TR Notes#09: Hedera under attack, Sensitive data went to ChatGPT, and more.
[12 Mar 2023] Tender.fi was drained of $1.59M worth of tokens, sensitive business data and privacy-protected information were sent to large language models (LLMs) such as ChatGPT,
Cryptospace Spotlight
10 Mar - Smart Contract Service code of the Hedera mainnet was exploited by attackers. As a result, Hedera Token Service tokens held by victims’ accounts were drained to attacker-controlled accounts. [more][more-2][more-Hedera]
The ongoing exploit has targeted the decompilation process in the Hedera network. In addition, bridged tokens have been frozen by Hashport, the enterprise-grade public utility that facilitates the movement of digital assets between distributed networks. [more]
7 Mar - DeFi protocol Tender.fi was drained of $1.59M worth of tokens after an attacker exploited the protocol’s price oracle by depositing only one GMX token (worth $71). [more][more-Tender.fi]
Tender.fi managed to reach a “white-hat” deal with the attacker, who kept 62.15 ETH (worth about $850,000) as a bug bounty reward instead. The rest of the tokens were returned to Tender.fi. [more]
5 Mar - Decentralized exchange Algodex has revealed that a malicious actor infiltrated a company wallet on March 5 in what “appears to be similar to what is currently happening in the Algorand ecosystem”. [more][more-Algodex]
According to Multi-Party Computation (MPC) wallet developer Safeheron, some multisignature (multisig) wallets can be exploited by Web3 apps that use the StarkEx protocol. The vulnerability affects MPC wallets that interact with StarkEx apps such as dYdX. Safeheron is working with app developers to patch the vulnerability. [more][more-Safeheron_press][more-wallet_reference]
Certain multisignature (multisig) wallets can be exploited by Web3 apps that use the StarkEx protocol, according to a March 9 press release provided to Cointelegraph by Multi-Party Computation (MPC) wallet developer Safeheron. The vulnerability affects MPC wallets that interact with StarkEx apps such as dYdX. According to the press release, Safeheron is working with app developers to patch the vulnerability.
Crypto exchanges Coinbase and Binance suspended USDC Conversions after Circle disclosed $3.3 billion worth of the cash backing USDC were locked in Silicon Valley Bank. [more]
Silicon Valley Bank collapses after failing to raise capital. [more]
In a recent tweet, on-chain detective ZachXBT said he was ending community requests for help with crypto scams, adding that he’s done more than his fair share in rooting out the actions of bad actors. [more]
“It has been a nice ride the past 22+ months and I’ve been more than generous with my time. Some of you forget I am a volunteer.”
Techwatch Select
Employees have been observed submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT. This has heightened concerns that artificial intelligence (AI) services could incorporate the data into their models, and that the information could be retrieved at a later date if proper data security is not in place for the service. [more]
In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In a separate case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.
A new paper from the University of California Berkeley reveals that privacy may be impossible in the metaverse without innovative new safeguards to protect users. [more][more-paper]
Bitwarden's credential autofill feature contains a risky behavior that could allow malicious iframes embedded in trusted websites to steal users' credentials and send them to an attacker. The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes. [more]
Bitwarden noted that "Bitwarden accepts iframe auto filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com” and "The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation.” [more]
Research noted the increase in API-related attacks and vulnerabilities in 2022 and predicted a further increase in 2023. Organisations should stay vigilant when using or hosting APIs in their environment. [more]
TRG Learn
What is Oracle (in the cryptospace)? [more]