107 / December hack city
Are your favorite projects safe?

Examining the use of CVEs in reporting vulnerabilities within Ethereum projects, recent authorization attacks on protocols like Floor and NFT Trader, and discussing whether an exploit in Bitcoin inscriptions is a feature or a bug.

Timeline

00:00 Intro

00:33 Try Auphonic

01:31 December hack city

02:19 What is CVE

05:08 NFT approvals

05:59 The 10% bounty

09:49 Ledger hack

11:48 Revoke.cash reports

12:21 Ordinals "bug"

Participants

@037

AKM

@begumbitir

???

@VjDeliria

Vj Deliria

@0x7jay

Jay Chen

@

@

Episode notes

• Example of a CVE report against an Ethereum project here’s one CVE-2019-20809
• Floor protocol was attacked
• NFT Trader was attacked
• Bitcoin inscriptions was reported as CVE-2023-50428, bug or feature?
• Must read: what happens when you report a zero-day to a bank?

@037 rugpull review

• Using CVE for vulnerabilities
  • But in Ethereum you barely get them, here’s one CVE-2019-20809
• Some recent authorization attacks
  • Fix involves removing delegation from two addresses: 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
  • Flooring Protocol
    • https://fp.io/
    • Fix involves removing delegation from two addresses: 0x49AD262C49C7aA708Cc2DF262eD53B64A17Dd5EE and 0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2
    • “The hacker reportedly sold the pilfered digital assets on the Blur NFT marketplace, amassing between $1.5 million and $1.6 million.”
    • Nft News https://nft.news/new-hack-report-flooring-protocol-hacked/
  • https://www.nfttrader.io/
    • Hacker retuned stolen NFTs, got 10% bounty reward: https://twitter.com/BoringSecDAO/status/1736263558852497534?ref_src=twsrc%5Etfw
  • Could these two exploits be related? to https://www.bleepingcomputer.com/news/security/multiple-nft-collections-at-risk-by-flaw-in-open-source-library/
  • Zerodium is 1.5m for an Apple vuln. In crypto is 100x
• Ledger Connect Kit NPM library
  • “former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee’s NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.”
  • TechCrunch https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/
  • “The exploit ran for less than two hours and was deactivated within 40 minutes of discovery and was limited to third-party decentralized applications (DApps)”
  • CoinTelegraph https://cointelegraph.com/news/ledger-ceo-explains-hack-calls-it-isolated-incident
    • The drainer step by step: https://x.com/aronvanammers/status/1735328765117452305?s=20
• Revoke.cash now has exploit check
• CVE-2023-50428 “Bug or feature”
  • https://www.bicatalyst.ch/blog/everything-you-need-to-know-about-bitcoin-vulnerability-cve-2023-50428