TechRisk Notes#14: Old code can become a liability
Also, crypto exchanges' hot wallets getting hacked, IoT devices are great attack surface, US looks to regulate AI, new carjacking method through headlights, and more. [16 Apr 2023]
Cryptospace/Web3 Spotlight
14 Apr - Crypto exchange Bitrue, located in Singapore, announced that it lost $23 million in digital tokens after one of its hot wallets was exploited. The loss was noted to be less than 5% of the exchange’s overall funds. Bitrue has since temporarily suspended all withdrawals to conduct a security review. [more][more-Bitrue]
13 Apr - DeFi platform Yearn Finance was the target of a complex attack and lost approximately $11.6 million worth of stablecoin. The root cause was a dated (three-year-old) version of the savings protocol with a misconfigured function that could mint tokens. [more]
12 Apr - Metaverse platform MetaPoint was hacked and lost nearly $1 million worth of digital tokens. The attacker has since transferred the digital tokens to Tornado Cash. According to a security analysis, the problem is that the contract has a feature called "approve" that gives the caller access to $META tokens without any restrictions. [more]
10 Apr - DeFi platform Terraport Finance revealed that its liquidity wallet was hacked, resulting in $2 million worth of digital assets being drained. [more]
Terraport Finance was created to rebuild the Terra Luna Classic ecosystem by increasing the Luna Classic (LUNC) burn rate.
10 Apr - South Korean crypto exchange GDAC’s hot wallet was hacked for nearly $13 million worth of digital tokens (approximately 23% of its total custodial assets). The attacker has since transferred the digital tokens to an unidentified wallet. [more][more-GDAC]
9 Apr - DeFi exchange Sushiswap’s newly deployed smart contract was exploited by an attacker, losing $3.3 million worth of ETH. This was due to a lack of parameter validation in the new contract when performing trade routing. [more][more-sushiswap][more-securityanalysis]
EmergingTech Spotlight
ChatGPT bug bounty: OpenAI announced the launch of a bug bounty program (run by crowdsourced cybersecurity company Bugcrowd) to help address its cybersecurity risk. [more]
ChatGPT data loss: Samsung's semiconductor division staff leaked confidential information to ChatGPT on at least three occasions after they were allowed to use it. [more]
One employee reportedly asked the chatbot to check sensitive database source code for errors,
another solicited code optimization and
a third uploaded a recorded meeting into ChatGPT and asked it to generate minutes.
AI regulation: The Biden administration noted that it is seeking public comments on potential accountability measures for AI systems as questions loom about its impact on national security and education. [more]
AI adversary: It was noted that, with the help of AI, 51% of passwords could be compromised in under one minute and 71% cracked in less than a day. [more]
The reason AI is making such a difference in password cracking is that instead of having to run manual password analysis on leaked password databases, PassGAN is able to “autonomously learn the distribution of real passwords from actual password leaks.”
Extended IoT security: Extended IoT devices (xIoT) are cyberattackers’ favorite when seeking to move laterally and establish persistence within enterprise networks. [more]
Carjacking through ‘smart’ headlights: It was noted that keyless car theft could be done through a car’s headlight module. The reason thieves have chosen this point of entry is that it offers the easiest way to hook into a vehicle’s CAN bus and impersonate the smart key ECU to start the car. [more][more-technicalanalysis]
The CAN bus of a vehicle is the method by which the numerous electronic control units (ECUs) throughout a modern vehicle communicate with each other.
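Because classic CAN frames carry no sender identity, a frame injected through the headlight wiring that imitates the smart key ECU looks identical by content to the real one; what an injected frame does change is timing, since most ECU messages are broadcast on a fixed period. The following added example (written for this note, not code from the newsletter or from the linked technical analysis) is a small frequency-based detector over candump-style log lines: it learns the normal period of each arbitration ID from a clean capture and flags frames that arrive far too soon, or under an ID never seen in the baseline. The log format, the IDs (1A0, 2B0, 3C0) and the periods are all constructed for illustration.

```python
"""Added example: period-based anomaly detection for CAN bus traffic.
Log format assumed: "(timestamp) iface ID#DATA", as in SocketCAN's candump -L.
All IDs, periods and log lines below are constructed, not taken from any vehicle."""

from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed clean capture: ID 1A0 every 100 ms, ID 2B0 every 50 ms.
CLEAN_CAPTURE = [
    "(0.000) can0 1A0#00",
    "(0.050) can0 2B0#10",
    "(0.100) can0 1A0#00",
    "(0.100) can0 2B0#10",
    "(0.150) can0 2B0#10",
    "(0.200) can0 1A0#00",
    "(0.200) can0 2B0#10",
    "(0.250) can0 2B0#10",
    "(0.300) can0 1A0#00",
]

# Constructed suspect capture: same traffic plus one injected 1A0 frame at
# 130 ms (only 30 ms after the genuine one), one frame under an unknown ID,
# and one malformed line that the parser must skip.
SUSPECT_CAPTURE = [
    "(0.000) can0 1A0#00",
    "(0.050) can0 2B0#10",
    "(0.100) can0 1A0#00",
    "(0.100) can0 2B0#10",
    "(0.130) can0 1A0#FF",
    "not a can frame",
    "(0.150) can0 2B0#10",
    "(0.200) can0 1A0#00",
    "(0.200) can0 2B0#10",
    "(0.250) can0 2B0#10",
    "(0.260) can0 3C0#AA",
    "(0.300) can0 1A0#00",
]


def parse_line(line):
    """Return (timestamp, id, data) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("id").upper(), m.group("data").upper()


def learn_baseline(lines):
    """Mean inter-arrival interval per arbitration ID, learned from clean traffic."""
    last, gaps = {}, defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, can_id, _ = rec
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: sum(g) / len(g) for cid, g in gaps.items() if g}


def detect_injection(lines, baseline, tolerance=0.5):
    """Return (timestamp, id, reason) alerts.

    'rate': a frame arrived sooner than tolerance * learned period, which is
    what a spoofed copy of a periodic message produces.
    'unknown-id': an ID never observed in the clean baseline.
    """
    last, alerts = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, can_id, _ = rec
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < baseline[can_id] * tolerance:
            alerts.append((ts, can_id, "rate"))
        last[can_id] = ts
    return alerts


if __name__ == "__main__":
    base = learn_baseline(CLEAN_CAPTURE)
    for ts, cid, why in detect_injection(SUSPECT_CAPTURE, base):
        print(f"t={ts:.3f} id={cid} {why}")
```

The tolerance of 0.5 is deliberately loose so that ordinary jitter on a real bus does not trip it; a production detector would also track data-field changes and per-ID jitter statistics, but the point here is that timing, not content, is what betrays an injected frame on a bus with no authentication.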