Happy New Year!

At the start of the year, there were only a few minor incidents, all resulting in losses under $300K. Fx protocol made a costly mistake when calculating rewards for the ever increasing wstETH asset that cost them $125K. However, the most notable case involved the PumpTokenFactory, which deployed flawed token template code. This vulnerability led to a series of price oracle exploits affecting Laura, Luke, and other tokens. The incident bears similarities to the GemPad compromise from a few weeks ago, where $2M was stolen through reentrancy attacks targeting multiple factory tokens.

It’s concerning to see these patterns emerge. Hopefully, the crypto ecosystem can avoid the kind of mass exploitation events that plague the Web2 world—such as the persistent vulnerabilities in platforms like WordPress, Drupal, and other low-code/no-code solutions.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

Events

• Remedy CTF 2025. January 24th, 2025.

News

• 2024 Web3 Security Report by CyVers.

• Hack3d: The Web3 Security Report 2024 by CertiK.

• 2024 Q4 MistTrack Stolen Funds Analysis by Slowmist.

• Scam Sniffer 2024: Web3 Phishing Attacks – Wallet Drainers Drain $494 Million

• 2024 Blockchain Security and Anti-Money Laundering Annual Report by Slowmist.

• Man Dies by Suicide After Being Convicted of ‘Rug Pull,’ Family Says. A tragic end to the Undead Apes saga.

Crime

• Tether, Tron and TRM Labs Help Freeze $126 Million in USDT Linked to Crime.

• South African Authorities Arrest Man Accused of Using Bitcoin to Fund Terrorist Activities.

• Do Kwon Extradited To The United States From Montenegro To Face Charges Relating To Fraud Resulting In $40 Billion In Losses.

Policy

• Thread on unredacted OCP 2.0 letters from FDIC by Paul Grewal.

Scams

• Trapped Between Protocols by Rekt.

• 39 Ways You Could Lose Money in Crypto: How to Keep Your Money Safe by Sage D. Young (Unchained).

Malware

• North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign by dmpdump.

• Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT.

Research

• A Tale of Two Calls: How a Reentrancy Attack Can Take Over Maker's CDPs by Adriro.

• Detecting Financial Bots on the Ethereum Blockchain.

• Collaborative Approaches to Enhancing Smart Vehicle Cybersecurity by AI-Driven Threat Detection.

• An elaborate scheme to acquire a free coffee, Mr. X pays his barista in New York with a bitcoin transaction (TX1) and simultaneously broadcasts a second bitcoin transaction out of Shanghai (TX2) by Peter R. Rizun.

• How Concentrated Liquidity in Uniswap V3 Works by RareSkills.

• Concentrated Liquidity - Sticky Tick Boundaries by Joran Honig.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content