    E21 - Gala Games Attacked By A Whitehat & 50K BTC Silkroad Hacker Pleads Guilty

    November 08, 2022
    Recent Episodes from I, Degen

    E17 - OPSEC at DEVCON 6 - 10/6/2022

    ---> Full show notes on HackMD  <---

    I, Degen - E17: OPSEC at DEVCON 6 - 10/06/2022

    Listen at: idegen.fm

    Contact us: @idegenfm


    Intro

    Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.


    Episode Summary

    This week we’ll do our usual weekly review of crypto security-related topics. We’re going to dig into the issue of conference OPSEC, or operational security, as we’re less than a week out from Ethereum’s flagship developer conference, and rumors swirl about security concerns in Bogota.


    I, Degen - Weekly Review

    1. Sunday, October 2nd - Transit Swap Users Rocked for 21M
    2. Transit Swap has lost $21M to a vulnerability which allowed an unknown attacker to drain the wallets of users who had approved the protocol’s swap contracts.
    3. Leading up to Ethereum’s flagship developer conference being held in Bogotá, Colombia next week, a wave of Tweets and some articles surfaced questioning the safety of conference goers. FUD or legit concern? We’ll dig more into this in the deep dive in a few minutes.
    4. Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education
    5. Our Nation continues to face a significant shortfall in cyber talent, with estimates of approximately 700,000 open positions.
    6. October 1st, 2022 - No Digital Dollar Act Introduced - From Bitcoin.com
    7. U.S. Senator James Lankford (R-OK) announced Thursday that he has introduced a bill titled “No Digital Dollar Act” to prohibit the U.S. Treasury and the Federal Reserve from interfering with Americans using paper currency if a digital currency is adopted and makes certain individuals can maintain privacy over their transactions using cash and coins.
    8. October 4th, 2022 From Axios- Why Kim Kardashian got fined and Matt Damon didn’t
    9. Kim Kardashian was fined $1.26 million Monday for touting crypto schemes — even as much more high-profile pitches from the likes of Matt Damon and Larry David have gone unpunished. The seeming double standard is a function of a subtle yet crucial distinction in securities law.
    10. Where Kardashian crossed the line was when she endorsed a crypto asset security.
    11. How it works: If you’re endorsing a company, the only rules that apply are the relatively lax ones from the FTC.
    12. If you’re shilling a security, then disclosing that you were paid — as Kardashian did with an #AD hashtag — is not enough; you also need to disclose how much you were paid.
    13. The bottom line: If you’re going to tout crypto, tout a crypto company, not a coin.

    Moving on… Usually, we focus on looking back at crypto security-related events of the previous week. I thought maybe we could also highlight any relevant upcoming events each week.


    I, Degen - Looking Forward

    1. Devcon next week - There will be a keynote talk on the Nomad Bridge Hack. I think there will be a live stream if you are not attending.
    2. November 15th, PyChain - The First Virtual Event for Python and Blockchain Developers
      • Call for speakers is open
      • Free Tickets


    I, Degen - Deep Dive

    A wave of Tweets and some articles surfaced questioning the safety of conference goers leading up to Ethereum’s flagship developer conference in Bogotá, Colombia, next week.

    Veteran Devcon attendees will remember a similar panic from previous events, including Devcon III in Cancun, Mexico, where

    Is this FUD or a legit concern? Let’s dig in.

    Question: Is this a credible threat, in which there is a concentrated effort to target Devcon attendees, or is this FUD?

    If we follow the Tweets, the picture is unclear.

    This year’s Devcon security panic seems to have started with news outlets picking up a tweet from crypto_mackenna.

    However, it’s worth noting that the article in question doesn’t mention Crypto_McKenna’s follow-up Tweet reply on that same day, which balances the original Tweet.

    There were also some sensational crypto influencer tweets that we’ll ignore, mainly because they are purely opinion based, don’t provide any credible evidence of a threat, and are likely just ego-feeding clout farmers. I mention them because it is essential to understand and acknowledge that they play into the overall perception and conversation, even if they hold little substance and merit.


    Staying safe at Devcon in Bogota Twitter threads:

    - @lililashka

    - @camiinthisthang


    Good OPSEC at conferences in general

    While those are important and contain good information relevant to staying safe in Bogota, I thought it might be helpful to dig deeper and tap into the wealth of existing information on conference OPSEC.

    OPSEC for Defcon #1 from Darkangle.net

    Before we continue, you should understand that everyone’s security needs are not the same.

