TechRisk Notes#15: Crypto OG users targeted and lost $10M through unidentified exploitation techniques.
Also, Hundred Finance exploited for $7M, MiCA was approved and Cloud might make things easier for attackers. [23 Apr 2023]
Web3 Cryptospace Spotlight
Europe’s MiCA (Markets in Crypto Assets) regulation has received final approval and will take effect in 2024. [more]
15 Apr - Multi-chain DeFi protocol Hundred Finance suffered an exploit on a layer-2 scaling network and lost approximately $7 million worth of digital tokens. The attacker manipulated the exchange rate between ERC-20 tokens and hTokens, which allowed them to withdraw more tokens than they had originally deposited. [more][more-securityanalysis][more-securityanalysis2]
18 Apr - A targeted attack on OG crypto users was reported to have stolen more than 5,000 ETH (est. $10.4M) from their wallets since December. The security team behind the popular crypto wallet MetaMask indicated that the “unidentified exploit” hit crypto users “including, but not limited, to MetaMask users”. More puzzling, cold wallets were attacked as well. [more]
Based on preliminary indications, the community noted that “the on-chain behavior heavily suggests a private key compromise”, and
“what current investigations are showing is that it seems that this specific attack vector is pointing towards these users’ secret recovery phrases being compromised somewhere down the line, likely due to unintentionally insecure storage of said phrase”.
20 Apr - After negotiation, the Safemoon attacker will get to keep 20% of the $9 million in digital tokens stolen in late March. The attacker has since returned $7.2 million worth of digital tokens in two transactions to Safemoon’s treasury wallet. [more]
Near-miss event: The developer of the KyberSwap Elastic decentralized crypto exchange asked all liquidity providers to remove their funds as soon as possible after identifying a potential vulnerability in the exchange’s contracts. No funds were lost. [more]
Security Practice: Web3 security firm SlowMist shared recommended security practices for Web3 project development. [more]
EmergingTech Spotlight
Cloud Risk:
A study noted that “attackers can access 70% of critical assets in on-prem networks in just 3 steps”, and that “it’s even worse in the cloud, where 90% of critical assets are just one hop away from initial compromise”. [more]
Google has addressed a Google Cloud Platform (GCP) security vulnerability, named GhostToken, that impacted all users and allowed attackers to backdoor their accounts using malicious OAuth applications installed from the Google Marketplace or third-party providers. [more]
Cloud Adversary: In Google's April 2023 Threat Horizons Report, security researchers in its Threat Analysis Group (TAG) revealed that APT41 was abusing the GC2 (Google Command and Control) red teaming tool in attacks. [more]
FTC chair and fellow commissioners warned House representatives of the potential for modern AI technologies, like ChatGPT, to be used to “turbocharge” fraud. [more]
U.S. Homeland Security Secretary Alejandro Mayorkas said that the agency would create a task force to figure out how to use artificial intelligence to do everything from protecting critical infrastructure to screening cargo to ferret out products made with slave labor. [more]
China released draft measures to regulate generative AI. [more]