Greetings!

It’s been a busy week. More than $21m were stolen from various DeFi projects due to all too familiar price oracle manipulation, reentrancy, and even a rare misconfiguration vulnerabilities. The latter was used to exploit a really old Yearn contract with a vulnerability sitting there for many years. Who and why keeps a balance in all of these old contracts? Interestingly two of the hacks were related to Compound protocol forks which is known to be particularly deadly if not careful.

The alarming trend of centralized exchange compromises continued as well with the $23m Bitrue hotwallet hack. The last time we had back to back incidents like this was back in November 2022 with Deribit and FTX hacks. Let’s hope the trend ends there.

Detailed indicators for all the above hacks are in the premium section below.

Oh and I hope you are not too tired of crypto phishing emails. Consensys just announced a leak of metamask user support tickets so get ready for the next wave.

Stay safe folks! Let’s dive into the news.

News

• The Web3 Security Quarterly Report for Q1 2023 by CertiK.

• The U.S. Cracked a $3.4 Billion Crypto Heist—and Bitcoin’s Anonymity.

• FTX's Cybersecurity Was Hilariously Bad.

Scams

• Etherscan Reconfigures Blockchain Explorer Settings to Filter Out Potential Scams.

• Twitter support social engineered to take over zkSync account.

• Scammers create news of compromises to direct users to a fake revoke cash site.

Hacks

• On April 4, 2023 Sentiment lost $1m due to a read-only reentrancy exploit. The attacker returned 90% of funds following on-chain negotiation.

• On April 11, 2023 Paribus lost $100k due to a known reentrancy vulnerability forked from an older Compound fork.

• On April 11, 2023 Metapoint lost $920k due to an access control vulnerability.

• On April 13, 2023 Yearn Finance lost $11.6m due to a misconfiguration in a deprecated contract which still held a sizable balance.

• On April 14, 2023 Bitrue Exchange lost $23m likely due to a hotwallet compromise.

• On April 14, 2023 Consensys shared news of a leak concerning Metamask customer support tickets.

• On April 15, 2023 Hundred Finance lost $7m due to a price oracle manipulation unique to empty Compound-like protocols.

• On April 15, 2023 0x0 Audits lost 18k in a price oracle manipulation exploit.

• On April 16, 2023 Swapos lost $467k by incorrectly calculating k-value.

Vulnerabilities

• Stealing Gas: Bypassing Ethermint Ante Handlers by Felix Wilhelm (Jump)

• Software wallets research series: EIP-712 implementation issue impacting 40+ vendors by Matias Sequeria (Coinspect).

• Critical bugs in Facebook/Polygon Winterfell library by Google Project Zero.

• Gnosis deployed a hard fork to fix a reentrancy issue in a smart contract.

Contests

• Cairo 1.0 Starknet Security Challenge by devnet0x

Media

• Fuzz & Invariant Tests - The secret to finding CRITICAL vulnerabilities faster by Patrick Collins.

• Whats ABI? with Shazow (Spearbit).

Research

• EF/CF: High Performance Smart Contract Fuzzing for Exploit Generation.

• How HYDN Rescued $600k Worth of User Funds For SushiSwap.

• Hacking an Ethereum Node (really) by TrustChain.

• Digging into Compound by bytes032.

• Uniswap V2 — DeFi Protocol explained from its code by Bloqarl.

• DeFi Lending Concepts Part 1: Lending and Borrowing by Tal.

• DeFi Lending Concepts Part 2: Liquidations by Tal.

Tools

• Dedaub decompiles to Yul for hard to decompile smart contracts.

• MEV Blocker protects from frontrunning and sandwich attacks.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content