BlockThreat - Week 10, 2023
Hedera | PeopleDAO | TenderFi | SushiSwap
There is a new trend developing with attackers targeting pre-compiled contracts embedded deep inside smart contract chains. Late last year we discussed a $586M BNB Chain hack and now it’s unfortunately Hedera’s turn with its Smart Contract Service. This week also features the silliest hack of the month with attackers simply adding their address to a hidden field in a publicly accessible spreadsheet. Attacker indicators are in the premium section below as always.
On the bright side, this week’s edition features plenty of blockchain security talks from ETHDenver as well as a number of new tools.
Let’s dive into the news, but first a word from our sponsors Chainalysis!
The 2023 Crypto Crime Report is here!
Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:
Why 2022 set records for crypto hacking
How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem
The latest crypto money laundering tactics employed by cybercriminals
What crypto winter means for scammers
How cybersecurity enhancements have hurt ransomware attackers
Oasis disabled contract upgrades so it wouldn’t be compelled to confiscate funds in the future like it did with the Wormhole attacker.
Blur zero-dollar purchase phishing attack by BlockSec.
Uptick in USDC scams following depegging over the weekend.
Sour Grapes: stomping on a Cambodia-based “pig butchering” scam by Sophos.
FBI PSA: Criminals Steal Cryptocurrency through Play-to-Earn Games.
On March 6, 2023 PeopleDAO lost $120K by distributing rewards based on a publicly spreadsheet which included attacker’s address in a hidden field.
On March 7, 2023 TenderFi was exploited for $1.59M due to a misconfigured price oracle. All of the assets were voluntarily returned.
On March 9, 2023 multiple projects on Hedera blockchain lost $600K+ due to a delegatecall exploit in the virtual machine’s pre-compiled contract.
On March 9, 2023 SushiSwap was once again exploited with a price oracle exploit for $27K using the same method as last month’s BentoBoxv1 exploit.
How Your NFTs Could Have Been Stolen in Just One Click by Permasecure.
A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithm.
Old Cyber Gang Uses New Crypter – ScrubCrypt by Fortinet.
Xenomorph v3: a new variant with ATS targeting more than 400 institutions by Threat Fabric.
North Korean UNC2970 Hackers Expands Operations with New Malware Families.
Ethernaut solutions in Yul by teddav.
Ghosts of Epochs Past allows one to replay past Secureum races.
Solving Curta CTF Sudoku using Halmos by karma.
CPSC 5910 - Blockchain Security - Winter 2022 course by Christian Siefert (Forta).
Common Zero-Knowledge Proof Vulnerabilities by D-Squared.
ETHDenver Blockchain Security Talks:
2 years and 200 audits later: DAO learnings from building Code4rena with Sock.
Bug Patterns in Solidity and Smart Contract Auditing by Yannis Smaragdakis.
Security - Today and Tomorrow with Ronghui Gu.
DeFi Risk: How to Secure Your Protocol with Blockchain Simulations by Omer Goldberg.
Pyrometer: a next-gen solidity security tool with Brock Elmore.
Future of Threat Prevention - We can detect exploits, but how do we stop them? by Andrew Beal.
Security: The Make or Break For Transitioning from Web2 to Web3 by Shahar Madar.
Bridges: how not to hack up everything with Alex Shevchenko.
MEV Past, Present, and Future by Joey Zacherl.
How to win MEV and trades on ethereum post merge with Eyal Markovich.
Cypherpunk Beginnings and the Case for Proof of Work with Bob Summerwill.
Web3 Security for Everyone - A new Prospect from the user's angle with Eskil Xu.
How to stop your wallet from collecting your personal data: Enabling the Nym Mixnet with Metamask with Harry Halpin.
A privacy layer for Web3: Unlock the potential of Web3 with the Oasis Privacy Layer with Nick Hynes.
How to Stop Crypto Scams from impacting your Community and Users with Nikita Varabei.
Rebasing token attack thread by Daniel Von Fange.
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears – Kudelski Security Research by Nils Amiet (Kudelski Security).
EVM Part I: The ABCs of Ethereum Virtual Machine by Md Zaryab Afser.
EVM Part II: The Journey of Smart Contracts from Solidity code to Bytecode by Md Zaryab Afser.
Integrating Halmos with Foundry tests by Zach Obront.
L2BEAT is a database of Ethereum L2s and their security properties.
Echnida 2.1.0 introduces on-chain fuzzing.
tx2uml 1.1.11 introduces value transfer diagrams.
Token Tester - discover potential vulnerabilities and incompatibilities when interfacing with generic ERC20s.
turbopoc - Turbocharged multichain smart contract POC template generation from the command line. This is more advanced, yet more complicated fork of great quickpoc tool.
Cookbook - search for smart contract or project source code.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Keep reading with a 7-day free trial
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.