Blockchain Threat Intelligence

BlockThreat - Week 10, 2023

newsletter.blockthreat.io
Hedera | PeopleDAO | TenderFi | SushiSwap

Peter Kacherginsky
Mar 16
Greetings!

There is a new trend developing with attackers targeting pre-compiled contracts embedded deep inside smart contract chains. Late last year we discussed a $586M BNB Chain hack and now it’s unfortunately Hedera’s turn with its Smart Contract Service. This week also features the silliest hack of the month with attackers simply adding their address to a hidden field in a publicly accessible spreadsheet. Attacker indicators are in the premium section below as always.

On the bright side, this week’s edition features plenty of blockchain security talks from ETHDenver as well as a number of new tools.

Let’s dive into the news, but first a word from our sponsor, Chainalysis!


The 2023 Crypto Crime Report is here!

Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:

  • Why 2022 set records for crypto hacking

  • How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem

  • The latest crypto money laundering tactics employed by cybercriminals

  • What crypto winter means for scammers

  • How cybersecurity enhancements have hurt ransomware attackers

  • And more!

Get your copy now >


News

  • Oasis disabled contract upgrades so it wouldn’t be compelled to confiscate funds in the future like it did with the Wormhole attacker.

  • FBI and international cops catch a NetWire RAT.

Scams

  • Blur zero-dollar purchase phishing attack by BlockSec.

  • Uptick in USDC scams following depegging over the weekend.

  • Sour Grapes: stomping on a Cambodia-based “pig butchering” scam by Sophos.

  • FBI PSA: Criminals Steal Cryptocurrency through Play-to-Earn Games.

Hacks

  • On March 6, 2023 PeopleDAO lost $120K by distributing rewards based on a publicly accessible spreadsheet that included the attacker’s address in a hidden field.

  • On March 7, 2023 TenderFi was exploited for $1.59M due to a misconfigured price oracle. All of the assets were voluntarily returned.

  • On March 9, 2023 multiple projects on Hedera blockchain lost $600K+ due to a delegatecall exploit in the virtual machine’s pre-compiled contract.

  • On March 9, 2023 SushiSwap was once again exploited for $27K through price oracle manipulation, using the same method as last month’s BentoBoxV1 exploit.

Vulnerabilities

  • How Your NFTs Could Have Been Stolen in Just One Click by Permasecure.

  • A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms.

Malware

  • Old Cyber Gang Uses New Crypter – ScrubCrypt by Fortinet.

  • Xenomorph v3: a new variant with ATS targeting more than 400 institutions by Threat Fabric.

  • North Korean UNC2970 Hackers Expand Operations with New Malware Families.

Contests

  • Ethernaut solutions in Yul by teddav.

  • Coinbase CTF for ETHDenver 2023 — Riddle Bounty by StErMi.

  • Ghosts of Epochs Past allows one to replay past Secureum races.

  • Solving Curta CTF Sudoku using Halmos by karma.

Media

  • CPSC 5910 - Blockchain Security - Winter 2022 course by Christian Siefert (Forta).

  • Common Zero-Knowledge Proof Vulnerabilities by D-Squared.

  • ETHDenver Blockchain Security Talks:

    • 2 years and 200 audits later: DAO learnings from building Code4rena with Sock.

    • Bug Patterns in Solidity and Smart Contract Auditing by Yannis Smaragdakis.

    • Security - Today and Tomorrow with Ronghui Gu.

    • DeFi Risk: How to Secure Your Protocol with Blockchain Simulations by Omer Goldberg.

    • Pyrometer: a next-gen solidity security tool with Brock Elmore.

    • Future of Threat Prevention - We can detect exploits, but how do we stop them? by Andrew Beal.

    • Security: The Make or Break For Transitioning from Web2 to Web3 by Shahar Madar.

    • Bridges: how not to hack up everything with Alex Shevchenko.

    • MEV Past, Present, and Future by Joey Zacherl.

    • How to win MEV and trades on ethereum post merge with Eyal Markovich.

    • Cypherpunk Beginnings and the Case for Proof of Work with Bob Summerwill.

    • Web3 Security for Everyone - A new Prospect from the user's angle with Eskil Xu.

    • How to stop your wallet from collecting your personal data: Enabling the Nym Mixnet with Metamask with Harry Halpin.

    • A privacy layer for Web3: Unlock the potential of Web3 with the Oasis Privacy Layer with Nick Hynes.

    • How to Stop Crypto Scams from impacting your Community and Users with Nikita Varabei.

Research

  • Rebasing token attack thread by Daniel Von Fange.

  • Demystifying Exploitable Bugs in Smart Contracts dataset.

  • Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears by Nils Amiet (Kudelski Security Research).

  • EVM Part I: The ABCs of Ethereum Virtual Machine by Md Zaryab Afser.

  • EVM Part II: The Journey of Smart Contracts from Solidity code to Bytecode by Md Zaryab Afser.

  • Integrating Halmos with Foundry tests by Zach Obront.

  • Multi-block MEV.

  • L2BEAT is a database of Ethereum L2s and their security properties.

Tools

  • Echidna 2.1.0 introduces on-chain fuzzing.

  • zkPoEX is a ZK vulnerability disclosure PoC by Raz0r.

  • tx2uml 1.1.11 introduces value transfer diagrams.

  • Token Tester - discover potential vulnerabilities and incompatibilities when interfacing with generic ERC20s.

  • turbopoc - Turbocharged multichain smart contract PoC template generation from the command line. This is a more advanced, yet more complicated, fork of the great quickpoc tool.

  • Cookbook - search for smart contract or project source code.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.


Premium Content

Indicators

PeopleDAO Attackers

Ethereum: 0x6e5cc01c94ffab8a1db9e70a8cac19767f239443

© 2023 Peter Kacherginsky