Cryptospace Spotlight

1. 13 Mar - DeFi Euler Labs (Euler Finance) has been exploited for $197 million by an attacker through flash loan attack with 100ETH sent to Ronin Bridge exploiter. After failing to secure the return of fund with 10% of exploited fund as bounty reward, Euler Labs has offered a $1 million reward to anyone who can provide information that could lead to the retrieval of the stolen funds and the attacker’s arrest.[more][more-2]

   1. According to a google document shared by Blocksec, the attacker stole a bag of tokens consisted of DAI, USDC, WBTC and stETH.[more]

   2. On 17 Mar, the attacker sent 100 Ethereum (ETH) — approx. $170,468 — to the Ronin Bridge exploiter wallet. This has led to the community wondering if the transaction showed that the two attackers were the same person or if the transfer was intentional. [more]

   3. The Euler Labs CEO Michael Bentley said the DeFi protocol has always been a security-minded project, adding that its smart contracts, including the vulnerable lines of code, were audited. [more][more-EulerLabs]

      

2. Analysis of Euler Finance attack. Several investigative and DeFi related outlets have performed analysis of the Euler Finance attack. One noted that the attack correlates with the deflation attack one month ago. The attacker used a multichain bridge to transfer the funds from the BNB Smart Chain (BSC) to Ethereum and launched the attack today. Another noted that said that the movement of funds and the nature of the attack seems quite similar to black hats that exploited a BSC-based protocol last month. [more][more-2]

   1. Several DeFi projects were also affected by this attack. [more]

      1. Angle Protocol (over $17M of agEUR collateral, ANGLE down over 50%)

      2. Balancer ($11.9M of bbeUSD)

      3. Temple DAO ($5M, TEMPLE down 30%)

      4. Idle DAO (~$5M)

      5. Swissborg ($2.6M in ETH and $1.7M of USDT)

      6. Yield Protocol ($1.5M)

      7. Yearn ($1.38M of indirect exposure, losses to be covered by Treasury)

      8. Inverse Finance ($800k)

      9. And others

3. DeFi platform ParaSpace experienced an attempted exploit that put $5 million at risk. ParaSpace managed to pause its protocol and identify the cause of the exploit with all user funds, including NFTs safeguarded. [more]

   1. ParaSpace lost 50 to 150 ETH (less than $270,000) due to price slippage during the attack and the recovery. ParaSpace said it will cover those protocol losses. Furthermore, it said that it will provide a 5% bounty to BlockSec, which informed it of the issue.

4. Massive vulnerabilities were noted in top blockchains such as Dogecoin, Litecoin, and Zcash, putting about $25 billion of assets at risk. [more]

   1. The most critical vulnerability affected peer-to-peer communications, allowing attackers to craft malicious consensus messages to nodes and cause them to shut down, exposing the network to attacks, which could affect over $25 billion of assets. In total, cybersecurity firm Halborn identified over 280 vulnerable blockchains.

5. 4 out of 10 NFT sales were likely fake. This is known as NFT wash trading, and it inflates the volume on some platforms by 10x–20x the legitimate volume. [more]

   1. Wash trading in crypto is an offshoot of those early practices, whereby individuals or colluding parties buy and sell a particular financial asset among themselves to create the perception of higher trading volumes or liquidity. Exchanges and projects do it mainly to make themselves look more popular. 

Techrisk Select

1. Cloud Risk: With governments and businesses spending last two decades rushing to the cloud — trusting some of their most sensitive data to tech giants, the White House worried that the cloud is becoming a huge security vulnerability. It is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers ranging from mom-and-pop businesses to the Pentagon and CIA. [more]

2. AI Usage: Cybersecurity professional suggests that security teams can use GPT-3 to help defend against cyber attacks, despite GPT-3 and (the new 571X more powerful) GPT-4 are currently the potential tool to generate malware and ransomware code. [more]

   1. For example, Sophos researchers — including Sophos AI’s principal data scientist Younghoo Lee — used GPT-3’s large language models to develop a natural language query interface for searching for malicious activity across XDR security tool telemetry, detect spam emails and analyze potential covert “living off the land” binary command lines. 

3. AI Safety: With these fears present in the AI community (that AI will do things that go against human interests), OpenAI granted the group Alignment Research Center (ARC) early access to multiple versions of the GPT-4 model to conduct some tests. Specifically, ARC evaluated GPT-4's ability to make high-level plans, set up copies of itself, acquire resources, hide itself on a server, and conduct phishing attacks. [more]

   1. While ARC wasn't able to get GPT-4 to exert its will on the global financial system or to replicate itself, it was able to get GPT-4 to hire a human worker on TaskRabbit (an online labor marketplace) to defeat a CAPTCHA. During the exercise, when the worker questioned if GPT-4 was a robot, the model "reasoned" internally that it should not reveal its true identity and made up an excuse about having a vision impairment. The human worker then solved the CAPTCHA for GPT-4.

4. Security Framework: When using security or risk framework, it might be counter-productive if the organisation blindly follow one, endlessly searching for a better one, or even confusing a framework tool for its outcomes. This can distract the organisation from understanding and addressing the true risks it faces. To be clear, security frameworks can be very helpful when used correctly. [more]

TRG Learn

• How to get started with code review? [more]