Greetings!

This was not a good week for DeFi projects out there. $48M were stolen across 7 hacks, mass phishing campaigns, $33M rugpulls, and 0days targeting essential tools. We have a lot to cover, but first a note from our sponsor Cyfrin! A whole generation of security auditors got their first bounty thanks to their hard work building free classes, tools and projects. Their contributions to the blockchain security community are immense so I hope you will consider them for your next audit, bug bounty program, or just an ever growing resource of excellent content.

Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry. 

Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from the started security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-sourced rust-based static analyzer to help automatically detect bugs in your solidity codebase. 

Let’s start with DeFi compromises. There was a really unfortunate exploit on Ethereum and Arbitrum chains of Hedgey Finance. An attacker was able to trick vulnerable contracts into approving the transfer of $44.7M worth of assets by injecting malicious parameters into an overly trusting method. Below is the vulnerable snippet:

function createLockedCampaign(
bytes16 id,
Campaign memory campaign,
ClaimLockup memory claimLockup,
Donation memory donation
) external nonReentrant {

[..snip..]

// deposit tokens TransferHelper.transferTokens(campaign.token, msg.sender, address(this), campaign.amount + donation.amount);

[..snip..]

// withdrawal approval SafeERC20.safeIncreaseAllowance(IERC20(campaign.token), donation.tokenLocker, donation.amount);

In the above snippet, callers have complete control over campaign, claimLockup, and donation structs so they can set campaign.token and donation.tokenLocker to arbitrary values (e.g. USDC, attacker controlled contract). While calling the above method the attacker transfers some amount of tokens to Hedgey which also generates an approval for the donation.amount to an arbitrary address. In one exploit transaction, the attacker borrowed $1.3M from Balancer, deposited it to Hedgey, and in return got a $1.3M approval to an address they control.

The next part is what enabled the exploit. When cancelling the campaign, the contract withdraws deposited tokens, but never revokes the approval!

function cancelCampaign(bytes16 campaignId) external nonReentrant {
Campaign memory campaign = campaigns[campaignId];
require(campaign.manager == msg.sender, '!manager');
delete campaigns[campaignId];
delete claimLockups[campaignId];

// withdraw tokens
TransferHelper.withdrawTokens(campaign.token, msg.sender, campaign.amount);
emit CampaignCancelled(campaignId);
}

The attacker simply followed up with another transaction to withdraw $1.3M held by the contract prior to the exploit. Insufficient function parameter validation exploits are painful, but have an important lesson for developers:

Assume all user controlled input is tainted and designed to disable or steal assets from your protocol. It is hot lava that will burn you without proper care!

More phishing campaigns peddling credential and private key stealers by tricking folks who are interviewing or providing advisory services.

PSA: Never download and run executables on a non-isolated machines presented to your during job interviews, business or other calls. Consider using Virtual Machines and external file scanners like VirusTotal.

Another conviction this week of a DeFi attacker - Avi Eisenberg, a 28 year old crypto trader responsible for the Mango Markets hack. A few takeaways:

• Ransom aka “whitehat” agreements have no legal power. Mango Markets noted the agreement was made under duress and pressed charges.

• DeFi compromises involve many victims which could press separate charges. Prosecution used one such victim to illustrate the broad impact of the hack.

• Decentralized and autonomous nature of DeFi markets does not prevent various government agencies from pressing civil and criminal charges for market manipulation and fraud. In fact, the DoJ case criminal case was given precedence over the civil complaint by Mango Labs.

• The government will absolutely arrest you and put you on the plane the moment you step foot in an extradition country.

• “Code is Law” argument failed in court and will result in up to 20 years in jail.

• Going on podcasts or social media after the hack will not help you.

• The case will now set the precedent for similar trials in the future.

Attackers expecting no legal repercussions by negotiating a “bounty” with just the DeFi project should also reach out to every single user to make a similar agreement. Oh and also convince SEC, CFTC, and DoJ that your actions were legal. Worst case you could prepare an expensive legal defense with five lawyers for the 12 randomly selected jurors who will sleep through your arguments and convict you anyway. Good luck!

News were going around all week about iMessenger, WhatsApp, etc. 0days for sale. This created a lot of fear in folks ready to throw away their phones while locking themselves in an RF proof safe room. The reality is that 0days are available for sale at all times. Gray markets exist that actively research and acquire exploits to unpatched vulnerabilities to be sold to interested parties (mostly government and LE entities). As vulnerabilities get patched, bounties go out to make sure there is always one available in the arsenal. Below is a sample offering from one such company where iMessenger exploits can collect $2M+ and resold to buyers for even greater amounts:

What got everyone really scared is that the iMessenger exploit was made available for purchase on a dark market by entities beyond the usual pro-Western government and LE actors.

