Greetings!
Just a few incidents this week with less than $500K in losses. Let’s dive into some of the more notable hacks, but first a note from our sponsor, Audit Wizard! With tools like AI-generated PoCs, rapid Foundry testing, code graphing, and function tracing, this all-in-one smart-contract security platform can really supercharge your auditing powers. Check it out!
Audit Wizard enables developers and auditors to find bugs in smart contracts. Import a project to scan for vulnerabilities, visualize functions, chat with AI about security concerns, and more.
Built by security engineers, Audit Wizard is an easy, one-click solution for finding bugs in web3 code. Sign up for free here!
FixedFloat exploited again. According to the team, it was the same bad actor as in the February hack, which targeted a third-party dependency. There is a reason the "P" in APT stands for persistent. It can be hard to dissuade the same bad actor from attacking again, especially when they have already gained an initial foothold and collected credentials and insider knowledge. Furthermore, a single compromise sends a global signal to other malicious entities to take a deeper look at your project as well. This is why, out of the 1000+ incidents recorded since the newsletter started, 14% involved the same project multiple times. Here are just some stats affecting DeFi projects:
| Project | Incident Count | Total Losses |
|---|---|---|
| SushiSwap | 8 | $7M |
| Curve | 7 | $93M |
| Multichain | 7 | $239M |
| OpenSea | 6 | $4M |
| Indexed Finance | 4 | $16M |
Things are even worse on the CeFi side, where web2-heavy infrastructure is targeted frequently but compromises are not always publicly visible.
The premium version of the newsletter includes additional coverage and indicators for Open Leverage, ATM Token, and other compromises.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!