Hello friends!
That was one crazy week for DeFi protocols, blockchains, and even a crypto ATM service. Where to begin? Euler's $197M compromise puts it on the list of the top 10 hacks of all time. An unfortunate introduction of unaudited code resulted in attackers methodically emptying its pools. Things got wild after the attackers started sending ETH around and got a response from the North Korean hackers involved in the Ronin hack. If giving a lecture in North Korea gets one a five-year prison sentence, you can only imagine the repercussions for sending $170K to a known threat actor group. I hope this obvious red herring attempt was worth it.
General Bytes, a maker of crypto ATMs, got so thoroughly hacked that it is now shutting down its cloud service offering. Poolz got hit with a now-rare integer overflow exploit, while ParaSpace narrowly avoided a $5M hack only because the attacker botched the transaction gas fees, allowing BlockSec to rescue the funds at risk!
Indicators for attackers involved in all of these hacks are in the Premium section below.
On the more positive side, ChipMixer has been shut down. End of an era! Multiple UTXO chains and Geth had to patch DoS vulnerabilities, luckily without any asset losses.
Let’s dive into the news, but first a word from our sponsor, Chainalysis!
The 2023 Crypto Crime Report is here!
Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:
Why 2022 set records for crypto hacking
How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem
The latest crypto money laundering tactics employed by cybercriminals
What crypto winter means for scammers
How cybersecurity enhancements have hurt ransomware attackers
And more!
News
Cybercriminals' crypto platform ChipMixer seized in international operation involving Interpol and DoJ.
MyAlgo issued preliminary findings for the incident involving a large number of its web users, pointing to CDN exploitation as the root cause of the seed phrase and password compromise.
Plaintiff Wins Case Against Hackers After Serving Court Papers via NFT.
The Indexed Finance hacker, Andean Medjedovic, has surfaced, leading a nomadic lifestyle as a fugitive traveling around Europe.
Christopher Emms, the British crypto entrepreneur who fled the FBI, now works for Russian state media RT, following earlier rumors of his arrest in Russia.
Scams
‘Circle Swap’ scam exploits USDC depeg fears, drains ether from wallets.
FBI warns of spike in ‘pig butchering’ crypto investment schemes.
The Rug Pull Report by CertiK.
All-Crypto-Wallet-Drainer-MetamaskUpdate wallet drainer by Cronos1402.
Hacks
On March 13, 2023 Euler lost $197M due to a liquidation reward manipulation vulnerability. The exploit transaction was initially front-run by an MEV bot, but the hard-coded address meant only the attacker benefitted. Things got really wild when the attacker first sent 100 ETH to a random on-chain beggar and later sent 100 ETH to the Ronin Bridge exploiter address, which in turn replied with an encrypted message; some suspect it was a phishing attempt, but more likely it was just to thank or even recruit the bad actor, Cuckoo’s Egg style. The Euler attacker has since returned 3,000 ETH to Euler and continues communicating with Euler about sending back what is not theirs to keep.
On March 15, 2023 Poolz Finance lost $650K in an integer overflow exploit.
On March 16, 2023 ParaSpace was unsuccessfully targeted with a reward manipulation exploit. BlockSec detected the attacker’s attempts and performed the attack themselves, rescuing $5M in assets. On the fun side, the attacker reached out to BlockSec trying to recoup their gas expenses.
On March 17, 2023 the General Bytes BATM management platform was compromised, allowing attackers to take over individual ATMs and steal $1.8M.
Vulnerabilities
BitGo Wallet Zero Proof Vulnerability by Fireblocks.
Geth patched a DoS vulnerability first discovered on Goerli Testnet.
Halborn discovered a DoS and an authenticated remote code execution vulnerability in node software on a number of UTXO chains, including Litecoin, ZCash, Doge, and others.
Deanonymizing OpenSea NFT Owners via Cross-Site Search Vulnerability.
Secret Network fixed privacy vulnerabilities in SNIP-20 tokens.
Kava Labs patched a bug that could allow unexpected liquidations.
Incorrect Function visibility leads to the Stealing of Betverse ICO Tokens.
Malware
First-known Dero cryptojacking operation seen targeting Kubernetes.
Attackers are starting to target .NET developers with malicious-code NuGet packages by JFrog.
Peeking at Reaper’s surveillance operations by Sekoia surveys the APT37 (Reaper) C2 operation used in cyberespionage campaigns.
Media
Web3 interview and audit process with Patrick Collins and Tincho.
Optimal Front Running Attacks & How to Stop Them by Max Resnick.
Research
Blockchain Hacking Techniques 2022 by OpenZeppelin.
Metamorphic Smart Contracts: Is EVM Code Truly Immutable? by MixBytes.
The Auction Grinding Attack and a case for a liquidation penalty in dai.
Reassessing USDC Risks by Gauntlet.
Hitchhiker’s Guide to Security with Emiliano Bonassi.
Recreating Kubz NFT Hack and understanding what went wrong by BuildBear.
Ethereum Virtual Machine Language Design by jtriley.
ABI Encoding Deep Dive by ljmanini.
Cross-Contract Reentrancy explained by PsuedoPandit.
Understanding Block Timestamp Manipulation by NeptuneMutual.
Known problems of ERC-20 token standard by Dexaran.
ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs by SlowMist.
Encrypted Mempools by Jon Charbonneau.
Tools
Pyrometer - a security tool using a mix of symbolic execution, abstract interpretation, and static analysis.
Immunefi PoC Templates implemented in Foundry.
Paradigm Data Portal - public crypto datasets for researchers and tool builders.
Phalcon introduces a debugging feature.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Premium Content
Indicators
ParaSpace Attackers
General Bytes Attackers