BlockThreat - Week 11, 2023
Euler | General Bytes | Poolz | ParaSpace | ChipMixer | MyAlgo
That was one crazy week for DeFi protocols, blockchains, and even a crypto ATM service. Where to begin? Euler's $197M compromise puts it on the list of the top 10 hacks of all time. An unfortunate introduction of unaudited code resulted in attackers methodically emptying its pools. Things got wild after the attackers started sending ETH around and got a response from the North Korean hackers involved in the Ronin hack. If giving a lecture in North Korea gets one a five-year prison sentence, you can only imagine the repercussions for sending $170K to a known threat actor group. I hope this obvious red herring attempt was worth it.
General Bytes, a maker of crypto ATMs, got so thoroughly hacked that it is now shutting down its cloud service offering. Poolz got hit with a now-rare integer overflow exploit, while ParaSpace narrowly avoided a $5M hack only because the attacker messed up the transaction gas fees, allowing BlockSec to rescue the funds at risk!
Indicators for attackers involved in all of these hacks are in the Premium section below.
On the more positive side, ChipMixer has been shut down. End of an era! Multiple UTXO chains and Geth had to patch DoS vulnerabilities, luckily without any asset losses.
Let's dive into the news, but first a word from our sponsor, Chainalysis!
The 2023 Crypto Crime Report is here!
Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:
Why 2022 set records for crypto hacking
How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem
The latest crypto money laundering tactics employed by cybercriminals
What crypto winter means for scammers
How cybersecurity enhancements have hurt ransomware attackers
Cybercriminals' crypto platform ChipMixer seized in international operation involving Interpol and DoJ.
MyAlgo issued preliminary findings for the incident involving a large number of its web users, pointing to CDN exploitation as the root cause of the seed phrase and password compromise.
Plaintiff Wins Case Against Hackers After Serving Court Papers via NFT.
Indexed Finance hacker, Andean Medjedovic, has surfaced leading a nomadic lifestyle as a fugitive traveling around Europe.
Christopher Emms, the British crypto entrepreneur who fled FBI, now works for Russian state media RT following previous arrest rumors in Russia.
‘Circle Swap’ scam exploits USDC depeg fears, drains ether from wallets.
FBI warns of spike in ‘pig butchering’ crypto investment schemes.
The Rug Pull Report by CertiK.
All-Crypto-Wallet-Drainer-MetamaskUpdate wallet drainer by Cronos1402.
On March 13, 2023 Euler lost $197M due to a liquidation reward manipulation vulnerability. The exploit transaction was initially front-run by an MEV bot, but the hard-coded beneficiary address meant only the attacker profited. Things got really wild when the attacker first sent 100 ETH to a random on-chain beggar and later sent 100 ETH to the Ronin Bridge exploiter address, which in turn replied with an encrypted message that some suspect was a phishing attempt, but more likely was simply to thank or even recruit the bad actor, Cuckoo's Egg style. The Euler attacker has since returned 3,000 ETH to Euler and continues communicating with Euler about sending back what is not theirs to keep.
On March 15, 2023 Poolz Finance lost $650K in an integer overflow exploit.
On March 16, 2023 ParaSpace was unsuccessfully targeted with a reward manipulation exploit. BlockSec was able to detect the attacker's attempts and performed the attack themselves, rescuing $5M in assets. On the fun side, the attacker reached out to BlockSec trying to recoup their gas expenses.
On March 17, 2023 General Bytes' BATM management platform was compromised to take over individual ATMs and steal $1.8M.
BitGo Wallet Zero Proof Vulnerability by Fireblocks.
Geth patched a DoS vulnerability first discovered on Goerli Testnet.
Halborn discovered DoS and authenticated remote code execution vulnerabilities in node software on a number of UTXO chains, including Litecoin, ZCash, Doge, and others.
Deanonymizing OpenSea NFT Owners via Cross-Site Search Vulnerability.
Secret Network fixed privacy vulnerabilities in SNIP-20 tokens.
Kava Labs patched a bug that could allow unexpected liquidations.
Incorrect Function visibility leads to the Stealing of Betverse ICO Tokens.
First-known Dero cryptojacking operation seen targeting Kubernetes.
Attackers are starting to target .NET developers with malicious-code NuGet packages by JFrog.
Peeking at Reaper’s surveillance operations by Sekoia surveys APT37 (Reaper) C2 operation used in cyberespionage campaigns.
Web3 interview and audit process with Patrick Collins and Tincho.
Optimal Front Running Attacks & How to Stop Them by Max Resnick.
Blockchain Hacking Techniques 2022 by OpenZeppelin.
Metamorphic Smart Contracts: Is EVM Code Truly Immutable? by MixBytes.
The Auction Grinding Attack and a case for a liquidation penalty in dai.
Reassessing USDC Risks by Gauntlet.
Hitchhiker’s Guide to Security with Emiliano Bonassi.
Recreating Kubz NFT Hack and understanding what went wrong by BuildBear.
Ethereum Virtual Machine Language Design by jtriley.
ABI Encoding Deep Dive by ljmanini.
Cross-Contract Reentrancy explained by PsuedoPandit.
Understanding Block Timestamp Manipulation by NeptuneMutual.
Known problems of ERC-20 token standard by Dexaran.
ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs by SlowMist.
Encrypted Mempools by Jon Charbonneau.
Pyrometer - security tool using a mix of symbolic execution, abstract interpretation, and static analysis.
Immunefi PoC Templates implemented in Foundry.
Paradigm Data Portal - public crypto datasets for researchers and tool builders.
Phalcon introduces a debugging feature.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
General Bytes Attackers
Ethereum Classic: 0x8a9344be2ba8deaa2862eab0aab20c7cc36c432a