    ZW: What is the personal threat model? Most crypto people don’t need to defend against nation states.

    1. Maintaining custody of your devices is a sound defense from parties that would seek to make modifications to your equipment or outright steal your hardware. This means of security only requires you to make sure you know where your stuff is, and whose handl...

    E16 - Reversible Transactions - 10/1/2022

    Listen at: idegen.fm

    Contact us: @idegenfm


    Intro

    Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.


    Episode Summary

    This week we discuss the draft of the US House’s Stablecoin bill. CFTC’s 250k fine for BzX & the Ooki DAO. We talk about the 0xBAD MEV bot getting owned, and we dig into the recent paper on reversible ERC20 and ERC721 transactions.


    I, Degen - Weekly

    1. 9/20/2022 - From CryptoBriefing - US House proposes stablecoin bill that would put a two-year ban on algorithmic stablecoins
    • U.S. lawmakers are reportedly drafting a bill to place a two-year ban on certain stablecoins.
    • The House Stablecoin Bill would target “endogenously collateralized stablecoins.”
    • The bill would allow both banks and non-banks to issue stablecoins. However, bank issuers would need approval from federal regulators such as the OCC. As for non-bank issuers, the legislation directs the Federal Reserve to establish a process for making application decisions.
    • The House Stablecoin Bill would make it illegal to issue or create new stablecoins that mimic the functionality and features of TerraUSD.

    NOTE: This is an early draft, not final, so take it for what it is.

    2. $2M in assets seized from Whitby, Ont. man
    • Aiden Pleterski, who calls himself “Crypto King,” had $2 million of assets seized: a Lamborghini, two McLarens, and two BMWs.
    • Pleterski was reportedly given $35 million by 140 investors.
    • Now, he’s being sued by former investors in a bankruptcy proceeding and two civil lawsuits.
    • Investors told the publication that at least $35 million given to Pleterski’s company, AP Private Equity Limited, went missing.
    • No criminal charges yet.
    3. 9/22/2022 - CFTC Press Release
      • By transferring control to a DAO, bZeroX’s founders touted to bZeroX community members the operations would be enforcement-proof—allowing the Ooki DAO to violate the CEA and CFTC regulations with impunity, as alleged in the federal court action.
       –> CFTC Penalizes Blockchain Protocol $250K, Files Action Against Successor DAO
      9/27/2022 - Coindesk: The CFTC Served Ooki DAO Papers by Posting Them in an Online Discussion Forum
      Members of Ooki DAO – which operates a protocol that offers illegal, off-exchange tokenized margin trading and lending services – were notified of the lawsuit when a CFTC paralegal posted the complaint and other documents to an online discussion forum meant for DAO members to discuss governance issues, a CFTC attorney claimed in a court filing. The documents were simultaneously submitted through a help chat box on the DAO’s website.

      –> Coindesk
    4. Terra Luna Saga Continues --> Interpol issues arrest warrant for Do Kwon
    5. Reddit user claims Gemini shut down their account because they interacted with the Wasabi BTC mixer
    6. Lazarus hacker group targets macOS users with fake crypto.com job postings
    7. China busts ring of 93 people for allegedly laundering more than $5B
      • “9.15 Gang”
      • 4 years of operation
      • The group, in operation since 2018, also facilitated the cashing of illicit funds from fraud, gambling, and other crypto-related activities into U.S. dollars to eliminate traces of illegality.
    8. Binance launches Global Law Enforcement Training Program to help LE fight cybercrime
    9. 0xBAD MEV Bot gets owned

    I, Degen - Deep Dive

    We’re tracking a separate doc with notes on the ERC20R stuff here.


    I, Degen - Freestyle Convo

    Dear Redditors: If you torture the data long enough, they will confess anything

    First Chess, now Poker…


    I, Degen - Hack Attempt of the Week

    Github Key Scraper - This is not new, but never a bad idea to have a reminder: Be careful what you commit to your repos.

    Outro

    We do our best to report accurately on the topics we discuss but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!

    Full show notes on hackmd @ https://hackmd.io/@idegen/E16-Reversible-ERC20-ERC721

    E15 - Wintermute's 160 Million Dollar Key Generation Lesson - 9/20/2022

    Listen at: idegen.fm

    Contact us: @idegenfm


    Intro

    Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.


    Episode Summary

    In this episode, we hunt for Do Kwon and look at the White House’s comprehensive framework for the responsible development of digital assets. Then we look into Wintermute’s 160M key generation issue. We discuss emerging post-merge Ethereum narratives and the Omni bridge replay attack. We also get into an IRL customs scam for our hack attempt of the week.


