BlockThreat - Week 10, 2023
Hedera | PeopleDAO | TenderFi | SushiSwap
There is a new trend developing: attackers are targeting the pre-compiled contracts embedded deep inside smart contract chains. Late last year we discussed a $586M BNB Chain hack, and now it’s unfortunately Hedera’s turn with its Smart Contract Service. This week also features the silliest hack of the month, with attackers simply adding their address to a hidden field in a publicly accessible spreadsheet. Attacker indicators are in the premium section below as always.
On the bright side, this week’s edition features plenty of blockchain security talks from ETHDenver as well as a number of new tools.
Let’s dive into the news, but first a word from our sponsor, Chainalysis!
The 2023 Crypto Crime Report is here!
Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:
Why 2022 set records for crypto hacking
How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem
The latest crypto money laundering tactics employed by cybercriminals
What crypto winter means for scammers
How cybersecurity enhancements have hurt ransomware attackers
Blur zero-dollar purchase phishing attack by BlockSec.
Uptick in USDC scams following depegging over the weekend.
On March 6, 2023 PeopleDAO lost $120K by distributing rewards based on a publicly accessible spreadsheet which included the attacker’s address in a hidden field.
On March 7, 2023 TenderFi was exploited for $1.59M due to a misconfigured price oracle. All of the assets were voluntarily returned.
On March 9, 2023 multiple projects on the Hedera blockchain lost $600K+ due to a delegatecall exploit in the virtual machine’s pre-compiled contract.
How Your NFTs Could Have Been Stolen in Just One Click by Permasecure.
Old Cyber Gang Uses New Crypter – ScrubCrypt by Fortinet.
Ethernaut solutions in Yul by teddav.
Ghosts of Epochs Past allows one to replay past Secureum races.
Solving Curta CTF Sudoku using Halmos by karma.
CPSC 5910 - Blockchain Security - Winter 2022 course by Christian Siefert (Forta).
Common Zero-Knowledge Proof Vulnerabilities by D-Squared.
ETHDenver Blockchain Security Talks:
Bug Patterns in Solidity and Smart Contract Auditing by Yannis Smaragdakis.
Security - Today and Tomorrow with Ronghui Gu.
DeFi Risk: How to Secure Your Protocol with Blockchain Simulations by Omer Goldberg.
Pyrometer: a next-gen solidity security tool with Brock Elmore.
Security: The Make or Break For Transitioning from Web2 to Web3 by Shahar Madar.
Bridges: how not to hack up everything with Alex Shevchenko.
MEV Past, Present, and Future by Joey Zacherl.
How to win MEV and trades on ethereum post merge with Eyal Markovich.
Cypherpunk Beginnings and the Case for Proof of Work with Bob Summerwill.
How to Stop Crypto Scams from impacting your Community and Users with Nikita Varabei.
Rebasing token attack thread by Daniel Von Fange.
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears – Kudelski Security Research by Nils Amiet (Kudelski Security).
EVM Part I: The ABCs of Ethereum Virtual Machine by Md Zaryab Afser.
EVM Part II: The Journey of Smart Contracts from Solidity code to Bytecode by Md Zaryab Afser.
Integrating Halmos with Foundry tests by Zach Obront.
L2BEAT is a database of Ethereum L2s and their security properties.
Echidna 2.1.0 introduces on-chain fuzzing.
tx2uml 1.1.11 introduces value transfer diagrams.
Token Tester - discover potential vulnerabilities and incompatibilities when interfacing with generic ERC20s.
Cookbook - search for smart contract or project source code.