TechRisk Notes#13: DeFi hackers are white; AI turned scary; and more.
[9 Apr 2023] Some $1.5M in tokens was drained by hackers from two separate DeFi projects and then returned; ChatGPT; and, ICYMI, the US National Cybersecurity Strategy!
Cryptospace Spotlight
4 Apr - DeFi platform Sentiment was exploited by an attacker for an estimated $1 million. However, on 6 Apr, the Sentiment team noted that the attacker had returned 90% of all funds. [more]
The attacker used a reentrancy attack to siphon the funds. The team responded quickly, deploying a fix thanks to a third-party security auditor. The specific method was described as “used view re-entrance Balancer bug to execute malicious code before pool balances were updated and steal money using overpriced collateral.”
1 Apr - Cross-chain project Allbridge’s BUSD/USDT pools on Binance’s BNB Chain were exploited (through manipulation of the swap price), leading to an estimated loss of at least $570,000 worth of tokens. A few days later, Allbridge said that $467,000 worth of tokens had been returned by the attacker, and that the remaining unreturned tokens could be kept as a white hat bounty. With the return of the tokens, Allbridge also announced that it was preparing a compensation plan for affected users. [more][more-securityanalysis][more-allbridge][more-allbridge2]
Binance’s CEO indicated that Binance’s ability to identify the attacker likely helped facilitate the return.
Frontrunning MEV bots: As MEV bots tried to front-run transactions for profit, a rogue validator (created 18 days before this attack) swooped in to reorder the MEV bots’ transactions, leading to $25M in losses. [more][more-2][more-securityanalysis]
The vulnerability was mainly due to the centralization of power in validators. The MEV bots executed a sandwich attack, in which they front-run and then back-run a transaction in order to profit. The rogue validator front-ran the MEV bots’ back-run transaction.
3CX attack: The latest major software supply-chain attack, in which hackers who appear to be working on behalf of the North Korean government hid their code in the installer for a common VoIP application known as 3CX, seems to have had a prosaic goal: breaking into a handful of cryptocurrency companies. [more]
Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision”.
US Treasury on DeFi: US Treasury’s report on DeFi risk assessment noted that many groups engaged in illicit activity from North Korea benefited from some DeFi platforms’ non-compliance with certain Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations. According to the report, insufficient AML/CFT controls and other shortcomings in DeFi services “enable the theft of funds”. [more][more-USTreasury]
Recommendations for U.S. government actions to mitigate the illicit finance risks associated with DeFi services include strengthening U.S. AML/CFT regulatory supervision and considering additional guidance for the private sector on DeFi services’ AML/CFT obligations.
Techrisk Select
ChatGPT privacy: Be very cautious about what information you intend to send to ChatGPT. OpenAI makes it explicitly clear in its privacy policy that anything you input into ChatGPT could be reviewed by OpenAI and used to improve the quality of responses and the performance of ChatGPT. [more][more-ChatGPT-privacy]
ChatGPT adversary mode:
ChatGPT would likely refuse to generate output when asked to generate an operating system (OS) activation key. However, for the less complex keys of older OSes, such as Windows 95, users may prompt it to generate keys by providing a set of text and number strings that matched the rules used. [more]
Separately, a Forcepoint security researcher managed to get ChatGPT to write zero-day malware after noticing loopholes due to insufficient guardrails. The approach was to prompt the chatbot to create separate lines of the malicious code, function by function. [more]
Generative AI and Intellectual Property (IP): Generative AI, which uses data lakes and question snippets to recover patterns and relationships, is becoming more prevalent in creative industries. However, the legal implications of using generative AI are still unclear. [more]
Post-Quantum Cryptography (PQC): Commissioned by the AIVD (the intelligence and security agency of the Netherlands), TNO has compiled a handbook together with CWI. This handbook offers organisations advice and concrete steps to mitigate the risk that quantum computers pose to cryptography. [more]
US National Cybersecurity Strategy [more] [more-strategypaper]