Verichains Weekly Security Digest | March 2023 Week 2
In this week's digest, Verichains releases another Security Advisory, VSA-2022-101. We also discuss the potential impact on the crypto industry in the wake of the calamitous collapse of three crypto-friendly banks. In incident news, four significant hacks were monitored, with losses in the millions.
Verichains Security Advisory
As a follow-up to our previous public Security Advisory release, VSA-2022-100, we are now releasing VSA-2022-101: "From Nil to Spoof - Critical IAVL Spoofing Attack via Multiple Vulnerabilities".
A critical vulnerability in BNB Chain and the Tendermint Core library allows an attacker to carry out attacks similar to the 2 million BNB hack (equivalent to 600 million USD) on the BNB Bridge last October.
We advise projects that are still using Tendermint Core / Cosmos-SDK to reach out to Verichains at info@verichain.io to secure their code.
Read the full Security Advisory here:
The Silver Lining
In what seems like a calamitous whirlwind, Silicon Valley Bank (SVB) and Silvergate both collapsed over the weekend. To prevent further contagion within the banking industry, US regulators also shut down Signature Bank, making it the third crypto-friendly bank to close shop.
Amid the market turmoil, Verichains remains optimistic. We believe in the ingenuity of the crypto industry to innovate and adapt in the face of adversity. The industry will likely turn to alternative solutions such as decentralized exchanges (DEXs), peer-to-peer (P2P) trading platforms, the creation of new crypto-friendly banks, and perhaps the deployment and adoption of a US Central Bank Digital Currency (CBDC).
Check out our co-founder - Thanh Nguyen’s comment which was featured on Business Insider here: https://markets.businessinsider.com/news/currencies/crypto-market-outlook-banking-crisis-expert-forecasts-svb-signature-silvergate-2023-3
Last Week’s Incidents
🚨Project: Tender Finance
⛓️Chain: Arbitrum
💥Type: Misconfiguration
💸Loss amount: $1.59 million
On the morning of March 7th, customers of @tender_fi were greeted with the cataclysmic news that the team was investigating an incident and would be pausing further borrowing.
Lo and behold, the protocol had been hacked to the tune of $1.59 million through a vulnerability in a new oracle that Tender Finance had set up on March 6th to provide the price of GMX.
The oracle contract included a function called "getUnderlyingPrice" which contained a bug that allowed the price of GMX to be multiplied by a factor of 1e20 (a 1 followed by 20 zeroes).
In a surprising turn of events, the hacker in question happens to be a white hat and struck an agreement with the project to return all funds while keeping 62.158670296 ETH (roughly 80k) as a bounty for discovering the exploit.
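The Tender Finance incident is a reminder that a lending market trusts whatever its price adapter returns. The following contract is an added example (not Tender Finance's oracle, nor any code from this digest) of how a getUnderlyingPrice function can defend itself against a scaling slip of the 1e20 kind: it derives the scaling factor from the feed's own decimals() instead of a hard-coded multiplier, rejects stale answers, and refuses any value that moves more than a configured percentage away from the last accepted price. The IPriceFeed interface, the MAX_STALENESS and MAX_DEVIATION_BPS constants and the GuardedPriceOracle name are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal Chainlink-style feed interface (constructed for this example).
interface IPriceFeed {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative oracle adapter. A lending market calls getUnderlyingPrice()
/// and sizes loans against the result, so any scaling error here is a solvency bug.
contract GuardedPriceOracle {
    uint256 public constant TARGET_DECIMALS = 18;
    uint256 public constant MAX_STALENESS = 1 hours;    // assumption: reject answers older than this
    uint256 public constant MAX_DEVIATION_BPS = 2_000;  // assumption: at most a 20% jump per update

    IPriceFeed public immutable feed;
    uint256 public lastAcceptedPrice; // 18-decimal price last returned to a caller

    constructor(IPriceFeed _feed, uint256 initialPrice) {
        require(initialPrice > 0, "oracle: zero initial price");
        feed = _feed;
        lastAcceptedPrice = initialPrice;
    }

    /// @dev Scales the raw answer to 18 decimals using the feed's reported decimals(),
    ///      never a hard-coded 10**N. A wrong hard-coded N is the class of mistake that
    ///      turns a correct feed value into one that is 1e20 times too large.
    function getUnderlyingPrice() external returns (uint256 price) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "oracle: stale answer");

        price = _scale(uint256(answer), feed.decimals());
        _checkDeviation(price);
        lastAcceptedPrice = price;
    }

    function _scale(uint256 raw, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return raw;
        if (feedDecimals < TARGET_DECIMALS) return raw * 10 ** (TARGET_DECIMALS - feedDecimals);
        return raw / 10 ** (feedDecimals - TARGET_DECIMALS);
    }

    /// @dev Circuit breaker: a freshly deployed or misconfigured feed whose answer is orders of
    ///      magnitude away from the last accepted price reverts instead of being lent against.
    function _checkDeviation(uint256 price) internal view {
        uint256 reference = lastAcceptedPrice;
        uint256 diff = price > reference ? price - reference : reference - price;
        require(diff * 10_000 <= reference * MAX_DEVIATION_BPS, "oracle: deviation too large");
    }
}
```

Because the deviation check stores the last accepted price, getUnderlyingPrice is not a view function here; a market that needs a view oracle can keep the same two checks (decimals-derived scaling and a bounded jump) against a governance-set reference price instead. The deviation bound is a circuit breaker, not a price-manipulation defence: it stops a fat-fingered feed from being used at all, which is exactly the failure mode described above.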
🚨Project: Phoenix Finance
⛓️Chain: Polygon
💥Type: Access Control & Arbitrary External Call
💸Loss amount: $100,000
A DeFi platform called Phoenix Finance suffered a $100,000 loss last week because a function in PhxProxy lacked access control and accepted arbitrary parameters. The attacker created a disposable OTP token and triggered PhxProxy, swapping it for profit.
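The Phoenix Finance bug combines two weaknesses, a missing caller check and an arbitrary external call, and both need closing. The pair of contracts below is an added example written for this digest, not Phoenix Finance's PhxProxy or any other code from the page: UnsafeProxy shows the pattern as described (anyone can make the contract call any target with any calldata, which is dangerous the moment users have approved the contract to spend their tokens), and GuardedProxy shows the same forwarding call with an owner check, a target allow-list, and a rule that token contracts the proxy holds allowances on can never become call targets. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// @notice VULNERABLE pattern (constructed illustration, not Phoenix Finance's code).
/// Any caller can make this contract call any target with any calldata. Users who have
/// approved this contract to spend their tokens are exposed, because from the token's point
/// of view the proxy itself is the spender.
contract UnsafeProxy {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// @notice HARDENED pattern: the forwarding call is (1) restricted to an authorised caller,
/// (2) limited to an allow-list of targets and (3) never aimed at a token the proxy holds
/// allowances on, so the "any parameter" surface disappears.
contract GuardedProxy {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;  // audited routers/adapters only
    mapping(address => bool) public isManagedToken; // tokens users approve to this contract

    event Executed(address indexed caller, address indexed target, bytes4 selector);

    modifier onlyOwner() {
        require(msg.sender == owner, "proxy: not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        // A token the proxy can spend on users' behalf must never be a raw call target.
        require(!isManagedToken[target], "proxy: token contracts are never call targets");
        allowedTarget[target] = allowed;
    }

    function setManagedToken(address token, bool managed) external onlyOwner {
        require(!allowedTarget[token], "proxy: already an allowed target");
        isManagedToken[token] = managed;
    }

    function execute(address target, bytes calldata data) external onlyOwner returns (bytes memory) {
        require(allowedTarget[target], "proxy: target not allowed");
        require(data.length >= 4, "proxy: missing selector");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "proxy: call failed");
        emit Executed(msg.sender, target, bytes4(data[:4]));
        return ret;
    }
}
```

When reviewing a proxy or router of this shape, the questions to ask are exactly the three enforced above: who may call the forwarding function, which addresses it may reach, and whether any reachable address is a token that users have approved to the contract. The Executed event also gives monitoring a selector-level trail of every forwarded call.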
🚨Project: DKP Token
⛓️Chain: BSC
💥Type: Price Manipulation
💸Loss amount: $80,000
A vulnerability was found and exploited in the swap mechanism between a token called DKP and USDT on PancakeSwap. The attacker exploited it to their advantage and made a gain of $80k. It is unclear exactly how the ratio was manipulated, but it is likely that some form of arbitrage or market manipulation using flash loans was involved.
🚨Project: Kashi
⛓️Chain: Ethereum
💥Type: Oracle Manipulation
💸Loss amount: $27,000
The root cause was that the price oracle was not updated during the borrow action. Consequently, the attacker carried out a liquidation to update the price oracle, resulting in the refund of the collateral and repayment of a lower asset value than required.
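The Kashi root cause above is a question of when the cached price is refreshed, and the fix is a one-line change in the borrow path. The simplified lending pair below is an added example for this digest, not Kashi's or SushiSwap's code: borrowStale sizes the loan against whatever exchange rate was last cached (the vulnerable behaviour), while borrow refreshes the oracle first so the solvency check always runs against the live rate, the same rate liquidate uses. The IOracle interface, the rate direction (asset units per collateral unit, 1e18-scaled) and the 75% collateralization constant are assumptions; token transfers and collateral seizure are omitted to keep the focus on the ordering.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed oracle interface: returns asset units per collateral unit, scaled to 1e18.
interface IOracle {
    function get() external returns (bool success, uint256 rate);
}

/// @notice Simplified lending pair (hypothetical, not Kashi's code). Balances are plain
/// accounting entries so that the example stays focused on when the price is refreshed.
contract LendingPairExample {
    uint256 public constant PRECISION = 1e18;
    uint256 public constant COLLATERALIZATION_RATE = 75e16; // assumption: borrow up to 75% of collateral value

    IOracle public immutable oracle;
    uint256 public exchangeRate; // cached: asset per collateral, 1e18-scaled
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrowed;

    constructor(IOracle _oracle) {
        oracle = _oracle;
    }

    function addCollateral(uint256 amount) external {
        collateral[msg.sender] += amount; // token transfer omitted
    }

    /// @dev Refreshes the cached rate. Anyone may call it, and liquidate() always does,
    ///      which is why a borrow path that skips it lets the two paths disagree.
    function updateExchangeRate() public returns (uint256) {
        (bool ok, uint256 rate) = oracle.get();
        require(ok, "pair: oracle failed");
        exchangeRate = rate;
        return rate;
    }

    function _isSolvent(address user, uint256 rate) internal view returns (bool) {
        // collateral value in asset terms, scaled by the allowed collateralization ratio
        uint256 maxBorrow = collateral[user] * rate / PRECISION * COLLATERALIZATION_RATE / PRECISION;
        return borrowed[user] <= maxBorrow;
    }

    /// @notice VULNERABLE: checks solvency against the stale cached rate. If the collateral
    /// has fallen in value since the last update, the borrower gets more asset than the
    /// live price would allow.
    function borrowStale(uint256 amount) external {
        borrowed[msg.sender] += amount;
        require(_isSolvent(msg.sender, exchangeRate), "pair: insolvent");
    }

    /// @notice FIXED: refresh the oracle before the solvency check, so the rate used to
    /// hand out funds is never more favourable than the one liquidate() will use.
    function borrow(uint256 amount) external {
        uint256 rate = updateExchangeRate();
        borrowed[msg.sender] += amount;
        require(_isSolvent(msg.sender, rate), "pair: insolvent");
    }

    function liquidate(address user) external {
        uint256 rate = updateExchangeRate();
        require(!_isSolvent(user, rate), "pair: user is solvent");
        // seizure of collateral and repayment omitted
    }
}
```

The invariant worth testing in any lending pair is that every state transition which moves value out of the pool (borrow, withdraw collateral, liquidate) evaluates solvency against the same freshly read price; any path that reads a cached value while another path can refresh it creates exactly the window described above.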