Weird ‘null address’ iVest hack, millions of PCs still vulnerable to ‘Sinkclose’ malware: Crypto-Sec

by skolnes


Crypto scams, hacks and exploits and how to avoid them: Crypto-Sec

DeFi exploits: iVest hit with donation attack

Decentralized Finance protocol iVest Finance was the victim of a $156,000 exploit on Aug. 12, according to a report from blockchain security firm QuillAudits.

Transferring tokens to a null address (0x0) usually causes them to be lost forever. However, in the iVest protocol, transfers to the null address cause a _MakeDonation function to be called, which in turn causes “the sender’s balance [to be] incorrectly reduced by double the intended amount,” QuillAudits reported.
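The defect QuillAudits describes is an accounting error: the null-address path debits the sender once in the transfer and a second time inside the donation hook. The example below is added here and is a hypothetical model, not iVest's contract; it uses a toy ledger with a `double_debit` switch to reproduce that second debit and shows the check an auditor or test suite would run to catch it, a total-supply conservation invariant (every minted token is either held by an account or recorded as donated). The article does not detail how the attacker turned the double debit into a profit, and this model does not attempt to reconstruct that. Account names and balances are constructed.

```python
"""Toy ERC-20 style ledger used to show how a total-supply conservation
invariant exposes a double debit on transfers to the null address.
Example code added to this article; a hypothetical model, not iVest's code."""

NULL_ADDRESS = "0x0000000000000000000000000000000000000000"


class Ledger:
    """Minimal token ledger. `double_debit=True` reproduces the defect QuillAudits
    described: the donation hook debits the sender a second time."""

    def __init__(self, initial_balances, double_debit):
        self.balances = dict(initial_balances)
        self.total_supply = sum(self.balances.values())
        self.donated = 0              # tokens the donation hook has credited to the pool
        self.double_debit = double_debit

    def _make_donation(self, sender, amount):
        # Hypothetical stand-in for a _MakeDonation hook: credit the pool ...
        self.donated += amount
        if self.double_debit:
            # ... and, in the buggy variant, debit the sender again even though
            # transfer() already did. This is the "double the intended amount" defect.
            self.balances[sender] -= amount

    def transfer(self, sender, to, amount):
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        if to == NULL_ADDRESS:
            self._make_donation(sender, amount)
        else:
            self.balances[to] = self.balances.get(to, 0) + amount

    def conservation_gap(self):
        """Invariant: total_supply == held balances + donated tokens.
        A non-zero gap means tokens were silently created or destroyed."""
        return self.total_supply - (sum(self.balances.values()) + self.donated)


def run_scenario(double_debit):
    """Constructed scenario: alice donates 100 of her 1,000 tokens to the null
    address. Returns (alice_balance_after, conservation_gap)."""
    ledger = Ledger({"alice": 1_000, "bob": 500}, double_debit)
    ledger.transfer("alice", NULL_ADDRESS, 100)
    return ledger.balances["alice"], ledger.conservation_gap()


if __name__ == "__main__":
    print("buggy:", run_scenario(double_debit=True))   # (800, 100)
    print("fixed:", run_scenario(double_debit=False))  # (900, 0)
```

The buggy variant leaves a gap of exactly the donated amount, which is the signal an invariant test (or a fuzzing harness asserting `conservation_gap() == 0` after every call) would have raised before deployment.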

[Image: QuillAudits reports iVest attack. Source: QuillAudits]

The attacker repeated these steps over and over again, successfully draining over $156,000 worth of BNB and iVest tokens from the pool, most of which had been deposited by other users.

Quill stated that it would provide more updates as information becomes available. 

On its website, iVest describes itself as a project that combines “SocialFi and DAO governance with unique tokenomics to support our members and create thriving community projects.”

iVest acknowledged the attack through its official Telegram channel. “[U]nfortunately last night a hacker was able to run an exploit and steal some money from the DAO using a mechanism intended for donations,” it stated, adding that it has “identified the exploit and will work with a professional security firm to complete a full audit.”

The team also stated that it will replace the lost funds and resume normal operations once the security audit has been completed.

Malware vulnerability: AMD “Sinkclose” affects millions

Millions of PCs are affected by a vulnerability in AMD processors discovered on Aug. 9, according to a report from Wired. The discovery could be especially concerning for users who run software wallets such as MetaMask, Coinbase Wallet, Trustwallet or others on these devices.

The vulnerability, called “Sinkclose,” allows an attacker to create a “bootkit” that “evades antivirus tools and is potentially invisible to the operating system.” If a user’s device becomes infected with Sinkclose-associated malware, it is virtually impossible to remove. Even formatting the hard drive and reinstalling the operating system will not get rid of the malware.

The vulnerability was reportedly discovered by Enrique Nissim and Krzysztof Okupski, researchers for the cybersecurity firm IOActive, and was disclosed at the Defcon hacker conference on Aug. 10.

According to a separate report from Tom’s Hardware, AMD has released mitigation patches for many of the processors affected, and the PCs affected are “flagged to receive an update.” However, some older models will not be patched at all, as they “fall outside of the software support window.” These processors include the “Ryzen 3000 and older processors and Threadripper 2000 and older chips.”

For crypto users, the Sinkclose vulnerability could be especially concerning. It implies that if a device with an AMD processor is found to contain malware, formatting the hard drive and reinstalling the OS may not successfully remove it. In this case, a user should consider throwing away the device instead of attempting to “clean” it before installing a wallet.

For users who only do simple cryptocurrency transfers and do not use Web3 applications, using a hardware wallet may help mitigate the threat of Sinkclose-based malware. However, this is unlikely to help users who use Web3 applications, as these applications usually require users to “blind sign” or trust a PC to display transaction data since the data cannot be displayed on a hardware wallet’s LCD screen.

Given the threat from Sinkclose, users with AMD devices may want to check that their processor or graphics card firmware is updated to the latest version, as the company has announced that the latest patches contain “mitigations” against the vulnerability.

Phish of the week: Web3 gamer loses $69,000 in Tether

A Web3 gamer and memecoin trader lost over $69,000 worth of Tether (USDT) stablecoins from an approval phishing scam on Aug. 9. 

At 10:33 pm UTC, the user approved a malicious account labeled “Fake_Phishing401336” to spend all of their USDT. One minute after this approval, the attacker made two transfers from the victim’s account to other accounts. One of these transfers was for $58,702.42, while the other was for $10,359.25, for a total of $69,061.67.

Blockchain security platform Scam Sniffer detected the transactions and announced the attack on X.

[Image: Scam Sniffer reports USDT phishing attack. Source: Scam Sniffer/X]

In the past, the victim has traded Web3 gaming tokens such as Heroes of Mavia (MAVIA) and Immutable X (IMX), as well as memecoins like HarryPotterObamaSonic10Inu, MAGA (TRUMP), and Hemule. Other than these facts, not much is known about the victim.

Token approval phishing scams are a common way for Web3 users to lose their tokens. In such a scam, the attacker tricks the user into visiting a website that contains a malicious app. The app is usually disguised as one that the user trusts, such as a video game, NFT marketplace, or memecoin trading app that the user has visited in the past. But in fact, these apps usually reside at misspelled URLs and are not authorized by the company they are claiming to be made by.

When the user pushes a button on the malicious app, it pushes a token approval transaction to the user’s wallet. If the user confirms this approval, the attacker drains the victim’s wallet of whatever token was approved. In this case, the user lost over $69,000 thanks to the scam.

Web3 users are advised to carefully inspect both the URL and contract address of any website seeking token approval. This can potentially save users from costly losses.
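The approval transaction the malicious app pushes to the wallet is an ordinary ERC-20 `approve(spender, amount)` call, so the two things the article tells users to inspect, the spender (contract address) and the amount, are right there in the calldata. The example below is added here and is not a wallet's or Scam Sniffer's logic; it decodes that calldata and surfaces the warnings a wallet should show before the user confirms: an unlimited allowance (the maximum uint256), an allowance larger than the user's balance, and a spender the user has not knowingly used before. The addresses and the known-contract list are constructed placeholders; the balance is the article's loss of 69,061.67 USDT expressed in USDT's six-decimal raw units.

```python
"""Decode an ERC-20 approve() call and flag the hallmarks of an approval-phishing
prompt. Example code added to this article, not a wallet's or Scam Sniffer's code.
Addresses below are constructed placeholders, not real contracts."""
from dataclasses import dataclass
from typing import List, Optional

# First four bytes of keccak256(signature); both selectors are standard ERC-20.
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
TRANSFER_SELECTOR = "a9059cbb"  # transfer(address,uint256)
MAX_UINT256 = 2**256 - 1        # the "unlimited" allowance drainers ask for

PHISHING_SPENDER = "0x" + "ab" * 20   # constructed placeholder
KNOWN_ROUTER = "0x" + "cd" * 20       # constructed placeholder for a contract the user knows
VICTIM_BALANCE = 69_061_670_000       # 69,061.67 USDT in raw units (USDT has 6 decimals)


@dataclass
class ApprovalRequest:
    spender: str  # account being granted the allowance
    amount: int   # raw token units


def encode_approval(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector, then one 32-byte word per argument."""
    word_spender = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    word_amount = amount.to_bytes(32, "big")
    return "0x" + APPROVE_SELECTOR + word_spender.hex() + word_amount.hex()


def decode_approval(calldata_hex: str) -> Optional[ApprovalRequest]:
    """Return the approve() arguments, or None when the call is something else."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32 or data[:4].hex() != APPROVE_SELECTOR:
        return None
    # The address is right-aligned in its 32-byte word, so its last 20 bytes carry it.
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return ApprovalRequest(spender, amount)


def assess_approval(req: ApprovalRequest, known_spenders, balance: int) -> List[str]:
    """Warnings a wallet should surface before the user confirms the approval."""
    warnings = []
    if req.amount == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif req.amount > balance:
        warnings.append("allowance exceeds current balance")
    if req.spender.lower() not in {s.lower() for s in known_spenders}:
        warnings.append("spender is not a contract the user has knowingly used")
    return warnings


if __name__ == "__main__":
    phish = decode_approval(encode_approval(PHISHING_SPENDER, MAX_UINT256))
    print(assess_approval(phish, [KNOWN_ROUTER], VICTIM_BALANCE))
    # ['unlimited allowance', 'spender is not a contract the user has knowingly used']
```

A legitimate approval for a known router and a bounded amount produces no warnings, while the phishing prompt trips both checks. The unlimited allowance is the decisive one: it is what let the attacker in this case move the victim's whole USDT balance in two transfers a minute after the approval was confirmed.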

Update 8:40 a.m. UTC on August 13, 2024: This article has been updated to include a comment from the iVest team.

Christopher Roark

Some say he’s a white hat hacker who lives in the black mining hills of Dakota and pretends to be a children’s crossing guard to throw the NSA off the scent. All we know is that Christopher Roark has a pathological desire to hunt down scammers and hackers.
