Greetings!
Just a few incidents this week with less than $500K in losses. Let’s dive into some of the more notable hacks, but first a note from our sponsor, Audit Wizard! With tools like AI-generated PoCs, rapid Foundry testing, code graphing, and function tracing, this all-in-one smart-contract security platform can really supercharge your auditing powers. Check it out!
Audit Wizard enables developers and auditors to find bugs in smart contracts. Import a project to scan for vulnerabilities, visualize functions, chat with AI about security concerns, and more.
Built by security engineers, Audit Wizard is an easy, one-click solution for finding bugs in web3 code. Sign up for free here!
FixedFloat exploited again. According to them, it was the same bad actor from the February hack, which targeted a third-party dependency of theirs. There is a reason why APTs have the persistent component. It can be hard to dissuade the same bad actor from further attacks, especially once they have gained an initial foothold and collected credentials and insider knowledge. Furthermore, a single compromise sends a global signal to other malicious entities to take a deeper look at your project as well. This is why, out of the 1000+ incidents recorded since the newsletter started, 14% involved the same project multiple times. Here are just some stats affecting DeFi projects:
Project            Incident Count    Total Losses
SushiSwap          8                 $7M
Curve              7                 $93M
Multichain         7                 $239M
OpenSea            6                 $4M
Indexed Finance    4                 $16M
Things are even worse on the CeFi side, as their web2-heavy infrastructure is targeted frequently, but compromises are not always publicly visible.
The premium version of the newsletter includes additional coverage and indicators for Open Leverage, ATM Token, and other compromises.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
Wormhole initially included its own hacker in 670 million token airdrop.
AT&T acknowledges data leak that hit 73 million current and former users.
News
Price of zero-day exploits rises as companies harden products against hackers. Up to $7M for iOS and $5M for Android remote exploits. With prices this high, do you consider yourself important enough for someone to burn the bug?
Crime
Terraform Labs and founder Do Kwon found liable in US civil fraud trial.
Crypto Trader Eisenberg's $110M Fraud Trial to Put DeFi Under Microscope.
Detained Binance Exec Pleads Not Guilty to Money Laundering Charges in Nigeria.
OneCoin legal officer gets 4 years in prison for crypto scheme.
Policy
Phishing
Google sues two developers for putting 87 fraudulent crypto apps on Google Play store.
$71 Million Stolen Due To Phishing In March by Scam Sniffer.
A brief analysis of Angel Drainer by Bernard Mueller.
Hacking back against Uniswap Multicall phishers by MevRefund.
Hackers deploy crypto drainers on thousands of WordPress sites.
Wormhole’s Robinson Burkey’s X account compromised.
Scams
"The Monkey Fraud": An interview with Ryder Ripps by Molly White.
Research
Geth Out-of-Order EIP Application Denial-of-Service by iosiro. The responsibly disclosed bug was exactly what we all feared.
How We Accidentally Discovered a DoS Attack and Received a $25K Bounty by Elad Ernst (dWallet Labs) on finding RCE and DoS bugs in Icon.
Generating unit tests from broken stateful invariant tests by Nican0ir and Antonio Viggiano.
Fuzzing smart-contracts practical aspects: Echidna by Sergey Boogerwooger (MixBytes).
NFT auction protocol audit checklist by Al-Qa’qa’.
Vulnerabilities of smart contracts and mitigation schemes: A Comprehensive Survey.
Eclipse Attack Detection on a Blockchain Network as a Non-Parametric Change Detection Problem.
Tools
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content