BlockThreat - Week 16, 2023
Trust Wallet | FilDA | Tales of Elleria | KuCoin | KyberSwap | Blur
At least $1.3m was stolen this week from various DeFi projects, vulnerable wallets, phished users, and more. Price oracle manipulation comes up again and again as the primary root cause of most of these hacks. What’s causing protocol designers to miss this vulnerability? Is it deficiencies in the software development process, tools, education? Sounds like a great vulnerability class for defenders to focus on.
Trust Wallet’s browser extension was found to have a weak key entropy vulnerability. Stop reading the newsletter and check if you are vulnerable here! Is this related to the infamous $4m heist in a hotel lobby in Rome?
Let’s dive into the news! Oh and be sure to check out Coinbase Unit 0x Team’s latest deep dive analysis into the Euler compromise in the research section below.
Ingonyama CTF - Players and teams will be challenged in their knowledge of ZK cryptography, hacking skills and problem solving.
Reports of a new transaction pollution attack on EVM chains by Tal Be’ery.
On April 17, 2023 DeFiGeek Japan was hit with a price oracle manipulation exploit resulting in the loss of $20k.
On April 19, 2023 OceanLife lost $11k in a price oracle manipulation exploit.
On April 19, 2023 Tales of Elleria lost $280k due to private key theft.
On April 20, 2023 Unlock Protocol lost $35k due to faulty function access control.
On April 20, 2023 Elastic BNB lost $10k due to a price oracle manipulation exploit.
On April 23, 2023 KuCoin’s Twitter account was compromised and used in a phishing campaign.
On April 23, 2023 UniSat Wallet experienced a double spend attack due to a vulnerability in its BRC-20 protocol.
Alchemist patched an access control vulnerability thanks to a responsible disclosure by Dacian.
Klaytn patched DoS and remote code execution vulnerabilities in their nodes’ RPC interfaces thanks to a responsible disclosure by ChainLight.
Chameleon: A New Android Malware Spotted In The Wild by Cyble mimics banking and crypto apps.
Threat Actors Rapidly Adopt Web3 IPFS Technology by Unit 42.
Euler Compromise Investigation - Part 1 - The Exploit by Heidi Wilder, Peter Kacherginsky, Anto Joseph.
Euler Compromise Investigation - Part 2 - The Redemption by Heidi Wilder, Peter Kacherginsky, Anto Joseph.
Benchmarking Smart-Contract Fuzzers by Valentin Wustholz.
The 7 Deadly Sins of Lending Protocols by Nick Ruck.
Solidity Smart Contract Attack Vectors by Quillhash.
Slitherin, a collection of Slither detectors by the Pessimistic.io team.
ItyFuzz - Fast hybrid fuzzer for EVM, MoveVM (WIP), etc.
Daedaluzz is a tool for automatically generating benchmarks for smart-contract fuzzers.
Zeromev API allows you to get transaction level MEV summary data for the Ethereum blockchain.
DethCode - view the source of deployed Ethereum smart contracts in VS Code.
ZeroSeeker is a Rust-based command-line utility that generates Ethereum contract addresses with a specified number of leading or total zero bytes.