Some questions to think of when assessing the risk of someone using an 0day on you is the likelihood. Are you really that important that someone will burn a $2.5M exploit? Is there a cheaper way to compromise you or your org with SIM swapping, spear phishing or just embedding a malicious insider? Do you really believe the dark market ad is real when there are “gray” markets ready to bid on the exploit?

If you still think that you may be the target then you should focus on building resilient security controls such as using hardware wallets, multisigs, Yubikeys, etc. A single compromised phone should not ruin your organization.

The premium version of the newsletter includes additional coverage, PoCs, indicators for the hacks mentioned above as well as Grand Base, Hackathon, Mars, and others.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

Events

• Secureum RACE-29.

News

• Security Alliance launches SEAL-ISAC initiative to facilitate spreading of blockchain-related threat intelligence.

• Telegram Patches Zero-Day Python Script Vulnerability in Windows Client.

• PuTTY SSH client flaw allows recovery of cryptographic private keys.

• GitHub comments abused to push malware via Microsoft repo URLs. Executables uploaded in repo comments appear coming from the repo itself.

• Q1 2024 Web Security Report by Hacken.

Crime

• Avraham 'Avi' Eisenberg convicted for $110 million Mango Markets exploit.

• Indian Man Pleads Guilty to Creating Spoofed Coinbase Website, Stealing $9.5M in Crypto.

• Hive RAT Creators and $3.5M Cryptojacking Mastermind Arrested in Global Crackdown.

• Hong Kong JPEX cryptocurrency scandal: 72 arrested, HK$228 million in assets frozen so far.

• Operation Racer: Hong Kong Authorities Dismantle Cryptocurrency Laundering Operation.

• Alleged cryptojacker accused of stealing $3.5M from cloud to mine under $1M in crypto.

Policy

• Crypto Litigation Tracker from SEC, CFTC, and DoJ by thecod3x.

• Railgun refutes claims of North Korean laundering following price surge.

Phishing

• Reports of an ongoing phishing campaign Uniapt. It involves a meeting booked on Calendly to advise on the company, followed by a request to download a malicious executable which is a credential stealing malware.

• A peek inside Inferno Drainer by Bernhard Mueller.

• Demystifying Hacking Incidents by Drainers by BlockSec.

• Ethereum’s EIP-3074 ‘upgrade’ could let wallet makers steal your money.

• So, if you come across a scam domain, what should you do? by OfficerCia

• Google ad impersonates Whales Market to push wallet drainer malware.

• Another day, another X compromise. Meson Finance account was hacked to share an airdrop phishing link.

Scams

• Zkasino $33M rugpull report by defizard.

Malware

• New Technique to Trick Developers Detected in an Open Source Supply Chain Attack by Yehuda Gelb (Checkmarx).

• Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims.

• Akira Ransomware advisory by FBI and Europol.

Media

• Blockchain Security Series Episode 5: Daniel Von Fange (Smart contracts @ Origin Protocol).

• OpenSense - Botracing 101 with ChaseTheLight.

Research

• Gateway Free Web3 Security Course by Owen (Guardian).

• Diving deep into Audit Contests Analytics and Economics by Joran Honig.

• An investigation into the alleged $11.1M Prisma Finance exploiter 0x77 (Trung) and the multiple other exploits they are connected to by ZachXBT.

• Concentrated Liquidity Manager Vulnerabilities by Dacian (Cyfrin).

• Cosmos IBC Reentrancy Infinite Mint by Maxwell Dulin (Asymmetric Research).

• Hamburger Factory Validity by xuwinnie. An interesting bug in zkSync.

• Issues in Certain Forks of Gains Network by Zellic.

• Small Steps in Automating Security - Detecting Incorrect Interface Definitions (in Vyper!) by yAcademy.

• Bad Randomness: Protecting Against Cryptography's Perfect Crime by Tal Be’ery.

• One more problem with ERC777 by Daniil Ogurtsov.

• Onchain fuzzing benchmark: running echidna on mainnet by Antonio Viggiano.

• SoK: Decentralized Finance (DeFi) -- Fundamentals, Taxonomy and Risks.

• Is EIP-3074 the Next Step for Account Abstraction? by The Ambire Team.

• EIP-3074 Threat Models by matt.

• EIP-3074 Impact Study by Neville Grech.

• How to spend as much money on security services as possible, while ensuring you are still vulnerable to Critical exploits thread by Owen (Guardian).

Tools

• Aderyn - Rust-based Solidity static analyzer by Cyfrin. Check out the announcement blog for additional details.

• tx-coverage - Reveal unused code of a live smart contract by collecting coverage from historical transactions by Decurity.

• BugBounty Companion by tintinweb. The BugBounty companion lets you quickly check out source-code from bug bounty programs from various platforms.

• cargo-unmaintained - Find unmaintained packages in Rust projects by Trail of Bits.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content