BlockThreat - Week 16, 2022
NBA | Zeed | AkuDreams | ENS | AAVE | Java
We finally have a relatively calm week with just a few low value hacks and plenty of good news. For one, last week hosted a number of fantastic talks at Trust X, a dedicated Ethereum security conference out of Amsterdam. It was great to present on the state of NFT security, but also to absorb so much great content! Hope you take some time this week to recharge and sharpen the saw before the next onslaught of hacks. Oh, and be sure to check out Rivaill’s amazing exploit PoC repo in the Tools section below.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to support the newsletter and unlock the premium section with indicators, special reports, and searchable newsletter archives.

ENS, Solana, AAVE and other projects patched critical vulnerabilities thanks to a well-functioning bug bounty machine.
Hackers Are Stealing More Cryptocurrency From DeFi Platforms Than Ever Before report by Chainalysis.
Ongoing phishing campaign on Terra using malicious Google Ads nets attackers $4.31M.
On April 17, 2022 2omb Finance lost $81K due to a reward manipulation vulnerability.
On April 20, 2022 The Association NFT botched its NBA mint after an attacker was able to bypass the allowlist signature verification logic.
On April 20, 2022 Zeed Community lost $1M as a result of a reward manipulation vulnerability. Interestingly, the attacker self-destructed the exploit contract before they had a chance to extract the loot.
On April 24, 2022 AkuDreams locked $34M in a series of bad contract decisions.
Oracle patched a critical vulnerability in Java’s ECDSA implementation.
Solana fixed a rounding error that could drain up to 700M in its implementation of stable swap after it was responsibly disclosed by OtterSec.
Solana patched an account impersonation vulnerability in its Anchor framework after it was responsibly disclosed by Armani Ferrante.
Aave V3’s Price Oracle Manipulation Vulnerability reported by Hackxyk.
ENS Domain Spoofing Vulnerability reported by Hackxyk.
ENS patched a null byte injection vulnerability reported by lcfr.eth.
CosmWasm patched a consensus breaking vulnerability.
Solidly Exchange patched a griefing vulnerability reported by belbix.
Collection of phishing email and messages by Taylor Monahan.
360 Threat Intelligence Center report on Lazarus Word macro spear phishing malware designed to steal cryptocurrency.
Latent Bugs in Billion-Plus Dollar Code by Dedaub on ERC777 reentrancy threats.
Web3 Security: Attack Types and Lessons Learned by Riyaz Faizullabhoy and Matt Gleason.
Big Phish by Rekt explores nation state threat actors in DeFi space.
Programming DeFi: Uniswap V2. Part 4 by Jeiwan.
Crypto Vulnerability Hub by Rivaill is a collection of PoCs for DeFi incidents.
Solidity Fuzzing Boilerplate for Foundry and Echidna by PatrickD.