    I, Degen - Weekly

    1. 9/14/22 - South Korean Court Issues Arrest Warrant for Terra Luna founder Do Kwon [2]
    The wanted crypto developer Do Kwon, who is accused of fraud by investors following the $45 billion (€45 billion) collapse of his cryptocurrencies Luna and TerraUSD, is reportedly trying to evade South Korean authorities. Prosecutors have accused Kwon of financial fraud, arguing that his terraUSD stablecoin was a kind of investment security under South Korea’s capital markets act [2]. Kwon moved from South Korea to Singapore, where the now defunct stablecoin issuer Terraform Labs, which he co-founded, has a base. However, Singapore Police Force said on Saturday he is currently not in the city-state. South Korean prosecutors told Bloomberg in a text message on Monday that there has been “circumstantial evidence of escape” since he left Singapore. The media outlet said prosecutors declined to comment on whether the office knows of Kwon’s whereabouts or if it will contact the international police agency Interpol. Last week, Kwon was charged with violating the Capital Markets Act, and an arrest warrant was issued for him and five allegedly connected to the case who were believed to be in Singapore.
    – EuroNews
    2. White House Releases Comprehensive Framework for Responsible Development of Digital Assets
    Over the past six months, agencies across the government have worked together to develop frameworks and policy recommendations that advance the six key priorities identified in the EO: consumer and investor protection; promoting financial stability; countering illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation. The nine reports submitted to the President to date, consistent with the EO’s deadlines, reflect the input and expertise of diverse stakeholders across government, industry, academia, and civil society. Together, they articulate a clear framework for responsible digital asset development and pave the way for further action at home and abroad.

    Protecting Consumers

    Still, sellers commonly mislead consumers about digital assets’ features and expected returns, and non-compliance with applicable laws and regulations remains widespread. One study found that almost a quarter of digital coin offerings had disclosure or transparency problems—like plagiarized documents or false promises of guaranteed returns. The reports encourage regulators like the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), consistent with their mandates, to aggressively pursue investigations and enforcement actions against unlawful practices in the digital assets space. The reports encourage the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC), as appropriate, to redouble their efforts to monitor consumer complaints and to enforce against unfair, deceptive, or abusive practices. The reports encourage agencies to issue guidance and rules to address current and emergent risks in the digital asset ecosystem. Regulatory and law enforcement agencies are also urged to collaborate to address acute digital assets risks facing consumers, investors, and businesses. In addition, agencies are encouraged to share data on consumer complaints regarding digital assets—ensuring each agency’s activities are maximally effective. The Financial Literacy Education Commission (FLEC) will lead public-awareness efforts to help consumers understand the risks involved with digital assets, identify common fraudulent practices, and learn how to report misconduct.

    Advancing Responsible Innovation

    The Office of Science and Technology Policy (OSTP) and NSF will develop a Digital Assets Research and Development Agenda to kickstart fundamental research on topics such as next-generation cryptography, transaction programmability, cybersecurity and privacy protections, and ways to mitigate the environmental impacts of digital assets.

    Quite a bit more to the report.

    And the Forbes Headline reads…
    Joe Biden Just Sent A Stark Warning To Bitcoin And Crypto After $2 Trillion Price Crash

    What is your narrative?

    What do the machines think?

    3. June 9th, Wintermute OP issue: https://rekt.news/wintermute-rekt/ … and now this: https://rekt.news/wintermute-rekt-2/

    Let’s start with a story that broke on September 14th. The community of 1inch, a DEX aggregator protocol, discovered an issue with Profanity, an Ethereum address generator tool.

    Even worse, the possibility of this issue was raised on the Profanity GitHub on January 17th, 2022.

    Why didn’t Wintermute act when the Profanity issue was raised with proof six days ago? Well, they did:

    Around the time that the disclosure happened, Wintermute removed all ether from an admin address, which suggests that they realized it might have been vulnerable. However, they forgot to remove this address as an admin from their vault. The attacker is likely a seasoned hacker/solidity developer. They created a helper contract, deposited stables into curve to avoid blacklisting, and figured out this vulnerability in a closed sourced vault contract in the first place.
    – Mudit’s Blog

    The stolen funds were mostly various stablecoins, totalling $118.4M. The majority of these were deposited into Curve’s 3pool, presumably in an attempt to avoid any blacklisting. The exploiter is now the 3rd largest holder of 3CRV with over 13% of the supply.


