Greetings!
Almost $12M was stolen across six DeFi compromises caused by very common vulnerability classes, including an emerging one we discussed last week. We have a lot of critical lessons to discuss, but first a quick note from our sponsors!
This week’s edition was sponsored by Pashov Audit Group! Pashov inspired the solo-auditor movement with high quality reports which challenged larger organizations. His research was also featured numerous times on BlockThreat. All of this makes his team’s capabilities that much more exciting. Check them out for your next audit!
Product-market-fit is hard. Not getting hacked is harder. Audits are not silver bullets, but a good one drastically decreases the chances of a successful attack. An "internal review" by your developers is not an audit. Even worse, whale users hate using code that's not secure.
At Pashov Audit Group we know for a fact that we can help you secure your code in a painless, high-quality and express manner. We are looking for established projects who invest in security and are looking for the highest quality security partner.
We still have a couple of slots available over the next couple of months. Reach out for security help - https://pashov.net/
Last week we talked about the rise in exploits taking advantage of arbitrary external calls in contracts. Unfortunately, this flaw cost Unizen’s users $2.6M. Just as in previous such attacks, the initial exploit attracted copycats which, for hours, went through all of the users’ approvals and drained their wallets. In typical degen fashion, one of the exploiters briefly created a liquidity pair with a newly minted Yoink coin, most likely to rug potential investors. A whitehat rescue to save some of the vulnerable funds on Polygon was also foiled by bloXroute’s RPC, which sparked a bidding war among MEV bots including the KyberSwap exploiter. This makes the Unizen hack an unfortunate case study in the failure of multiple security controls (code audit, monitoring, response, recovery, etc.), with its users suffering the consequences.
The Ethereum Dencun upgrade will go live next week. The upgrade implements EIP-6780, which disables the SELFDESTRUCT opcode’s ability to delete contract state. This change effectively kills metamorphic contracts (contracts that are destroyed and then redeployed with different code at the same CREATE2 address), a technique known as “Wild Magic” which was abused in last year’s Tornado Cash governance exploit to steal $3.2M. SELFDESTRUCT can still be used to force-send ETH, so your exploits and Ethernaut - Level 7 will continue working for now.
WooFi experienced a second hack this year, with much greater consequences. The pause function was executed at 15:56:12, just 14 minutes after the first exploit transaction, which is a fantastic response time. Unfortunately, three exploit transactions still executed. The incident response team is going through the usual “whitehat” negotiation, but it sounds like they may have a good lead. In the meantime, the attacker bridged the stolen funds to Ethereum and holds them here.
A customer database dump from Strike, the Bitcoin Lightning Network payment provider, showed up for sale on BreachForums. Even with its founder denying any compromise, this was something we expected to happen sooner or later after the compromise in October 2023. Get ready for more targeted phishing emails!
The premium version of the newsletter includes detailed exploit information, PoC code, and indicators on the incidents discussed above as well as GHT, TGBS, Juice Bot, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
DeFi Security Summit 2024, November 7-9 in Bangkok, Thailand.
News
Top 10 Blockchain Hacking Techniques 2023 by OpenZeppelin.
Internet Crime Report 2023 by the FBI points to a billion-dollar rise in crypto investment fraud. The number is likely to explode as we enter the bull market.
Crime
Phishing
$104 million in crypto lost to phishing incidents within two months of 2024.
Wallet Drainer Exploits Numerical Address Bypass Security Alerts by ScamSniffer.
Unraveling the Sophisticated Phishing Scheme Behind Fake Google Ads by SlowMist.
Crime Incorporated: CryptoGrab's UK Business Registration by CertiK.
Sherlock’s X account compromised to spread a phishing link.
Scams
Malware
Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence by Cado. Compromised services are used for crypto mining.
Research
Smart Contract Auditing Tools Reviewed: Pros, Cons, And The Need For Manual Checks by Saylık Seher and Malanii Oleh (Hacken).
EVM notes by Chinmay Farkya is a massive repository of technical notes aimed at security researchers and reverse engineers.
SoK: Cross-Chain Bridging Architectural Design Flaws and Mitigations.
Characterizing Ethereum Upgradable Smart Contracts and Their Security Implications.
ZK Bug Tracker by 0xPARC.
Tools
Smart Contract VulnDB by tintinweb. An open dataset containing smart contract audit issues from various sources.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content