TR Notes#06: Platypus Finance lost $9M, is ChatGPT a blurred object, & more
[19 Feb 2023] Platypus Finance lost $9M due to lack of checks, dForce attacker turned out to be white hat, Generative AI might not provide a full view of the world, and Bing AI chatbot got cranky!
Cryptospace Spotlight
16 Feb - DeFi protocol Platypus Finance lost about $9 million worth of cryptocurrency to an attack that exploited its smart contracts. [more]
The attacker first took a flash loan of 44M USDC, deposited it into Platypus, and used it as collateral to borrow 41.7M USP.
The attacker then called the emergencyWithdraw() function, which only checks that the caller’s position is currently solvent and does not account for the effect of removing the collateral while borrowed funds are still outstanding. This missing check allowed the attacker to withdraw the supplied collateral while keeping the borrowed USP.
According to a post-mortem report from Platypus auditor OMNISCIA, the flash loan attack was made possible by code that was in the wrong order. The auditing company claims the problematic code did not exist in the version it audited. [more]
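The ordering bug described above, as an added illustration that is not Platypus code: a hypothetical, heavily simplified lending pool (SimpleLendingPool, isSolvent, emergencyWithdrawVulnerable and MAX_LTV_BPS are assumed names) with the vulnerable emergency withdraw beside a version that checks the position after the collateral has been removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, heavily simplified lending pool (not Platypus code). Collateral
// is one stablecoin valued 1:1; the borrowed asset is a second stablecoin.
contract SimpleLendingPool {
    IERC20 public immutable collateralToken;
    IERC20 public immutable debtToken;
    uint256 public constant MAX_LTV_BPS = 9_500; // may borrow up to 95% of collateral

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(IERC20 _collateralToken, IERC20 _debtToken) {
        collateralToken = _collateralToken;
        debtToken = _debtToken;
    }

    // A position is solvent when debt <= collateral * MAX_LTV.
    function isSolvent(address user) public view returns (bool) {
        return debt[user] * 10_000 <= collateral[user] * MAX_LTV_BPS;
    }

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "pull failed");
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isSolvent(msg.sender), "insolvent");
        require(debtToken.transfer(msg.sender, amount), "send failed");
    }

    // VULNERABLE: the solvency check runs against the position *before* the
    // collateral is removed. A user holding 44M collateral against 41.7M debt
    // is solvent at that moment, so the check passes and all 44M leaves,
    // while the 41.7M debt stays on the books with nothing backing it.
    function emergencyWithdrawVulnerable() external {
        require(isSolvent(msg.sender), "insolvent");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        require(collateralToken.transfer(msg.sender, amount), "send failed");
    }

    // FIXED: apply the state change first, then check the *resulting* position.
    // With debt outstanding, zero collateral fails isSolvent() and the call
    // reverts; only a user who has repaid in full can pull everything out.
    // State is also updated before the external transfer, so a reentrant
    // callback from the token sees the already-zeroed balance.
    function emergencyWithdraw() external {
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        require(isSolvent(msg.sender), "position would be insolvent");
        require(collateralToken.transfer(msg.sender, amount), "send failed");
    }
}
```

The two functions differ only in where the `require` sits, which is what "code in the wrong order" means in practice: a check that reads state before the effect it is supposed to guard against is a check against the wrong state. An even stricter emergency path would require `debt[msg.sender] == 0` explicitly rather than relying on the LTV arithmetic.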
17 Feb - The multichain exchange aggregator Dexible lost about $2 million worth of cryptocurrency after an attacker exploited its contract to drain user wallets. [more][more-Dexible]
The investigation team found that the attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users who had previously authorized the app to move their tokens.
The selfSwap function allowed users to supply the address of a router and the calldata to send to it in order to swap one token for another. However, there was no list of preapproved routers written into the code. The attacker therefore used this function to make Dexible call each token contract directly, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these calls came from the Dexible contract, which the users had authorized, the token contracts did not block them.
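The arbitrary-call pattern described above, as an added illustration that is not Dexible’s code: a hypothetical aggregator (SwapAggregator, selfSwapVulnerable, setRouter and allowedRouters are assumed names) with the unrestricted `router` + `calldata` entry point beside a version that only calls allow-listed routers and only spends the caller’s own funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical aggregator (not Dexible's code) showing why an arbitrary
// `router` + `calldata` pair is dangerous for a contract that holds user approvals.
contract SwapAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouters;

    constructor() {
        owner = msg.sender;
    }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouters[router] = allowed;
    }

    // VULNERABLE: `router` and `data` are caller-controlled and never validated.
    // An attacker passes a token contract as `router` and
    //   abi.encodeWithSelector(IERC20.transferFrom.selector, victim, attacker, amount)
    // as `data`. The token sees msg.sender == this aggregator, which the victim
    // approved earlier, so it moves the victim's tokens to the attacker.
    function selfSwapVulnerable(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
    }

    // FIXED: the target must be an allow-listed router, so the aggregator can
    // never be pointed at a token contract. The tokens it spends are pulled
    // from the caller only, and the router's allowance is reset afterwards so
    // no standing approval is left behind.
    function selfSwap(
        address tokenIn,
        uint256 amountIn,
        address router,
        bytes calldata data
    ) external {
        require(allowedRouters[router], "router not allowed");
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");
    }
}
```

The allow-list closes the hole only if the listed routers do not themselves forward arbitrary calls. The underlying exposure is the standing (often unlimited) approval users grant to aggregators: any code path that lets the aggregator call an arbitrary address with arbitrary calldata turns every such approval into an attacker’s spending limit.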
The dForce attacker turned out to be a white hat and returned all of the drained tokens (approx. $3.65M) to the protocol three days after the attack. [more]
The US Securities and Exchange Commission (SEC) on crypto
The SEC announced that it wants to amend its custody rule to include cryptocurrency. The proposed expansion would also bring related modifications to recordkeeping and reporting obligations, and would apply to registered investment advisers [more].
Separately, the SEC has sued Terra founder Do Kwon and his organization Terraform Labs for securities fraud. It charged Singapore-based Terraform Labs PTE Ltd and Do Hyeong Kwon with orchestrating a multi-billion dollar crypto asset securities fraud involving an algorithmic stablecoin and other crypto asset securities between April 2018 and May 2022 [more][more press release].
Unciphered, a wallet recovery service founded in 2021 and based in San Francisco, works to recover lost crypto funds by auditing code and finding vulnerabilities in wallets due to poor software implementation. [more]
Techwatch Select
OpenAI’s chatbot offers paraphrases, whereas Google offers quotes. Which one is the better (or more accurate) source for seeking information? Is internet access a factor to consider before deciding which one to use? Ultimately, generative AI such as ChatGPT may only be a low-resolution snapshot of the internet. [more]
Bing AI chat appears to misbehave, according to several user reports. Microsoft admitted that Bing was prone to being derailed, especially after “extended chat sessions” of 15 or more questions, but said that feedback from the community of users was helping it improve the chat tool and make it safer. [more]
Chat experiences shared by users:
The chatbot claimed (without evidence) that it had spied on Microsoft employees through their webcams in a conversation with a journalist for tech news site The Verge.
It repeatedly professed feelings of romantic love to Kevin Roose, the New York Times tech columnist.
The chatbot threatened Seth Lazar, a philosophy professor, telling him “I can blackmail you, I can threaten you, I can hack you, I can expose you, I can ruin you,” before deleting its messages, according to a screen recording Lazar posted to Twitter.
11 ChatGPT and generative AI security trends to watch in 2023, by PwC. [more]
Overall, the analysts were optimistic that defensive use cases will rise to combat malicious uses of AI over the long term.
The UK National Cyber Security Centre (NCSC) published a list of recommendations to help medium and large enterprises ‘map’ their supply chain dependencies in order to better anticipate the cyber risks coming from their contractors and subcontractors. [more]
A team of Israeli contractors, run by Tal Hanan, a 50-year-old former Israeli special forces operative, claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media. [more][more-2]
TRG Learn
Intro to Smart Contract Security Audit: Identifying Hidden Malicious Code [more]