December hack city
Are your favorite projects safe?
107 / Examining the use of CVEs in reporting vulnerabilities within Ethereum projects, recent authorization attacks on protocols like Flooring Protocol and NFT Trader, and discussing whether an exploit in Bitcoin inscriptions is a feature or a bug.
Episode notes
- Example of a CVE report against an Ethereum project: CVE-2019-20809
- Flooring Protocol was attacked
- NFT Trader was attacked
- Bitcoin inscriptions were reported as CVE-2023-50428: bug or feature?
- Must read: what happens when you report a zero-day to a bank?
@037 rugpull review
- Using CVE for vulnerabilities
- But in Ethereum you barely get them; here's one: CVE-2019-20809
- Some recent authorization attacks
- Fix involves removing delegation from two addresses: 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
- Flooring Protocol
- https://fp.io/
- Fix involves removing delegation from two addresses: 0x49AD262C49C7aA708Cc2DF262eD53B64A17Dd5EE and 0x3eb879cc9a0Ef4C6f1d870A40ae187768c278Da2
- “The hacker reportedly sold the pilfered digital assets on the Blur NFT marketplace, amassing between $1.5 million and $1.6 million.”
- Nft News https://nft.news/new-hack-report-flooring-protocol-hacked/
- https://www.nfttrader.io/
- Hacker returned stolen NFTs, got 10% bounty reward: https://twitter.com/BoringSecDAO/status/1736263558852497534?ref_src=twsrc%5Etfw
- Could these two exploits be related to: https://www.bleepingcomputer.com/news/security/multiple-nft-collections-at-risk-by-flaw-in-open-source-library/
- Zerodium is 1.5m for an Apple vuln. In crypto it's 100x
- Ledger Connect Kit NPM library
- “former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee’s NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.”
- TechCrunch https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/
- “The exploit ran for less than two hours and was deactivated within 40 minutes of discovery and was limited to third-party decentralized applications (DApps)”
- CoinTelegraph https://cointelegraph.com/news/ledger-ceo-explains-hack-calls-it-isolated-incident
- The drainer step by step: https://x.com/aronvanammers/status/1735328765117452305?s=20
- Revoke.cash now has exploit check
- CVE-2023-50428 “Bug or feature”