    I, Degen - Deep Dive

    Reflecting on the merge ETH?


    Ethereum itself

    Social Attacks - Narrative-based attacks in crypto. We tend to think about FUD...

    E14 - All Eyes On Ethereum - 9/11/2022

    I, Degen - E14: All Eyes On Ethereum - 9/11/2022

    Listen at: idegen.fm

    Contact us: @idegenfm


    Full show notes with images on HackMD - https://hackmd.io/@idegen/E14-All-Eyes-On-Ethereum

    Intro

    Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.


    Episode Summary

    All eyes are on Ethereum - we are now less than four days out from the merge. We’ll talk about some possible scenarios the merge might bring and what you can do to stay safe during the merge. We’ll also look into recent updates on the Tornado Cash sanctions, a new report on fraudulent crypto trading volume, and other crypto security-related news.

    I, Degen - Weekly


    Cryptosphere

    1. From August 23rd, SudoRare, a LooksRare clone, rugs $820K after just 6 hours of operation. Rugged funds likely moved to a KYC’d address on Kraken.
    2. SudoRare, an NFT platform that forked from SudoSwap and LooksRare, is just the latest crypto project to run off with users’ funds. The project also deleted all of its social media accounts Tuesday morning.
    3. Coinbase launches Liquid Staked derivative (LSD) cbETH ahead of the merge - [1][2][3]
    4. Earn $1M if you can find a good bug in Ethereum before the merge
    5. August 26th, 2022 - Taliban Outlaws Crypto in Afghanistan and begins arresting sellers that refused to comply - Bloomberg article
    6. Password management first: LastPass had its developer systems hacked to steal source code
    7. According to Forbes, more than 1/2 of all Bitcoin trades are ‘fake’
    The U.S. Commodity Futures Trading Commission defines wash trading as “entering into, or purporting to enter into, transactions to give the appearance that purchases and sales have been made, without incurring market risk or changing the trader’s market position.” The reason why some traders engage in wash trading is to inflate the trading volume of an asset to give the appearance of rising popularity. In some cases trading bots execute these wash trades in tokens, increasing volume, while at the same time insiders reinforce the activity with bullish remarks, driving up the price in what is effectively a pump and dump scheme. Wash trading also benefits exchanges because it allows them to appear to have more volume than they actually do, potentially encouraging more legitimate trading.

    “Fraudulent or non-economic”

    The biggest problem areas regarding fake volume are firms that tout big volume but operate with little or no regulatory oversight that would make their figures more credible, notably Binance, MEXC Global and Bybit. Altogether, the lesser regulated exchanges in our study account for approximately $89 billion of the true volume (they claim $217 billion).

    On Forbes’ method:

    We apply volume discounts based on a proprietary methodology that relies on 10 factors such as an exchange’s home regulator if any and volume metrics based on an exchange’s web traffic and estimated workforce size.

    So, private trading firms’ numbers are being grokked by a proprietary methodology.

    Worth noting, the Bitwise study from early 2019 said 95% of BTC trading was fake… so it’s getting better.

    In case you’re interested in this topic, here is another nice paper from 2019 that talks about fake BTC trading

    8. Spoiler! New Netflix show on John McAfee raises questions about his death - supposedly he called his ex-gf after his ‘death’ to say he faked it.
    9. Australia Establishes Federal Crypto Police
    Launched in August, the unit will help combat crypto criminals by targeting their assets and providing investigative tracing capability and insight to other AFP authorities. The new crypto unit will operate as part of its Criminal Assets Confiscation Taskforce (CACT), which has been seizing illicit crypto funds since 2018, but without a dedicated standalone team. The Australian Federal Police have confiscated over AU$600 million (US$408 million) in illicit funds and property since 2020, and though the amount of crypto funds seized were small compared to “traditional” criminal assets, the additional focus helps provide intelligence insights.
    10. Solana didn’t go down this week - a high TPS spike that might have caused a network outage before didn’t cause one this time.
    11. September 5th withdrawals frozen at crypto mining firm Poolin because of a lack of liquidity - From The Block.
    Poolin, one of the world’s biggest crypto mining pools, is suspending bitcoin and ether withdrawals from its wallet service due to “liquidity problems.”

