Also: Ledger Faces Backlash on Seed Phrase Recovery Solution
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between May 11 and May 18, the Uranium Finance hacker laundered more stolen funds, LayerZero launched a $15 million bug bounty program, the European Union adopted comprehensive cryptocurrency legislation, and Ledger faced backlash on its seed phrase recovery solution.
The Uranium Finance hacker on Tuesday moved ETH coins worth $1.18 million to sanctioned crypto mixer Tornado Cash. The hacker in March laundered funds worth $3.35 million after lying low for more than 21 months. Web3 security firm PeckShield said the hacker currently holds a total of $124,000 worth of crypto in their wallet. On April 28, the hacker exploited a coding vulnerability on the Binance Smart Chain-based platform to steal funds worth $50 million at the time, likely forcing the company to cease operations and ask users to withdraw funds from the platform.
LayerZero Labs on Wednesday announced a $15 million bug bounty program in partnership with bug bounty platform Immunefi. Touted as the “largest bug bounty reward in the software industry,” it will offer a “maximum reward of $15M for each new vulnerability found by participants who uncover vulnerabilities at the highest severity level,” LayerZero said.
The European Union on Tuesday adopted a cryptocurrency regulation intended to protect consumer interests by preventing high-profile crashes such as FTX and Terra Luna and by mandating tougher cybersecurity requirements. Finance ministers representing all 27 member countries voted unanimously to enact the Markets in Crypto-Assets regulation. The rules for stablecoins are set to be implemented in July 2024, and those for other crypto assets will take effect in January 2025. The legislation holds crypto asset service providers liable for losses stemming from cyberattacks, thefts or malfunctions, details anti-money laundering provisions that can limit hackers’ ability to off-ramp stolen crypto, and comprises a travel rule to ensure traceability of crypto assets and prevent sanctioned addresses from carrying out unlawful transactions (see: EU Adopts Comprehensive Crypto Regulation).
Ledger’s new recovery tool for hardware crypto wallets allows users to reclaim their lost and forgotten seed phrases. The company’s announcement sparked a backlash among security and privacy experts, who say the solution undermines security. Called Ledger Rover, the solution splits a seed phrase into three encrypted parts and shares them with different third parties for safekeeping. Polygon Labs CISO Mudit Gupta, who called it a “horrendous idea,” said the issue isn’t the key split. The concern, he said, is that the three corporations who store the encrypted keys can easily reconstruct the whole phrase.