nature of the crypto markets means investors are under massive pressure to quickly verify whether a video message is authentic or not.

Crypto investors have been urged to keep their eyes peeled for “deepfake” crypto scams to come, with the digital-doppelganger technology continuing to advance, making it harder for viewers to separate fact from fiction.

David Schwed, the chief operating officer of blockchain security firm Halborn, told Cointelegraph that the crypto industry is more “susceptible” to deepfakes than ever because “time is of the essence in making decisions,” which results in less time to verify the veracity of a video.

Deepfakes use deep learning artificial intelligence (AI) to create highly realistic digital content by manipulating and altering original media, such as swapping faces in videos, photos, and audio, according to OpenZeppelin technical writer Vlad Estoup.

Estoup noted that crypto scammers often use deepfake technology to creat fake videos of well-known personalities to execute scams.

An example of such a scam was a deepfake video of FTX’s former CEO in November, where scammers used old interview footage of Sam Bankman-Fried and a voice emulator to direct users to a malicious website promising to “double your cryptocurrency.”

Over the weekend, a verified account posing as FTX founder SBF posted dozens of copies of this deepfake video offering FTX users "compensation for the loss" in a phishing scam designed to drain their crypto wallets pic.twitter.com/3KoAPRJsya
— Jason Koebler (@jason_koebler) November 21, 2022

Schwed said that the volatile nature of crypto causes people to panic and take a “better safe than sorry” approach, which can lead to them getting suckered into deepfake scams. He noted:

“If a video of CZ is released claiming withdrawals will be halted within the hour, are you going to immediately withdraw your funds, or spend hours trying to figure out if the message is real?”

However, Estoup believes that while deepfake technology is advancing at a rapid rate, it’s not yet “indistinguishable from reality.”

How to spot a deepfake: Watch the eyes

Schwed suggests one useful way to quickly spot a deepfake is to watch when the subject blinks their eyes. If it looks unnatural, there’s a good chance it’s a deepfake.

This is due to the fact that deepfakes are generated using image files sourced on the internet, where the subject will usually have their eyes open, explains Schwed. Thus, in a deepfake, the blinking of the subject’s eyes needs to be simulated.

Hey @elonmusk & @TuckerCarlson have you seen, what I assume is #deepfake paid ad featuring both of you? @YouTube how is this allowed? This is getting out of hand, its not #FreeSpeech it’s straight #fraud: Musk Reveals Why He Financial Supports To Canadians https://t.co/IgoTbbl4fL pic.twitter.com/PRMfiyG3Pe
— Matt Dupuis (@MatthewDupuis) January 4, 2023

Schwed said the best identifier of course is to ask questions that only the real individual can answer, such as “what restaurant did we meet at for lunch last week?”

Estoup said there is also AI software available that can detect deepfakes and suggests one should look out for big technological improvements in this area.

He also gave some age-old advice: “If it’s too good to be true, it probably is.”

Last year, Binance’s chief communications officer, Patrick Hillman, revealed in an August blog post that a sophisticated scam was perpetrated using a deepfake of him.

Hillman noted that the team used previous news interviews and TV appearances over the years to create the deepfake and “fool several highly intelligent crypto members.”

He only became aware of this when he started to receive online messages thanking him for his time talking to project teams about potentially listing their assets on Binance.com.

Earlier this week, blockchain security firm SlowMist noted there were 303 blockchain security incidents in 2022, with 31.6% of them caused by phishing, rug pulls and other scams.

MetaMask warns of security vulnerability from older versions of popular crypto wallet

June 15, 2022 Coin Telegraph

Coin Telegraph

"Ultimately, we've learned that our password encryption feature's security was partially undermined by browser behavior," said the team at MetaMask.

On Wednesday, MetaMask said that it uncovered a critical security vulnerability in older versions of its crypto wallet with the help of security researchers at Halborn. The security firm was awarded a bounty of $50,000 for the discovery.

For users of the MetaMask extension before version 10.11.3, three necessary conditions would have led to the potential vulnerability. They are: 1) an unencrypted hard drive, 2) having imported a secret recovery phrase into a MetaMask extension on a device that was compromised, stolen, or has unauthorized access, and 3) having used the "Show Secret Recovery Phrase" checkbox to view one's secret recovery phrase on-screen during the import process.

"We've only found that the Secret Recovery Phrase could be extracted under very specific circumstances, and we've been able to introduce new protections over the period that Halborn has waited to disclose."

Apparently, the exploit affects all browser versions of MetaMask wallet versions prior to the 10.11.3 update, and all operating systems if all three circumstances were met, but not mobile versions.

MetaMask is warning affected users to migrate their funds from their compromised wallets. However, keep in mind that all three conditions need to have been met for the vulnerability to be active on older versions of MetaMask.

Halborn

How to spot a deepfake: Watch the eyes

Share this video