    And now, from September 9th: Bitcoin hash rate cut in half as miners leave

    This is significant because 1) Poolin is a China-based mining pool service, operating in China after the mining ban, and 2) the pool was estimated to have roughly 10% of the hash rate before withdrawals were suspended.
    12. Flash loan used against single NXUSD market on Nereus
    At approximately 10:30PM UTC on September 6th, the Nereus team notified the community of an incident through the community discord; this was later picked up by CertiK and other on-chain analysis groups and reported broadly as a flash-loan exploit resulting in a $371k gain. An exploiter was able to deploy a custom smart contract that leveraged a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block, resulting in the ability for the exploiter to mint 998,000 NXUSD against ~$508k worth of collateral. In the hours that followed, Nereus quickly consulted s...

    E13 - NiftyApes Open Source Audit w/Kevin Seagraves & Zach Herring - 9/1/2022

    I, Degen - Episode 13 - Open Source Audio Audit with Kevin Seagraves & Zach Herring from Niftyapes.money

    If you have a moment, please check out episode 13 I, Degen sequence on Zeevo. Give your feedback on the show, and we'll mint you a custom token of appreciation 🙏

    Listen at: idegen.fm

    Contact us: @idegenfm


    Intro

    On this episode of I, Degen we chat with Kevin Seagraves and Zach Herring from Niftyapes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us.

    Welcome to I, Degen, gentlemen, and thanks for taking the time to chat with us. Before we jump into the audit, can you tell us a bit about yourselves and what NiftyApes is?


    Intros Kevin Seagraves & Zach Herring:

    Who are we talking to?
    Tell us about your background and how you built an NFT lending platform.

    For KS: Can you tell us more about your work with ETHSecurity?

    Hunt questions:


    Intro NiftyApes:

    1. What is NiftyApes?

      1. How does it work?
      2. Why did you build it?
      3. Who’s gonna use it?
      4. What is a Harberger auction?
      5. When release?


    1. Let's talk about the “regen” side of Nifty Apes and the 1%? that goes to public goods. Why was it essential for you to do this?


    Open Source Audit:

    Security audits are expensive and rarely a priority for founders. This is especially dangerous when it comes to DeFi apps and protocols, given the natural ability of an attacker to take something of value.

    The idea for our Open Source Audit is to help others learn about securing a crypto project by asking some questions about how you’ve approached the security of NiftyApes.

    1. Can you give us a high-level overview of the tech stack? How does NiftyApes look from a zoomed-out view? What web2 components are at play, and what web3?

    2. Can you talk a little bit about your overall approach to securing niftyapes?

    3. How have you approached the security in your web2 interface?

    KS: we only store tx receipts in DB after a tx has taken place and been confirmed, so the attack surface for us on Web2 is low.

    3(b). Have you taken steps to ensure your DNS records are secure?

    1. Contract audits - Can you give us an overview of your process with the contract audits?

      1. How did you find your auditors?
      2. What was the process like?
      3. What did they find?
    2. You guys have gone out of your way to make security a priority for NiftyApes (from the front page):

    3. Does NiftyApes have a bug bounty program? If so, how does it work?

    4. Nocoiners and others have been all over a brewing problem at NFT lending platform, BendDAO. Specifically,

    “The NFT lending platform BendDAO has collateralized almost 3% of the entire Bored Ape collection, and many NFTs have recently entered the “danger zone” of liquidation.”

    ZW: Would this kind of thing be a potential problem on Niftyapes too?

    1. Game theoretical bugs are a new and emerging class of attacks in DeFi that don’t necessarily exploit bugs in code but instead bugs in the relationship between values of pools, balances, and the connected systems.

    2. In the coming years, we will likely look back at this as the golden age of on-chain hacks, where trivial bugs lead to massive payouts for blackhats.

    ZW: Are you tracking any risks related to game theoretic bugs? For example, flash loan attacks?

    1. The unprecedented sanctioning of the Tornado Cash contract addresses by US Treasury in early August has added a new complexity for DeFi developers. What is your take on the sanctions at NiftyApes?

    2. Any advice for crypto founders on developing and deploying more secure projects?

    Outro Questions:

    1. Top musical artist you’re listening to right now?
    2. Tech gadget you can’t live without?
    3. Best book you’ve read recently? Or a book that has a notable impact on you?
    4. Your preferred place for crypto news?


    Contact Info for NiftyApes

    You can find more info about NiftyApes on their website niftyapes.money or their Twitter @niftyapes.

    You can find Kevin Seagraves on Twitter at @captnseagraves (https://twitter.com/captnseagraves) and Zach Herring at @zherring.

    Full show notes on hackmd can be found here.


    © 2024 Podcastworld. All rights reserved