Cryptohack Roundup: Thieves Return Stolen Funds
Also: A $25M MEV Bot Attack and Crypto-Stealing Malware
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. Between March 31 and April 6, hackers returned millions of dollars in cryptocurrency they had stolen from Sentiment, Allbridge and Euler Finance; a rogue validator front-ran MEV bots to steal $25 million; bad actors used a new strain of malware that can get past multifactor authentication to steal cryptocurrency; and BNB Chain said it will upgrade its network to improve security.
Continuing the trend of hackers who steal funds from decentralized finance platforms and then return them for a "white hat bounty," a hacker returned 90% of the $1 million stolen from Sentiment, according to a Tuesday statement from the lending platform. In a reentrancy attack, the hacker exploited a bug in the Sentiment smart contract on the Arbitrum blockchain to repeatedly drain funds before the company plugged the hole. The company had earlier offered the hacker $95,000 and no legal repercussions for the return of the money by Thursday.
A hacker returned assets worth $465,000 stolen from Allbridge, taking up the multichain token bridge's offer of a white hat bounty and no legal proceedings. The compensation plan came into place after the hacker drained $573,000 by manipulating Allbridge's swap price function. Allbridge asked a second hacker, who also manipulated the swap price function to steal funds, to reach out to the company, as well.
Euler Finance Update
The Euler Finance hacker "did the right thing" and returned "all of the recoverable funds" stolen in the $196 million hack on March 13, the lending protocol's Tuesday tweet said. The company also detailed its redemption plans for the funds stolen in the flash loan attack.
MEV Bot Attack
A validator - an entity that verifies transactions on a blockchain and adds them to the digital ledger - went rogue on Sunday and stole $25.3 million on Ethereum from MEV bots that scan for unconfirmed transactions to run sandwich attacks, turning the bots' own scheme against them.
MEV - or maximum extractable value - bots monitor the blockchain for unconfirmed transactions in order to carry out "sandwich attacks," CertiK told ISMG. They "sandwich" a user's transaction by placing one transaction before the original and one after, similar to front running, in which a sophisticated actor sees the initial trade before it can be confirmed and acts to profit from it.
"The difference with a sandwich attack is that the MEV bot sells back all their assets after having used the user’s initial transaction to push the price higher, increasing profit," CertiK said. In this case, a malicious validator forced a series of transactions into the block to steal funds the bot planned to gain by front running, OtterSec explained.
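The ordering described above, modelled as an added example that is not from the article, CertiK or OtterSec: a fee-less constant-product pool (x * y = k, an assumed stand-in for a DEX pair) sees the bot's front-run, the user's swap and the bot's back-run in sequence. The user-side minimum-output bound (the usual "slippage tolerance", which the article does not mention) is the assumed mitigation: when the front-run pushes the fill below that bound, the user's trade reverts and the bot's profit collapses to zero.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Fee-less constant-product pool: reserves satisfy x * y = k after every swap."""
    x: float  # reserve of the token the user sells in this scenario
    y: float  # reserve of the token the user buys

    def quote_y(self, dx: float) -> float:
        """Amount of Y received for dx of X at current reserves."""
        return self.y - (self.x * self.y) / (self.x + dx)

    def swap_x_for_y(self, dx: float, min_out: float = 0.0) -> float:
        dy = self.quote_y(dx)
        if dy < min_out:  # slippage guard: refuse a fill worse than the user accepted
            raise ValueError(f"slippage: would receive {dy:.2f}, minimum {min_out:.2f}")
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy: float) -> float:
        dx = self.x - (self.x * self.y) / (self.y + dy)
        self.y += dy
        self.x -= dx
        return dx


def sandwich(victim_dx: float, bot_dx: float, slippage: float,
             reserves: tuple = (1000.0, 1000.0)) -> dict:
    """Replay front-run / user swap / back-run on constructed reserves.

    slippage is the fraction below the pre-block quote the user tolerates;
    1.0 means no guard at all. Returns what the user received (None if the
    trade reverted) and the bot's net gain in X.
    """
    pool = Pool(*reserves)
    min_out = pool.quote_y(victim_dx) * (1.0 - slippage)  # quote the user saw before the block
    bot_y = pool.swap_x_for_y(bot_dx)            # 1. bot buys first, pushing the price of Y up
    try:
        victim_got = pool.swap_x_for_y(victim_dx, min_out)  # 2. user's swap lands at the worse price
    except ValueError:
        victim_got = None                        # guard tripped: the user's trade reverts
    bot_x = pool.swap_y_for_x(bot_y)             # 3. bot sells everything back
    return {"victim_got": victim_got, "bot_profit": bot_x - bot_dx}
```

With the constructed 1000/1000 pool, a user selling 100 X is quoted about 90.9 Y; after a 200 X front-run the same trade fills at about 64.1 Y and the bot nets about 31.5 X, whereas a 1% bound reverts the trade and leaves the bot with nothing.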
Rilide Malware
Hackers are using a new strain of malware dubbed Rilide that's disguised as a legitimate Google Drive extension on Chromium-based browsers to steal cryptocurrency, Trustwave said. Thieves gain access to the victims' systems and monitor the users' browsing history, take screenshots and inject malicious scripts to withdraw funds. The malware deceives users into revealing their two-factor authentication details and withdraws cryptocurrency in the background.
BNB Chain Upgrade
BNB Chain is set to upgrade its network on Wednesday to boost the security and interoperability of the blockchains that form the BNB Chain network - the Beacon Chain and Smart Chain. The upgrade, dubbed Planck, will also migrate the network from the vulnerable IAVL proof verification - which hackers exploited in a multimillion-dollar hack in 2022 - to the ICS23 specification bridge security mechanism. Also called a hard fork, the upgrade seeks to ward off potential attacks with a new timer-lock mechanism for large cross-chain fund transfers and to allow automatic pausing of cross-chain channels during cybersecurity emergencies.
Tornado Cash Update
Six plaintiffs, backed by Coinbase, on Wednesday filed a motion for summary judgment in the U.S. District Court for the Western District of Texas, Austin Division, seeking a permanent injunction against the U.S. Department of the Treasury's sanctions on Tornado Cash. The plaintiffs contend the government overreached its powers in this case, saying it should not be allowed to sanction software such as Tornado Cash since it is "not a foreign national or person." Nor is it sanctionable property, since "no one can alter, delete or otherwise control the 20 smart contracts at the core of the TC software. They function w/o human control," said Paul Grewal, chief legal officer at Coinbase.
Coinbase Insider Trading Case Update
The U.S. Securities and Exchange Commission said it reached an in-principle agreement with Ishan Wahi, a former product manager at Coinbase accused of insider trading, to "resolve all of the SEC’s claims in this matter." In the Monday court filing, the agency said it is also in "good faith discussions" with currently imprisoned Nikhil Wahi. The Wahi brothers and their associate Sameer Ramani allegedly used confidential information from Coinbase to make more than $1 million.