Verichains Weekly Security Digest | March 2023 Week 1
Verichains officially launched our Security Advisories, reporting on Layer-1 blockchain security vulnerabilities to promote a safer and more secure blockchain and web3 ecosystem for all users. Last week, in incident news, the DeFi space continues to hemorrhage cash with 3 notable hacks accumulating over $5 million in losses.
Verichains Security Advisories
Verichains is excited to introduce our Security Advisories, designed to help companies identify and address vulnerabilities in their systems and networks before they can be exploited by malicious actors. This advisory is crucial for companies to maintain the security and integrity of their data and systems.
Verichains strictly adheres to its vulnerability disclosure policy. This process ensures that any vulnerabilities discovered during our assessment are disclosed responsibly to the affected party, allowing them to take the necessary steps to remediate the issue before it can be exploited by attackers. Taking this critical step will minimize the risk of catastrophic loss and business disruption.
Verichains Security Research team regularly posts security flaws and vulnerabilities identified during research and testing on our Security Advisories page here: https://www.verichains.io/security-advisories/
Security Advisory 1: Tendermint - Forging Membership Proof of Empty Merkle Tree Vulnerability in IAVL Proof
Verichains discovered a critical vulnerability in the Tendermint Core library that could have enabled attackers to steal assets from projects using its IAVL proof verification, such as BNB Chain.
Although the Tendermint/Cosmos maintainers were notified, they chose not to release a patch in the Tendermint library, as the IBC and Cosmos-SDK implementations had migrated from IAVL Merkle proof verification to ICS-23.
Verichains believes that the bug should still be fixed in the Tendermint library and therefore released the advisory to the public after waiting 120 days, in line with its vulnerability disclosure policy.
Read the full Security Advisory here:
Last Week’s Incidents:
🚨Project: Shata Capital
⛓️Chain: Ethereum
💥Type: Storage Collision
💸Loss amount: $5.14 million
Shata Capital suffered last week's largest loss: it was exploited for $5.14 million, and it stings even more to know that the hacker spent only 0.1 ETH to do so. The attacker deposited 0.1 ETH into EFVault, which was then upgraded by the owner, to gain a certain amount of shares. However, the upgrade did not properly initialize new variables and did not account for the data storage structure of the old (un-upgraded) version, allowing the attacker to set a variable much higher than expected and steal USD from the contract.
🚨Project: LaunchZone
⛓️Chain: BSC
💥Type: Access Control
💸Loss amount: $88,000
Yet another DeFi project was struck with an $88,000 hack last week. LaunchZone was exploited when an attacker used a security flaw in the unverified Contract X, which allowed the "transferFrom()" function to be called from any address, to manipulate the LZ Token price on Biswap and swap 9.8T LZ for nearly 88k BUSD on PancakeSwap. Noticing that one of our former clients had been hacked, Verichains quickly jumped into action, conducted an investigation, and sent detailed information and analysis of the incident to the LaunchZone team to fix the issue and mitigate further damage.
You can read our write-up here:
🚨Project: Alexa
⛓️Chain: BSC
💥Type: Business Logic Flaw
💸Loss amount: $13,171
Why do you need to audit your contract for business logic errors? Because it can be very costly, as in $13,171 in the case of Alexa, a DeFi project. The bug in the Alexa token contract occurred because of the mishandling of token transfer logic. The issue arises when both the sender and the recipient are a Pancake-pair, which results in the transfer amount being added twice for the recipient. An attacker exploited this bug by transferring Alexa tokens to the Alexa-WBNB pair and repeatedly triggering the vulnerability by calling the 'pair.skim(pair)' function. This allowed the attacker to exploit the flawed logic and drain the Alexa token pool from the pair.
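The double credit described above breaks a basic ledger invariant (the sum of balances must equal total supply), which is exactly what an audit or invariant test should check. The following is an added example, not the Alexa contract's code or Verichains' analysis: a toy Python ledger whose class names, balances and the exact shape of the bug are assumptions made for illustration, run once with the flawed transfer and once with the corrected one.

```python
# Added illustration: a toy ledger, not the Alexa contract's code.
PAIR, USER = "pair", "user"  # constructed address labels

class Token:
    """flawed=True models the double credit on pair-to-pair transfers."""
    def __init__(self, flawed):
        self.flawed = flawed
        self.balances = {PAIR: 1_000, USER: 100}  # constructed balances
        self.total_supply = sum(self.balances.values())

    def transfer(self, sender, recipient, amount):
        if amount < 0 or self.balances[sender] < amount:
            raise ValueError("invalid amount")
        self.balances[sender] -= amount
        self.balances[recipient] += amount
        # Assumed shape of the bug: a second credit when both ends are the pair.
        if self.flawed and sender == PAIR and recipient == PAIR:
            self.balances[recipient] += amount

    def supply_conserved(self):
        # Invariant: transfers must never change the sum of all balances.
        return sum(self.balances.values()) == self.total_supply

class Pair:
    """Only the part of an AMM pair needed here: a cached reserve and skim()."""
    def __init__(self, token):
        self.token = token
        self.reserve = token.balances[PAIR]

    def skim(self, to):
        # Sends whatever the pair holds above its cached reserve to `to`.
        excess = self.token.balances[PAIR] - self.reserve
        self.token.transfer(PAIR, to, excess)

def run(flawed, rounds=5):
    """Return (excess over reserve, invariant holds) after each skim(pair)."""
    token = Token(flawed)
    pair = Pair(token)
    token.transfer(USER, PAIR, 10)  # creates a 10-token excess over the reserve
    history = []
    for _ in range(rounds):
        pair.skim(PAIR)
        history.append((token.balances[PAIR] - pair.reserve, token.supply_conserved()))
    return history

if __name__ == "__main__":
    print("flawed :", run(True))
    print("correct:", run(False))
```

With the flawed transfer the excess doubles on every call and the invariant fails on the first one; with the corrected transfer a pair-to-pair skim is a no-op and the invariant holds.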