Steven Walbroehl From Halborn Security Joins Us to Talk About Their Metamask Vulnerability Discovery


Steven is Chief Security Officer and cofounder of Halborn, a cybersecurity organization specializing in blockchain companies. With over 15 years of experience in cybersecurity, Steven is an industry expert, trainer and technical leader in penetration testing, ethical hacking, web application and cloud security, infrastructure security, vulnerability scanning and detection, IT compliance, and risk mitigation. He's worked with Fortune 500 companies spanning the Financial, Insurance, Mortgage, Technology, Utilities, Hospitality, and Blockchain industries, and holds several information technology and security certifications, including CISSP, CEH, CRISC, OSCP, OSWP, CISM, GWAPT, GAWN, AWS Solutions Architect Associate, CCNA, and Six Sigma. Steven brings modern technology practices and security assurance to protect his clients' business operations and data. He is course author of SANS SEC554: Blockchain and Smart Contract Security and co-author of SEC556: IoT Penetration Testing.

Metamask Vulnerability

CVE-2022-32969: Insecure permissions vulnerability in MetaMask and other browser extension cryptocurrency wallets allows an attacker to access a user’s secret recovery phrase on disk via remote or physical access.

Both Firefox and Chromium based browsers save the contents of all non-password input fields to disk unencrypted as part of the “Restore Session” feature. Browser extension cryptocurrency wallets that use an input field for a BIP39 mnemonic can cause the secret recovery phrase to be stored on disk in plain text where an attacker can retrieve it and gain access to the wallet.

Additionally, an attacker with equal or greater permissions than the user may be able to retrieve the mnemonic phrase directly from memory.
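The issue above comes down to a seed-phrase field being an ordinary input whose value session restore writes to disk. The following lint-style check is an added example, not code from the podcast, from Halborn or from MetaMask: it scans markup for inputs whose name, id or placeholder suggests a recovery phrase and flags any that is not type="password" (textareas included, since they can never be password fields). The field-name hints and the sample form are constructed for this example.

```javascript
// Added example (not from the podcast, Halborn or MetaMask): flag seed-phrase
// fields that browser session restore would persist to disk unencrypted,
// i.e. any field that is not type="password". Hints and markup are constructed.
const SEED_FIELD_HINT = /(mnemonic|seed|recovery|secret[-_ ]?phrase)/i;

// Parse the attributes of one <input ...> or <textarea ...> opening tag.
// Only double-quoted attribute values are handled, which is enough here.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Return one finding per field that looks like a seed-phrase input but
// would be captured by session restore (any type other than password).
function auditMnemonicInputs(html) {
  const findings = [];
  const tagRe = /<(?:input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const a = parseAttributes(tag);
    const label = [a.name, a.id, a.placeholder, a['aria-label']]
      .filter(Boolean)
      .join(' ');
    if (!SEED_FIELD_HINT.test(label)) continue;
    const isTextarea = /^<textarea/i.test(tag);
    const type = isTextarea ? 'textarea' : (a.type || 'text').toLowerCase();
    if (type !== 'password') {
      findings.push({
        field: a.name || a.id || '(unnamed)',
        type,
        issue: 'seed-phrase field is not type="password"; session restore may persist its value unencrypted on disk',
      });
    }
  }
  return findings;
}

// Constructed sample markup: a per-word text input, a textarea variant,
// a correctly typed password field, and an unrelated text field.
const SAMPLE_FORM = `
<form id="import-wallet">
  <input type="text" name="mnemonic-word-1" placeholder="Secret Recovery Phrase word 1">
  <textarea id="seed-phrase" aria-label="Secret Recovery Phrase"></textarea>
  <input type="password" name="recovery-phrase-hidden">
  <input type="text" name="account-name" placeholder="Account name">
</form>`;

console.log(JSON.stringify(auditMnemonicInputs(SAMPLE_FORM), null, 2));
```

Run under Node; the two non-password seed-phrase fields are reported and the password-typed one is not. The check is deliberately conservative: it only looks at how the field is declared, which is the property the Restore Session behaviour keys on.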

Law Firm Serves Restraining Order via NFT

Law firm Holland & Knight has become the first to serve a restraining order as an NFT. The firm's asset recovery team issued the NFT on behalf of its client, LCX, to an anonymous hacker who exploited the platform back in January.

In a press release, LCX also gave an update on the investigation into the hack that saw it lose around $8 million, noting that the case is now being handled in several jurisdictions, including Liechtenstein, Ireland, Spain, and the United States.

Additionally, it has been able to track down and freeze around 60% of the stolen funds. These include 500 ETH and $1.3 million worth of stolen USDC. LCX says it used “algorithmic forensic analysis” to track down the transactions, which had been obfuscated using Tornado Cash, a digital currency mixing tool.

ApolloX Hack - $2.1 Million

ApolloX is a cryptocurrency derivatives exchange founded by experts with backgrounds in traditional financial institutions, technology companies, and other leading crypto exchanges.

The network was hacked by malicious players who carted away 53 million APX tokens worth $2.8 million.

ApolloX has revealed that the hacker exploited a bug in the network’s trading rewards contract to accumulate 255 signatures which were used to withdraw 53 million APX tokens from the withdrawal contract.

The attacker wrote a contract that calls ApolloxExchangeTreasury's claim function in a loop, withdrawing a large amount of $APX tokens. ApolloX also deploys a similar ApolloxTradingReward contract for processing trade-mining rewards. There is a signature replay issue here, because the signers of the two contracts were the same address before the attack occurred. An ApolloxLeaderBoard contract does the same thing.

The attacker replayed a signature produced for ApolloxTradingReward against ApolloxExchangeTreasury. When decoding the message, the latter reads the reservedAmount field as the deadline, and reservedAmount is large enough that the deadline check passes.

After the attack, the ApolloX team set the signers of the three contracts, ApolloxTradingReward, ApolloxExchangeTreasury, and ApolloxLeaderBoard, to different addresses, thus avoiding the risk of signature replay.

The network tried to arrest the situation by making an emergency repurchase of 12,748,585 APX tokens worth $600,000.

Attacker didn’t use Tornado

Indications have emerged that the ApolloX hacker begged crypto community members for the gas fees used to carry out the attack.

According to Officer_cia, the hacker sent him a message where he begged for 1 Matic that was eventually used as gas fees for the exploit.

Inverse Finance Oracle Manipulation - $1.2 Million