To catch up, check out the first half of 2021 in review.
Today we’ll be taking a look at the second half of 2021 and reviewing the security events that happened in the industry with the goal of educating users and developers of common pitfalls. Whilst we don’t touch too much on individual cases relating to NFTs, NFT theft was a very common occurrence in the last two quarters of 2021, and I expect NFT theft cases to grow in the new year.
What follows is a list of the major/noteworthy security incidents of 2021 Q3/Q4. However, we will NOT be recapping all the rug-pulls, NFT thefts, and events that occurred, as there are too many to count…
Story: Yearn Awards $200k Security Boundy to xyzaudits
TL;DR: Thankfully no funds were lost and xyzaudits responsibly disclosed a vulnerability to the Yearn team, which allowed a bad actor to liquidate an affected strategy’s (`GenLevComp` used in yvDAI 0.3.0 vault) entire debt position on Compound and profit from the liquidation fees. Yearn awarded xyzaudits with the maximum bounty reward of $200,000.
Story: MyCrypto’s Research on Twitter Reply Scam Rings
TL;DR: MyCrypto published a written report with data on the scam rings that operate on Twitter to trick users out of their cryptocurrency. These scam rings are still pretty much everywhere on “Crypto Twitter,” even months after this article was published, so it must still be profitable and Twitter has not prioritised their detection.
Story: Ransomware Hackers Demand $70M in Bitcoin
TL;DR: A group of Russian-speaking hackers claimed responsibility for a massive ransomware attack that hit 200 firms in the US and hundreds more around the world, demanding $70M in Bitcoin to restore the companies’ data.
Story: CasaHODL User Attacked by a “$5 Wrench Attack”
TL;DR: Whilst no major harm happened to the user, they were drugged by a date they met online. The attacker was then able to access the intoxicated user's phone and password manager to steal funds from centralised exchanges. However, most of the user's funds were held in their CasaHODL account, which the attacker was unable to compromise thanks to the 3-of-5 multisig that protected them.
Story: Edgar Arout Releases “Reorg as a Service” Project
TL;DR: Arout released a repository, which was more of a proof-of-concept than a fully-fledged mainnet project, in an attempt to bribe/communicate with miners to organise a block reorg. This received polarized responses from the community. However, six days later, Edgar shelved the project. Shortly after, the Flashbots Organisation released a statement on the project.
Story: Swedish Fraudster Jailed 15 Years for $16 Million Crypto Con
TL;DR: Con artist Roger Nils-Jonas Karlsson reportedly used Coinbase to review funds from would-be investors in his fraudulent program. He pled guilty to securities fraud, wire fraud, and money laundering charges.
Story: Anyswap Multichain Router V3 Exploit Statement
TL;DR: On July 10, 2021, the Anyswap V3 liquidity pool was exploited on BinanceSmartChain. The attacker deduced the private key to an MPC (multi-party computation) account and drained the pools of ~$2.3M USDC and $5.5M MIM. Anyswap replicated the attack and audited their bridges for the exploit but found no issue. They commissioned TrailOfBits for auditing.
Story: THORChain Exploited for 2400ETH
TL;DR: An attacker made use of a custom contract with Bitfrost implementation to trick the system into thinking some value was deposited whereas, in reality, it was 0. They cycled this method and each time drained more assets.
Story: Lookout Unearths Android Crypto-Mining Scams
TL;DR: Lookout, a device security vendor, identified over 170 Android apps, including 25 on the Play Store, intentionally scamming users who were interested in cryptocurrencies. The apps were designed to offer a cloud mining service, but after some analysis Lookout concluded that there was no mining happening. The apps scammed a cumulative 93,000 people.
Story: Ethereum Co-Founder Says Safety Concerns Has Him Quitting Crypto
TL;DR: Anthony Di Iorio stated he’s done with the cryptocurrency world, partially because of personal safety concerns - he’s had a personal security team with him since 2017. He wants to refocus on the philanthropy world instead.
Story: Man arrested in Connection with Alleged Role in Twitter Hack
TL;DR: On July 21, 2021, a United Kingdom citizen was arrested in Spain by Spanish National Police in connection to the 2020 Twitter hack.
Story: THORChain Hacked Again, This Time for Around ~$8M
TL;DR: Using a “sophisticated attack,” someone was able to exploit THORChains ETH Router for $8M. THORChain halted the network and offered a 10% bounty, citing a possible “whitehat” as the attack was intentionally limited.
Story: THORChain ERC20 Logic Exploited to Steal Tokens
TL;DR: The RUNE ERC20 contract had “intentional design decision” logic that allowed someone to steal RUNE tokens from individuals. Around July 23, 2021, someone airdropped a malicious token (with manipulated price feed, showing the airdrop to be worth multiple thousands of dollars) to RUNE holders, which prompted users to try selling the token via DEX (such as Uniswap). The attack made use of calling `approve()` (a seemingly innocent function call), which relayed a call to `transfer()` on the RUNE contract, which was guarded by `tx.origin` instead of `msg.sender`.
Story: Monero’s Former Maintainer Arrested in the US for Allegations Unrelated to Cryptocurrency
TL;DR: A popular figure within the Monero ecosystem - fluffypony/Riccardo Spagni - was arrested in the United States at the request of the South African government for fraud charges that date back to 2009-2011.
Story: BitcoinSV Experiences a Massive 51% attack
TL;DR: On Aug 3, 2021, some “serious hashing power” was unleashed on BSV, causing a 51% attack with the biggest reorg being 14 blocks deep and three versions of the chain were being mined simultaneously.
Story: PopsicleFinance Exploited for ~$25M
TL;DR: Although having conducted multiple audits, attackers exploited PopsicleFinance for the sum of ~$25M. According to researcher Mudit Gupta, the hack “was complex but the bug was simple.”
