BlockThreat - Week 12, 2024
Curio | Super Sushi Samurai | Dolomite | AirDAO | TICKER | ARK | LayerSwap | ParaSwap
Greetings!
A tough week for the crypto ecosystem with almost $25M stolen across 9 incidents. The compromises spanned the widest spectrum of vectors, from classic smart-contract weaknesses to insider threat to web2 infrastructure hacks. Let’s dive into some of the more notable hacks, but first a note from our sponsor Audit Wizard! With tools like AI-generated PoCs, rapid Foundry testing, code graphing, and function tracing, this all-in-one smart-contract security platform can really supercharge your auditing powers. Check it out!
Audit Wizard enables developers and auditors to find bugs in smart contracts. Import a project to scan for vulnerabilities, visualize functions, chat with AI about security concerns, and more.
Built by security engineers, Audit Wizard is an easy, one-click solution for finding bugs in web3 code. Sign up for free here!
Let’s start with the worst compromise last week, which cost Curio almost $16M. Governance token holders were granted access rights to a function that performed a delegatecall to a malicious contract. Because delegatecall runs the target’s code in the calling contract’s own storage context, whoever controls the target controls the protocol’s state.
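As an added illustration of that pattern (not Curio’s code, and not part of the original newsletter), the hypothetical Foundry test below puts a token-gated arbitrary delegatecall next to a hardened version. Contract and function names (VulnerableGovernance, Payload, HardenedGovernance, execute, approveTarget) are assumptions; it assumes forge-std is installed as in a standard `forge init` project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the "token-gated arbitrary delegatecall" pattern.
// Every name below is hypothetical; this is not Curio's code.
import "forge-std/Test.sol";

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Minimal mock governance token, constructed for the test.
contract MockGov is IERC20 {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// VULNERABLE: holding any amount of the governance token lets the caller pick
// the delegatecall target. delegatecall executes the target's code in THIS
// contract's storage, so the caller can rewrite owner, balances, anything.
contract VulnerableGovernance {
    address public owner;              // storage slot 0
    IERC20 public immutable govToken;  // immutable: lives in code, not storage

    constructor(IERC20 token) { govToken = token; owner = msg.sender; }

    modifier onlyTokenHolder() {
        require(govToken.balanceOf(msg.sender) > 0, "no governance power");
        _;
    }

    function execute(address target, bytes calldata data) external onlyTokenHolder {
        (bool ok, ) = target.delegatecall(data);
        require(ok, "delegatecall failed");
    }
}

// Attacker's contract: mirrors the victim's storage layout so that writing
// its slot 0 writes the victim's `owner`. msg.sender is preserved across
// delegatecall, so `owner` becomes the attacker's EOA.
contract Payload {
    address public owner; // slot 0, same as VulnerableGovernance.owner
    function pwn() external { owner = msg.sender; }
}

// HARDENED: (1) only a timelock that executes passed proposals may call in,
// not anyone who happens to hold tokens, and (2) the delegatecall target
// must be on an explicit allowlist maintained through that same timelock.
contract HardenedGovernance {
    address public owner;                          // slot 0
    mapping(address => bool) public approvedTargets; // slot 1
    address public immutable timelock;

    constructor(address timelock_) { timelock = timelock_; owner = msg.sender; }

    modifier onlyTimelock() { require(msg.sender == timelock, "not timelock"); _; }

    function approveTarget(address target, bool approved) external onlyTimelock {
        approvedTargets[target] = approved;
    }

    function execute(address target, bytes calldata data) external onlyTimelock {
        require(approvedTargets[target], "target not approved");
        (bool ok, bytes memory ret) = target.delegatecall(data);
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } } // bubble up reason
    }
}

contract DelegatecallTakeoverTest is Test {
    address attacker = makeAddr("attacker");
    address timelock = makeAddr("timelock");
    MockGov gov;
    VulnerableGovernance vuln;
    HardenedGovernance hard;
    Payload payload;

    function setUp() public {
        gov = new MockGov();
        gov.mint(attacker, 1); // a single unit of the token passes the gate
        vuln = new VulnerableGovernance(gov);
        hard = new HardenedGovernance(timelock);
        payload = new Payload();
    }

    function test_anyTokenHolderBecomesOwner() public {
        vm.prank(attacker);
        vuln.execute(address(payload), abi.encodeCall(Payload.pwn, ()));
        assertEq(vuln.owner(), attacker); // takeover with one token
    }

    function test_hardenedRejectsBothGates() public {
        bytes memory data = abi.encodeCall(Payload.pwn, ());
        vm.prank(attacker);
        vm.expectRevert(bytes("not timelock"));
        hard.execute(address(payload), data);
        vm.prank(timelock);
        vm.expectRevert(bytes("target not approved"));
        hard.execute(address(payload), data);
    }
}
```

Run it with `forge test`. Two caveats from the hardened version: a token-balance check is not access control when the token trades on the open market, since anyone can acquire a balance; and the allowlist only narrows the blast radius, because an approved target still executes inside the governance contract’s storage and must be reviewed for layout compatibility and for any selfdestruct path before it is approved.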
Super Sushi Samurai was hit with the ERC-404 transfer weakness we discussed in the BlockThreat - Week 7, 2024 issue. The attacker was able to drain $4.6M from the protocol. Luckily, it turned out to be a whitehat rescue of a flaw that would otherwise have been exploited imminently by bad actors.
Even more web3 users were drained this week after Layerswap’s GoDaddy DNS account was hijacked and visitors were redirected to a phishing kit.
On the bright side, the malicious insider who stole $900K from TICKER was thoroughly doxxed and referred to law enforcement by ZachXBT! Let’s just hope French courts don’t pull another “code is law” ruling and let this criminal walk free.
The premium version of the newsletter includes detailed exploit information, PoC code, and indicators for the incidents discussed above, as well as the private key theft at AirDAO, insufficient function access control in ARK, more arbitrary external call exploitation in Dolomite, competitors targeting MintDefense, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh, and be sure to check out my talk on who the bad actors are, including their tactics and backgrounds, and the steps you can take to defend against them.
Let’s dive into the news!
News
Tornado Cash Dev Pertsev's $1.2B Money Laundering Allegations Detailed Ahead of Dutch Trial. The prosecution added up stolen assets from compromises such as Ronin to arrive at the astronomical amount.
UN probing 58 alleged crypto heists by North Korea worth $3 billion.
Hardware-level Apple Silicon vulnerability can leak cryptographic keys. You can learn more about the GoFetch attack here.
Mastercard-owned CipherTrace tells clients it is shutting down key products.
Crime
Do Kwon Released From Montenegrin Prison on Bail; Terraform Labs' Civil Trial Begins in NYC.
LAPD Recovers $6.9 Million Worth of Stolen Bitcoin Mining Rigs, Suspects in Custody.
Woman found with £2bn in Bitcoin convicted of money laundering arrangement offence. On a related note, Jian Wen’s associate Zhimin Qian once had dreams of being a Buddhist goddess.
DOJ, Secret Service Seek Forfeiture of $2.3 Million in Cryptocurrencies Tied to Pig Butchering.
Russian arrested on Samui for allegedly robbing compatriot of ฿1.8m in Bitcoins.
Ransomware gang wants 15 bitcoins from ‘world’s largest’ yacht dealer.
Policy
SEC probing crypto companies in Ethereum investigation. The news comes alongside the Ethereum Foundation removing the warrant canary from its website.
Judge slams SEC for ‘gross abuse of power’ in crypto case, imposes sanctions.
Phishing
Email phishing scam targeting BlockFi, FTX creditors reels in millions and counting.
I got hacked. What did I do after? by Eesheng. In-depth analysis of the malicious Bitbucket repo used to steal MetaMask mnemonics and OAuth tokens. This is the same exploit that targeted @syedasadkazmii last week.
Attempted EtherFi X account takeover using OAuth token theft. The news comes along with a number of successful X compromises including Cointelegraph, Trezor, Gotbit, and others.
Scams
Crypto scams more costly to the US than ransomware, Feds say.
Cryptocurrency Scams Unveiled: Insights and Prevention by SlowMist.
Lucky Star Currency rugs again for $297K by CertiK.
Malware
Over 170K Users Affected by Attack Using Fake Python Infrastructure by Checkmarx.
TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks.
Media
Blockchain Threat Actors by Peter Kacherginsky. Learn about threat actor identities and techniques used to target DeFi protocols as well as defenses and response capabilities one must build to fight them.
Research
My Hitchhiker's Guide to Security by Emiliano Bonassi.
Assembly and Formal Verification by Cyfrin Updraft.
Solodit Data Dive: Exposing Vulnerability Trends in Audit Reports by w1x0m.
Patching reentrancy in ERC-4626 vault by Hoshiyari.
Lending protocol exploitation pattern based on rounding errors by Kankodu.
Discovering and Fixing a Critical Vulnerability in Polygon zkEVM by Verichains.
Bug report of Tectonic (Cronos) reentrancy to mint tokens at 100x actual rate by 0xDjango. Also described in this thread.
Swimming Safely In The Public Mempool: MEV Smart Contract Obfuscation Techniques by DeGatchi.
Why fuzzing over formal verification? by Trail of Bits.
Implementing stateful invariant testing with Halmos by Antonio Viggiano.
Discouragement attacks against centralized validator sets by thefett.
A Hitchhiker's Guide to Solana Program Security by 0xIchigo (Helius).
Large Language Models for Blockchain Security: A Systematic Literature Review.
Unveiling Huff campaign on Node Guardians.
DeFi Risk Assessment Guidelines by Enterprise Ethereum Alliance.
Blockchain dark forest selfguard handbook by SlowMist.
Everything you need to know to start with EigenLayer by Oleg Bobrov (Pessimistic Security).
Tools
Releasing the Attacknet: A new tool for finding bugs in blockchain nodes using chaos testing by Trail of Bits.
Read code like a pro with our weAudit VSCode extension by Trail of Bits.
Daily Glider repo by ustas.eth has queries, tips, and guides on the Glider security research tool.
Smart Contract Auditor Tools and Techniques by shanzson.
ethernaut-cli - an AI agent that is given access to web3 actions.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.