Blockchain Threat Intelligence

BlockThreat - Week 16, 2023

Trust Wallet | FilDA | Tales of Elleria | KuCoin | KyberSwap | Blur

Peter Kacherginsky
May 02, 2023
∙ Paid

Greetings!

At least $1.3m was stolen this week from various DeFi projects, vulnerable wallets, phished users, and more. Price oracle manipulation rings again and again as the primary root cause of most of these hacks. What is causing protocol designers to keep missing this vulnerability class: deficiencies in the software development process, tooling, or education? It sounds like a great vulnerability class for defenders to focus on.
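
To make the root cause concrete, here is a constructed toy model of the pattern behind this week's oracle manipulation incidents. It is added example code, not taken from the newsletter or from any of the projects it links. Assumptions: a fee-free constant-product AMM (x * y = k), a lending market that lends up to 75% of collateral value, and an attacker who can borrow 5,000,000 USD atomically via a flash loan. Token names, reserves and amounts are invented. The same scenario is run twice, once against a spot-price oracle that reads the pool's current reserves and once against a time-weighted average of prices observed in earlier blocks.

```python
"""Toy model of spot-price oracle manipulation against a lending market.

Constructed example, not code from any project named in this newsletter.
Assumptions: fee-free x * y = k pool, 75% loan-to-value limit, and an
attacker with atomic access to a 5,000,000 USD flash loan.
"""
from fractions import Fraction as F

LTV = F(3, 4)  # assumed loan-to-value limit of the lending market


class ConstantProductPool:
    """x * y = k pool holding TOK and USD. Fee omitted to keep the arithmetic exact."""

    def __init__(self, reserve_tok, reserve_usd):
        self.tok = F(reserve_tok)
        self.usd = F(reserve_usd)

    def spot_price(self):
        """USD per TOK implied by the current reserves."""
        return self.usd / self.tok

    def swap_usd_for_tok(self, usd_in):
        k = self.tok * self.usd
        new_usd = self.usd + F(usd_in)
        new_tok = k / new_usd
        tok_out = self.tok - new_tok
        self.usd, self.tok = new_usd, new_tok
        return tok_out

    def swap_tok_for_usd(self, tok_in):
        k = self.tok * self.usd
        new_tok = self.tok + F(tok_in)
        new_usd = k / new_tok
        usd_out = self.usd - new_usd
        self.usd, self.tok = new_usd, new_tok
        return usd_out


class SpotOracle:
    """Vulnerable pattern: price = current reserve ratio, readable mid-transaction."""

    def __init__(self, pool):
        self.pool = pool

    def price(self):
        return self.pool.spot_price()


class TwapOracle:
    """Safer pattern: average of prices recorded at the end of earlier blocks.

    A swap inside the current block does not change what this returns; an
    attacker would have to hold the manipulated price across several blocks,
    exposed to arbitrage the whole time.
    """

    def __init__(self, past_prices):
        self.observations = [F(p) for p in past_prices]

    def price(self):
        return sum(self.observations) / len(self.observations)


def max_borrow_usd(collateral_tok, oracle):
    return F(collateral_tok) * oracle.price() * LTV


def run_scenario(use_twap):
    """Pump the pool, borrow against inflated collateral, dump, repay the flash loan."""
    pool = ConstantProductPool(100_000, 1_000_000)   # fair price: 10 USD per TOK
    fair_price = pool.spot_price()
    oracle = TwapOracle([10, 10, 10]) if use_twap else SpotOracle(pool)
    collateral = F(1_000)                             # attacker's deposited TOK
    flash_loan = F(5_000_000)

    honest_borrow = max_borrow_usd(collateral, oracle)
    tok_bought = pool.swap_usd_for_tok(flash_loan)   # step 1: pump TOK price
    manipulated_price = oracle.price()
    borrowed = max_borrow_usd(collateral, oracle)    # step 2: borrow at inflated value
    usd_back = pool.swap_tok_for_usd(tok_bought)     # step 3: dump, recover the flash loan
    flash_loan_repaid = usd_back >= flash_loan

    # The attacker walks away from the loan; the market keeps collateral worth
    # collateral * fair_price against a debt of `borrowed`.
    protocol_loss = max(F(0), borrowed - collateral * fair_price)
    return {
        "honest_borrow": honest_borrow,
        "manipulated_price": manipulated_price,
        "borrowed": borrowed,
        "flash_loan_repaid": flash_loan_repaid,
        "protocol_loss": protocol_loss,
    }


if __name__ == "__main__":
    for twap in (False, True):
        r = run_scenario(twap)
        print("TWAP" if twap else "spot",
              {k: float(v) if isinstance(v, F) else v for k, v in r.items()})
```

With the spot oracle the single in-block swap moves the quoted TOK price from 10 to 360 USD, so 1,000 TOK of collateral (fairly worth 10,000 USD) supports a 270,000 USD borrow, and the dump returns exactly the flash loan. The TWAP oracle quotes 10 USD throughout and caps the borrow at 7,500 USD. Fractions are used so the figures are exact rather than floating-point approximations; a real pool's swap fee and the TWAP's own manipulation cost across blocks are the next things to model.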

The Trust Wallet browser extension was found vulnerable to a weak key entropy bug. Stop reading the newsletter and check whether your wallet is affected! Is this related to the infamous $4m heist in a hotel lobby in Rome?
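
The following constructed example shows why "weak key entropy" is a total break rather than a theoretical weakness. It is added illustration code, not Trust Wallet's or any other wallet's implementation, and it makes no claim about that extension's bug beyond the general class: a key derived from a deterministic PRNG seeded with a small value. Assumptions: a 32-bit seed (so at most 2**32 distinct keys), and a SHA-256 stand-in for the real secp256k1 public-key plus keccak address derivation, which changes nothing about the search. The same seed-enumeration loop is what brute-force tools for such wallets, like the Profanity one listed under Tools below, automate at scale.

```python
"""Why a PRNG seeded with few bits yields recoverable keys.

Constructed example; not Trust Wallet's code and not a description of its
specific bug. Assumes a 32-bit seed fed to a deterministic PRNG and models
addresses with a SHA-256 stand-in instead of secp256k1 + keccak.
"""
import hashlib
import random
import secrets

SEED_BITS = 32  # assumed seed width; 2**32 ~= 4.3e9 candidate keys in total


def weak_private_key(seed: int) -> bytes:
    """Deterministic 32-byte key from a non-cryptographic PRNG (Mersenne Twister)."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_private_key() -> bytes:
    """What a wallet should do: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32)


def address_of(private_key: bytes) -> str:
    """Stand-in address derivation (assumption: any one-way key-to-address map works here)."""
    return hashlib.sha256(b"pubkey:" + private_key).digest()[-20:].hex()


def recover_seed(target_address: str, seed_space: range):
    """Attacker's loop: regenerate each candidate key and compare addresses.

    Over the full 2**32 space this is hours of work in native code, not a
    cryptographic obstacle; Python over a reduced range keeps the demo fast.
    """
    for seed in seed_space:
        if address_of(weak_private_key(seed)) == target_address:
            return seed
    return None


def demo(victim_seed: int = 0xF3A7, search_bits: int = 16) -> dict:
    """Recover a weakly generated key from its public address; fail against a strong key."""
    victim_address = address_of(weak_private_key(victim_seed))
    recovered = recover_seed(victim_address, range(1 << search_bits))
    key_recovered = (recovered is not None
                     and weak_private_key(recovered) == weak_private_key(victim_seed))

    # Same attack against a properly generated key: the search space is 2**256,
    # so enumerating any feasible range finds nothing.
    strong_address = address_of(strong_private_key())
    strong_hit = recover_seed(strong_address, range(1 << 12))

    return {
        "recovered_seed": recovered,
        "weak_key_recovered": key_recovered,
        "strong_key_recovered": strong_hit is not None,
        "keys_in_full_weak_space": 1 << SEED_BITS,
    }


if __name__ == "__main__":
    print(demo())
```

The victim in the demo happens to use seed 0xF3A7, so a 2**16 search finds it in about a second; the point is that the full 2**32 space is only 65,536 times larger, which is a budget question for the attacker, not a security margin. Any wallet whose keys come from something other than a CSPRNG with at least 128 bits of real entropy is in this situation regardless of how long the resulting mnemonic looks.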

Let's dive into the news! Oh, and be sure to check out the Coinbase Unit 0x Team's latest deep-dive analysis of the Euler compromise in the research section below.

Events

  • Ingonyama CTF - Players and teams will be challenged in their knowledge of ZK cryptography, hacking skills and problem solving.

News

  • Green light to new rules for tracing transfers in the EU.

  • Unknown Exploit Drained $10 Million From Crypto Wallets Since December.

  • Safemoon Hacker Strikes Deal With Developers to Return $7.1M.

  • CoinJoin service will censor certain Bitcoin UTXOs.

  • Subway-themed trading bot makes millions using ‘sandwich’ attacks.

Crime

  • Thodex CEO arrested in Turkey after 2 years on the run.

  • Ryuk Ransomware Gang’s Crypto Broker Gets Light Sentence After a Guilty Plea.

  • Men dressed as workers used zip ties on Durham seniors, stole cryptocurrency.

Scams

  • Beware of WalletConnect Phishing Risks in Web3 Wallets by SlowMist.

  • Reports of a new transaction pollution attack on EVM chains by Tal Be’ery.

  • Mad Labs employed a honeypot to lure NFT minting bots.

Hacks

  • On April 17, 2023 DeFiGeek Japan was hit with a price oracle manipulation exploit resulting in the loss of $20k.

  • On April 19, 2023 OceanLife lost $11k in a price oracle manipulation exploit.

  • On April 19, 2023 Tales of Elleria lost $280k due to private key theft.

  • On April 20, 2023 Unlock Protocol lost $35k due to faulty function access control.

  • On April 20, 2023 Elastic BNB lost $10k due to a price oracle manipulation exploit.

  • On April 22, 2023 Trust Wallet announced a weak key generation vulnerability in its browser extension which was already used to steal $170k.

  • On April 23, 2023 FilDA lost $700k due to a price oracle manipulation exploit. About $400k have since been returned and/or recovered.

  • On April 23, 2023 KuCoin’s Twitter account was compromised and used in a phishing campaign.

  • On April 23, 2023 UniSat Wallet experienced a double spend attack due to a vulnerability in its BRC-20 protocol.

Vulnerabilities

  • KyberSwap announced a potential vulnerability and advised LPs to withdraw.

  • Alchemist patched an access control vulnerability thanks to a responsible disclosure by Dacian.

  • Klaytn patched DoS and remote code execution vulnerabilities in their nodes' RPC interfaces thanks to a responsible disclosure by ChainLight.

  • A Blur NFT platform bug allows old bids to be accepted.

Malware

  • Chameleon: A New Android Malware Spotted In The Wild by Cyble mimics banking and crypto apps.

  • Threat Actors Rapidly Adopt Web3 IPFS Technology by Unit 42.

Contests

  • Solidity Riddles by RareSkills.

  • Security Challenges Factory for Starknet.

Media

  • Live Audit - Key Finance - Episodes 1-4 with Owen Thurm.

  • OpenSense - Research, Together.

Research

  • Euler Compromise Investigation - Part 1 - The Exploit by Heidi Wilder, Peter Kacherginsky, Anto Joseph.

  • Euler Compromise Investigation - Part 2 - The Redemption by Heidi Wilder, Peter Kacherginsky, Anto Joseph.

  • Benchmarking Smart-Contract Fuzzers by Valentin Wustholz.

  • Equivocation attacks in mev-boost and ePBS.

  • Security Concerns for Zero-Knowledge Proofs in Blockchain: A Comprehensive Guide by Numen.

  • Smart Learning to Find Dumb Contracts.

  • Schooling to Exploit Foolish Contracts.

  • Understanding Rug Pulls: An In-Depth Behavioral Analysis of Fraudulent NFT Creators.

  • Advanced Security Threat Modelling for Blockchain-Based FinTech Applications.

  • Delay Impact on Stubborn Mining Attack Severity in Imperfect Bitcoin Network.

  • The 7 Deadly Sins of Lending Protocols by Nick Ruck.

  • Solidity Smart Contract Attack Vectors by Quillhash.

  • Fuzzing Smart Contracts Yields this Research Team $100K+ in Bounties.

Tools

  • Announcing Smart Contract Fiesta: A Treasure Trove of Ethereum Smart Contracts by Zellic.

  • Profanity Brute-force - a tool that exploits the Profanity weakness to reconstruct the private key of a wallet generated with Profanity.

  • Slitherin - a collection of Slither detectors by the Pessimistic.io team.

  • ItyFuzz - Fast hybrid fuzzer for EVM, MoveVM (WIP), etc.

  • Daedaluzz is a tool for automatically generating benchmarks for smart-contract fuzzers.

  • Zeromev API allows you to get transaction level MEV summary data for the Ethereum blockchain.

  • DethCode - view the source of deployed Ethereum smart contracts in VS Code.

  • ZeroSeeker is a Rust-based command-line utility that generates Ethereum contract addresses with a specified number of leading or total zero bytes.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.


Premium Content

This post is for paid subscribers

© 2025 Peter Kacherginsky