Greetings!
Almost $8M was stolen across 8 incidents ranging from smart contract exploits and private key theft to malicious insiders and web2 infra hacking attempts. Let’s explore a few of the most interesting ones:
Bedrock almost caused a DeFi meltdown last week after their uniBTC token mistakenly enabled the use of native tokens for minting. The single uninitialized variable allowed one to reach the following minting function, designed to exchange other BTC-like assets, like cbBTC, for uniBTC at a 1:1 rate:
    /**
     * @dev mint uniBTC with native BTC
     */
    function mint() external payable {
        require(!paused[NATIVE_BTC], "SYS002");
        _mint(msg.sender, msg.value);
    }
Bad actors could easily borrow ETH to exchange for uniBTC at a 1:1 rate!
Luckily, Dedaub detected the vulnerability shortly after the contract deployment and kicked off the incident with the SEAL 911 team.
2024-09-25 06:17 - Vulnerable vault deployed on Ethereum and other chains [tx].
2024-09-26 16:00 - Dedaub discovered the vulnerability.
2024-09-26 16:27 - Dedaub reached out to Bedrock about the vulnerability.
2024-09-26 16:41 - SEAL 911 War Room started.
2024-09-26 18:28 - First exploit transaction [tx].
2024-09-26 18:34 - Bedrock IR team notified [link].
2024-09-26 18:44 - First copycat exploit [tx].
2024-09-26 18:54 - Even more copycats exploiting [tx].
2024-09-26 21:03 - Vault paused [tx].
2024-09-27 01:39 - Bedrock makes a public announcement of the hack [link].
Some observations:
Dedaub and SEAL 911 had trouble reaching Bedrock to share the bug pre-hack and during active exploitation. An easily accessible security contact and an actively monitored incident notification channel could have made this incident just an urgent vulnerability report.
Not only was the short 2-hour window lost before the hacking began, but another 3 hours were lost before the team finally hit the pause button. If the team was indeed notified at 18:34, there is no reason to wait so long to pause the vulnerable contract. The delay invited dozens of copycats to methodically drain pools across six chains. Pause first, ask questions later!
Was there any security monitoring at all to catch minting anomalies, pools being drained, anything suspicious? Probably not, or, even worse, security alerts went into an unmonitored mailbox.
We make mistakes all the time. The Bedrock deployment script made a mistake that audits could not catch. However, the $2M lost in this incident was simply due to not having a security process to collect and react to security alerts. At least SEAL saved the day by helping halt $70M+ in pools with uniBTC.
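The monitoring question raised above, as an added example (not Bedrock's, Dedaub's or SEAL's code): a minimal mint-event check that flags deposits in an asset that is not BTC-pegged on that chain, or mints above the 1:1 rate, and lists the chains whose vault should be paused. The event fields, chain names, asset table and sample events are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Assumption: per-chain list of deposit assets that really are BTC-pegged.
# "NATIVE" is the chain's gas token. Names and chains here are hypothetical.
BTC_PEGGED = {
    "ethereum": {"cbBTC", "WBTC"},   # NATIVE is ETH, so it is absent
    "btc-l2": {"NATIVE", "WBTC"},    # hypothetical chain whose gas token is BTC
}

# Constructed sample mint events (not real transactions).
EVENTS = [
    {"chain": "ethereum", "tx": "0xaaa1", "minter": "0xA", "asset": "cbBTC", "deposited": "0.5", "minted": "0.5"},
    {"chain": "btc-l2", "tx": "0xbbb1", "minter": "0xB", "asset": "NATIVE", "deposited": "1", "minted": "1"},
    {"chain": "ethereum", "tx": "0xaaa2", "minter": "0xC", "asset": "NATIVE", "deposited": "30", "minted": "30"},
    {"chain": "ethereum", "tx": "0xaaa3", "minter": "0xD", "asset": "NATIVE", "deposited": "12", "minted": "12"},
    {"chain": "ethereum", "tx": "0xaaa4", "minter": "0xE", "asset": "WBTC", "deposited": "1", "minted": "1.2"},
]

def check_mint(ev):
    """Return the list of rule names this mint event violates."""
    hits = []
    # Fail closed: an unknown chain or asset counts as not BTC-pegged.
    if ev["asset"] not in BTC_PEGGED.get(ev["chain"], set()):
        hits.append("NON_BTC_DEPOSIT")
    # The vault is meant to mint 1:1, never more than was deposited.
    if Decimal(ev["minted"]) > Decimal(ev["deposited"]):
        hits.append("MINT_EXCEEDS_DEPOSIT")
    return hits

def scan(events):
    """Summarise violations per chain: unbacked amount, txs, distinct minters."""
    report = defaultdict(lambda: {"unbacked": Decimal(0), "txs": [], "minters": set()})
    for ev in events:
        hits = check_mint(ev)
        if not hits:
            continue
        entry = report[ev["chain"]]
        # A non-BTC deposit backs nothing; otherwise only the excess is unbacked.
        backed = Decimal(0) if "NON_BTC_DEPOSIT" in hits else Decimal(ev["deposited"])
        entry["unbacked"] += Decimal(ev["minted"]) - backed
        entry["txs"].append((ev["tx"], hits))
        entry["minters"].add(ev["minter"])
    return dict(report)

def chains_to_pause(report):
    """Any unbacked mint is enough to page on-call and pause that chain's vault."""
    return sorted(c for c, e in report.items() if e["unbacked"] > 0)
```

The number of distinct minters per chain in the report is a rough signal of copycat activity once the first unbacked mint has landed.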
Speaking of unnecessary hacks, Onyx Protocol was hacked again for $3.8M with the Compound bug that already cost them $2M about a year ago. The issue here is a lack of process and/or knowledge of your code base. A simple playbook on how to safely deploy new cTokens would have saved their day.
When I first got into blocksec, I was (and still am) fascinated by beautiful attack vectors. If only we could get as many audits as possible to find those pesky oracle bugs or stop reentrancy, we would be safe, right? To a degree. I am starting to realize we may need to zoom out and start teaching DeFi projects the basics of security programs, the fundamentals of security threats, detecting and responding to incidents, and just a healthy degree of paranoia that all of those audits are not enough. I am excited to share more at The State of DeFi Security talk at the DeFi Security Summit in November.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
New York Judge Rules Tornado Cash Co-Founder Roman Storm Must Face Trial in Money Laundering Case.
Staying a Step Ahead: Mitigating the DPRK IT Worker Threat by Mandiant.
Crypto Losses in Q3 2023 Report by Immunefi.
Crime
Man pleads guilty to operating illegal crypto ATMs in first UK conviction of its kind.
The Rise of Cryptocurrency in the Synthetic Drug Trade by TRM.
United States Seizes More than $6 Million in Alleged Proceeds of a Crypto-Confidence Scheme.
OFAC Designates Russian Exchange Cryptex and Fraud Shop Facilitator UAPS, FinCEN names PM2BTC by Chainalysis.
Witness Says LA 'Godfather' Impersonated FBI to Steal Crypto at Gunpoint. What is even more concerning are $150K+ payments to LAPD officers to help facilitate those crimes.
Someone kidnapped Wiz/Veer’s parents in Connecticut in an attempt to extort him for his cut from the theft by ZachXBT.
Caroline Ellison sentenced to two years for FTX-Alameda fraud.
Policy
Select Group of Russian Firms Authorized to Use Crypto for Chinese Imports Amid Sanctions.
'We are Running Out of Time': U.S. House Democrat Urges Stablecoin Bill Compromise.
Kosovo receives guidance from Council of Europe on crypto crime tracing.
Inside the Biden Admin’s Plot to Destroy Silvergate and Debank Crypto for Good by Nic Carter.
CFTC Sues Over $3.6M Digital Asset Fraud Targeting Asian Americans.
Phishing
Polymarket users complain of mysterious Google login wallet attacks.
Web3 gaming firm Immutable criticized for limited phishing warning.
How do honeypot tokens on the trending list bypass detections? by Scam Sniffer.
Address poisoning is on BTC now thread by BlockSec.
Someone lost 12,083 spWETH ($32.43M) after signing a "permit" phishing signature by Scam Sniffer. The victim is suspected to be CZSamSun.
Another victim lost $251k worth of Aave USDC and Aave wstETH by signing multiple "permit" phishing signatures by Scam Sniffer.
Someone has fallen for phishing, resulting in a loss of $268K worth of #aEthWBTC! by Cyvers.
Orbiter_Finance X account has been compromised and a fake airdrop link was posted in their feed.
Scams
Alleged crypto scammer gets a face reveal courtesy of ZachXBT. UK-based scammer stole more than $650K from 250+ X users by posting fake PNL screenshots from a Bybit demo account.
Malware
Wallet Scam: A Case Study in Crypto Drainer Tactics by Check Point. Fake Wallet Connect app on Google Play stole about $70K from victims.
Contests
A challenge on the Jolt zkVM by Giorgio Dell'Immagine (zkSecurity).
Writeup for Chisel as a Service from BlazCTF 2024 by minaminao.
Writeups for the BlazCTF by toastedsteaksandwich.
Media
How to diagnose a faulty compiler: the LLVM bug by DSS Monthly Webinar.
Web3 Security Podcast: From @bloqarl’s First Paycheck to Running a Profitable Web3 Security Company by HackenProof.
Research
Security Frameworks by SEAL. Detailed security frameworks covering infrastructure, front-end, social media, key management, incident response, opsec, and many many other topics.
Bellingcat OSINT Toolkit. A great collection of resources to help you hunt down bad actors.
Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR by Faith (Zellic).
When Debug Logs Go Wrong: A Crash In GRPC Astria-geth Node by Patrick Ventuzelo (Fuzzing Labs).
Checklist for Auditing Tron Projects by Positive Security.
SlowMist: Introduction to Auditing Sui - Move Contracts by SlowMist.
SlowMist: Analysis and Audit Considerations of the Uniswap v3 Protocol by SlowMist.
Strengthening Legal Protections for White Hat Hackers by Neville Grech.
Precision Loss Accumulation: The “Two Parser Bug” Lurking in the Shadows by Zhou Xianyuan.
Writing Multi-Fuzzer Invariant Tests Using Chimera by Dacian.
How to Simulate MEV Arbitrage with REVM, Anvil and Alloy by Pawel Urbanek.
Awesome FHE Attacks by Hexens.
Secure Wallet Key Management in Web3 by Olympix.
On the Security of Halo2 Proof System by Joo Yeon Cho (Kudelski).
Unlocking the Potential of Noir: A Deep Dive into Simplifying Zero-Knowledge Proof Development by Simeon Cholakov & Simão Amaro (Three Sigma).
A few notes on AWS Nitro Enclaves: Attack surface by Pawel Platek (Trail of Bits).
Email auto-reply vulnerability allows hackers to mine cryptocurrency.
Tools
Haystack Editor - An IDE built on top of a canvas, Haystack takes care of the tedious and confusing parts of coding for you.
USDC issuer Circle unveils new compliance tool for programmable wallets.
The Good Ethereum Assembler (geas) - a macro assembler for the EVM.
Fuzzoor - A Visual Studio Code extension that helps you to build and run fuzzing test suites for Solidity smart contracts.
SIM Explorer - a blockchain explorer with storage and state analysis.
Spice v0.2.0 release by Storm. A new CLI to extract data from Dune Analytics.
Halmos v0.2.0 is Released! New features for finding bugs and exploits.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.