December hack city
Are your favorite projects safe?

107 / Examining the use of CVEs in reporting vulnerabilities within Ethereum projects, recent authorization attacks on protocols like Floor and NFT Trader, and discussing whether an exploit in Bitcoin inscriptions is a feature or a bug.

Timeline

00:00 Intro

00:33 Try Auphonic

01:31 December hack city

02:19 What is CVE

05:08 NFT approvals

05:59 The 10% bounty

09:49 Ledger hack

11:48 Revoke.cash reports

12:21 Ordinals "bug"

Participants

@037

AKM

@begumbitir

???

@VjDeliria

Vj Deliria

@0x7jay

Jay Chen

@

@

Episode notes

• Example of a CVE report against an Ethereum project here’s one CVE-2019-20809
• Floor protocol was attacked
• NFT Trader was attacked
• Bitcoin inscriptions was reported as CVE-2023-50428, bug or feature?
• Must read: what happens when you report a zero-day to a bank?

@037 rugpull review

• Using CVE for vulnerabilities
  • But in Ethereum you barely get them, here’s one CVE-2019-20809
• Some recent authorization attacks
  • Fix involves removing delegation from two addresses: 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
  • Flooring Protocol
    • https://fp.io/
    • Fix involves removing delegation from two addresses: 0x49AD262C49C7aA708Cc2DF262eD53B64A17Dd5EE and 0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2
    • “The hacker reportedly sold the pilfered digital assets on the Blur NFT marketplace, amassing between $1.5 million and $1.6 million.”
    • Nft News https://nft.news/new-hack-report-flooring-protocol-hacked/
  • https://www.nfttrader.io/
    • Hacker retuned stolen NFTs, got 10% bounty reward: https://twitter.com/BoringSecDAO/status/1736263558852497534?ref_src=twsrc%5Etfw
  • Could these two exploits be related? to https://www.bleepingcomputer.com/news/security/multiple-nft-collections-at-risk-by-flaw-in-open-source-library/
  • Zerodium is 1.5m for an Apple vuln. In crypto is 100x
• Ledger Connect Kit NPM library
  • “former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee’s NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.”
  • TechCrunch https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/
  • “The exploit ran for less than two hours and was deactivated within 40 minutes of discovery and was limited to third-party decentralized applications (DApps)”
  • CoinTelegraph https://cointelegraph.com/news/ledger-ceo-explains-hack-calls-it-isolated-incident
    • The drainer step by step: https://x.com/aronvanammers/status/1735328765117452305?s=20
• Revoke.cash now has exploit check
• CVE-2023-50428 “Bug or feature”
  • https://www.bicatalyst.ch/blog/everything-you-need-to-know-about-bitcoin-vulnerability-cve-2023-50428