Story: $600M Stolen in Compromised Key Attack with PolyNetwork
TL;DR: In a series of events, after following one of the largest economical on-chain hacks to date, the hacker blogged their thoughts on chain. After some days, PolyNetwork claimed they recovered the entirety of the funds.
Story: $7M Drained from DAOMaker
TL;DR: Although the smart contract for DAOMaker was not verified (we only know the bytecode), someone managed to exploit the logic to eventually call `withdrawFromUser()` function to drain the contract.
Story: Japanese Exchange Liquid Hacked for $80M
TL;DR: CoinTelegraph identified 107BTC, 9000000TRX, 11000000XRP, and ~$60M ETH that were taken by hackers from Liquid’s warm wallets.
Story: BitConnect Promoters Pay $12M in Cash, Bitcoin to Settle $2B alleged scam
TL;DR: BitConnect shut down in 2018 but many promoters of the alleged Ponzi scheme reached a settlement with the SEC. Later, director and promoter Glenn Arcaro pleaded guilty.
Story: Alleged Dogecoin Mining Scam Rakes in $119M
TL;DR: Dogecoin branding was used to steal from ~1,500 people to the tune of $119M, according to local media in Turkey. The scam involved selling mining contracts to people with the promise of “100% returns.”
Story: Coinbase Sent Erroneous Notifications to 125k Customers About Their 2FA
TL;DR: On August 28, 2021, Coinbase sent a series of tweets explaining the erroneous notifications that were sent to 125k customers about having their 2FA settings changed.
Story: C.R.E.A.M v1 Suffers an Exploit
TL;DR: CreamFinance issued a statement about an exploit that harnessed a contract standard to perform a re-entrancy attack, draining the C.R.E.A.M pool of 418,311,571 AMP and 1,308.09 ETH.
Story: Launchpad Service Miso Exploited by Supply Chain Attack
TL;DR: A launchpad service by SushiSwap was hacked, causing the platform to lose/misdirect 864.8ETH. SushiSwap’s investigation led to the discovery that an anonymous contractor called “AristoK3” was the culprit who committed the malicious code. The funds were later returned.
Story: Bridging Protocol pNetwork Suffers $12M Hack
TL;DR: A bug in the pNetwork code caused 277 BTC to be stolen from the protocols bridge on Binance Smart Chain. pNetwork tweeted about it and offered a $1.5M bounty if funds were returned.
Story: IndexedFinance Hacked for $16M
TL;DR: Through two transactions (targeting DEFI5 and CC10), Indexed Finance was exploited via a vulnerability in the way the pool value was calculated. PeckShield wrote a great mini postmortem about it.
Story: Teen Steals $16M and Tests “Code is Law”
TL;DR: Following the IndexedFinance exploit, a discussion in the exploit “war room” led experts to believe they have found the attacker’s real-world identity; an 18-year-old mathematics student called “Andy.” IndexedFinance stated that Andy refuses to return the funds under the assertion that he “executed a full legal arbitrage trade.”
Story: Polygon Double-Spend Bug Fix - $2M Bounty
TL;DR: A whitehat hacker named Gerhard Wagner submitted a bug on October 5th, 2021, describing an exploit on the bridge that allowed for multiple exits using the same funds - up to 223 times. Polygon confirmed the bug within 30 minutes of the report and began fixing it.
Story: Airdrop Scams Start to Become More Common
TL;DR: Coinbase, MyCrypto, and others began to see a common occurrence of airdrop scams whereby tokens are sent to your address and when you try to transfer/sell them via Uniswap, they revert and you are directed to a website that tries to scam you out of your highest holding assets.
Story: Cryptocurrency Loan Platform Implodes in $130M Hack
TL;DR: For the third time, C.R.E.A.M suffered another hack that resulted in a $130M loss to the protocol. This attack was performed via flash loan with an incredibly complex transaction.
Story: Oracle Manipulation on Fuse Pool #23
TL;DR: On November 2, 2021, a Rari Capital product (Fuse) experienced an oracle pricing manipulation on the VUSD assets and drained the pool (id 23).
Story: Revealed: The Cryptoqueen’s £13.5m London Penthouse
TL;DR: During a trial in Germany, a penthouse property belonging to Dr. Ruja Ignatova, the founder of money laundering operation OneCoin. A BBC article highlighted details of the penthouse, as well as the apparently despondent state of a pair of men who had worked for her. Ignatova vanished in 2021 with $13B.
Story: SilkRoad Admin Forfeits $667K Worth of Bitcoin to British Authorities
TL;DR: Thomas White was ordered to forfeit his Bitcoin holdings after having pleaded guilty in 2019 to crimes committed while acting as administer to the SilkRoad.
Story: DeFi Protocol bZx Compromised Again: $55M Stolen in Private Key Leak
TL;DR: The private key that controls the project’s deployment on Polygon and Binance Smart Chain was compromised, and a suspected $55M was siphoned from attackers.
Story: Unlock Protocol Attack Post-Mortem
TL;DR: Unlock Protocol published a post-mortem about their attack that involved a private key compromise that caused some tokens to be dumped on Uniswap, sending the price of the token into a freefall.
Story: DeFi Protocol BadgerDAO Exploited for $120M in Front End attack
TL;DR: Another large attack on a cryptocurrency protocol resulted in $120M being stolen from BadgerDAO users. The front end was compromised and prompted some users to give spending access to the attacker. One user lost ~$50M in a single transaction. BadgerDAO released a technical post-mortem some days later.
Story: Indian Prime Minister Suffers a Twitter Hack, Sends Tweet Promising Bitcoin
TL;DR: The account was restored quickly, but the hacker had enough time to tweet that India had adopted Bitcoin as legal tender and the Indian government had bought 500 Bitcoin.
