BlockThreat - Week 14, 2022
StarStream | HospoWise | GymDefi | WonderHero | Hydra
This week attackers started getting really creative with their NFT scams. Another price manipulation exploit brought $4M in profit to the evildoer, there was a massive crackdown on the Hydra darknet market, and yet another piece of cloud-based malware is installing cryptominers. On the bright side, we'll dive into plenty of excellent video recordings and research papers, and explore the vulnerabilities behind a number of DeFi projects.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to support the newsletter and unlock the premium section with indicators, special reports, and searchable newsletter archives.
Solana Miami event evacuated and a bomb squad called after a security risk was detected during a routine sweep.
KiwiSwap UX flaw abused to trick users into purchasing fake NFTs.
Ongoing phishing campaign using a fake approval revocation site.
Deep dive into NFT phishing campaign used to steal BAYC 3738.
Common NFT contract code contains a rugpull vulnerability.
On April 4, 2022 HospoWise lost $260K after someone took advantage of a publicly exposed burn() function to manipulate a liquidity pair.
On April 7, 2022 WonderHero lost $320K due to a private key compromise.
On April 8, 2022 StarStream Finance lost $4M due to insufficient function access controls that allowed arbitrary function execution.
On April 10, 2022 GymDeFi lost $560K as a result of a price manipulation vulnerability in its LiquidityMigrationV2 contract.
Convex Finance patched a vulnerability that could allow rugpulling of $15B in stored CRV assets after it was responsibly disclosed by OpenZeppelin.
Humble Finance identified an unknown vulnerability and is asking users to remove liquidity.
FiatDAO patched a vulnerability triggered when performing reward upgrades.
Frax patched a vulnerability that could allow massive slippages after it was responsibly disclosed by Daniel Von Fange.
New malware targets lambdas to mine crypto, as reported by Cado Security.
Winners of the Underhanded Solidity Contest 2022. Congratulations Tynan Richards, Santiago Palladino, and Michael Zhu!
Cryptocurrency Class 2022 - Security of Smart Contracts with Mudit Gupta and Taylor Monahan.
Future of DeFi Security Panel at FutureFi featuring RugDoc, CertiK, and Zokyo.
Transaction obfuscation thread by Edgar Arout.
Hydra Marketplace Seizure Address