TechRisk Notes#32: Google moved to defend against Quantum risk
Plus, concerns over AI's impact on human creativity, Web3 attacks continue, and 16 high-severity vulnerabilities in OT software unveiled.
What TRG learnt this week.
In EmergingTech
Defending against Quantum risk: Google has announced the integration of encryption algorithms resistant to attacks using quantum computers into its Chrome browser. Google is introducing a hybrid key encapsulation mechanism (KEM) to protect the key exchange that establishes a secure TLS connection. The change will ship in Chrome 116, the stable version of which will be available to users from August 15th. [more]
Concerns about AI: Amid debates surrounding AI's potential to attain consciousness and pose existential threats, the genuine peril lies in the devaluation of human thought. While AI automates tasks, concerns arise regarding the potential erosion of creativity and autonomous thinking. [more]
Data concerns when using AI apps: A Netskope study revealed that source code was the most frequently exposed type of sensitive data, with 22 out of every 10,000 enterprise users posting source code to ChatGPT per month. In total, those 22 users are responsible for an average of 158 posts containing source code per month. This trend is not entirely unexpected, considering ChatGPT's ability to review and explain code and to pinpoint bugs and security vulnerabilities. While these services are beneficial, sharing confidential source code with ChatGPT introduces risks including potential data breaches, accidental data disclosure, and legal and regulatory exposure. [more]
OT security: Microsoft researchers have discovered a total of 16 'high severity' vulnerabilities in software used in ICS/OT/SCADA environments, namely Codesys Control V3 versions prior to 3.5.19.0. These vulnerabilities affect millions of devices: threat actors could exploit them to target programmable logic controllers (PLCs) and other ICS devices running Codesys software, and they can be used for denial-of-service (DoS) attacks or remote code execution (RCE). [more]
China taming criminals that use emerging tech: Authorities in China have strengthened their resolve to crack down on Web3 and artificial intelligence (AI) crimes following a spike in offences from both sectors. The authorities noted that bad actors are using generative AI tools to defraud the public, while others are using digital currencies to cover the money trail of illicit funds. Chinese authorities confirmed a spike in impersonation and phishing scams, and in malware such as Trojans used to steal funds. [more]
In Web3 Cryptospace
18 Aug - Optimism-based DeFi protocol Exactly suffered a bridge exploit, losing approximately $12 million worth of ETH. [more] [more-2]
Separately, DeFi protocol Harbor was attacked and lost digital assets from its stable-mint, as well as from its stOSMO, LUNA and WMATIC vaults. However, the amount of crypto assets stolen remains unclear, and Harbor is working on tracing funds and estimating the total losses. [more]
15 Aug - Rocketswap, a DEX on Base, Coinbase's Ethereum-based network, experienced a crypto exploit and lost over $860k of users' assets. Thereafter, the attackers proceeded to generate a new token known as "LoveRCKT". Certik, another prominent security firm, has also confirmed the attack, describing it as a "Private Key Compromise". [more]
14 Aug - DeFi platform Zunami Protocol confirmed a price manipulation attack on its "zStables" stablecoin pools on Curve Finance and lost over $2.1 million. The attack is the latest among the list of protocols affected by the recent vulnerability in the popular DeFi platform Curve Finance. [more] [more-2]
WorldCoin privacy concern: Argentina is the latest country to investigate OpenAI founder Sam Altman's digital identity project and new cryptocurrency WorldCoin. The country's Public Information Access Agency will analyze the processes and practices WorldCoin follows to collect, store and use personal data, the agency said. This follows similar investigations announced in Kenya, France, Germany and the United Kingdom. [more]
Unpaid bounties: DeFi Bug Bounty Wall of Shame has noted millions in unpaid bounties. This is likely due to the lack of accountability in DeFi bug bounty programs. [more]
Rekt test checklist: One of the biggest challenges for blockchain developers is objectively assessing their security posture and measuring how it progresses. To address this issue, a working group of Web3 security experts, led by Trail of Bits CEO Dan Guido, met earlier this year to create a simple test for profiling the security of blockchain teams. They call it the Rekt Test. [more]
The more of these questions an organization can answer "yes" to, the more it can trust the quality of its operations. This is not a definitive checklist for blockchain security teams, but it is a way to start an informed discussion about important security controls.