Greetings!

This was not a good week for DeFi projects out there. $48M were stolen across 7 hacks, mass phishing campaigns, $33M rugpulls, and 0days targeting essential tools. We have a lot to cover, but first a note from our sponsor Cyfrin! A whole generation of security auditors got their first bounty thanks to their hard work building free classes, tools and projects. Their contributions to the blockchain security community are immense so I hope you will consider them for your next audit, bug bounty program, or just an ever growing resource of excellent content.

Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry. 

Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from the started security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-sourced rust-based static analyzer to help automatically detect bugs in your solidity codebase. 

Let’s start with DeFi compromises. There was a really unfortunate exploit on Ethereum and Arbitrum chains of Hedgey Finance. An attacker was able to trick vulnerable contracts into approving the transfer of $44.7M worth of assets by injecting malicious parameters into an overly trusting method. Below is the vulnerable snippet:

function createLockedCampaign(
bytes16 id,
Campaign memory campaign,
ClaimLockup memory claimLockup,
Donation memory donation
) external nonReentrant {

[..snip..]

// deposit tokens TransferHelper.transferTokens(campaign.token, msg.sender, address(this), campaign.amount + donation.amount);

[..snip..]

// withdrawal approval SafeERC20.safeIncreaseAllowance(IERC20(campaign.token), donation.tokenLocker, donation.amount);

In the above snippet, callers have complete control over campaign, claimLockup, and donation structs so they can set campaign.token and donation.tokenLocker to arbitrary values (e.g. USDC, attacker controlled contract). While calling the above method the attacker transfers some amount of tokens to Hedgey which also generates an approval for the donation.amount to an arbitrary address. In one exploit transaction, the attacker borrowed $1.3M from Balancer, deposited it to Hedgey, and in return got a $1.3M approval to an address they control.

The next part is what enabled the exploit. When cancelling the campaign, the contract withdraws deposited tokens, but never revokes the approval!

function cancelCampaign(bytes16 campaignId) external nonReentrant {
Campaign memory campaign = campaigns[campaignId];
require(campaign.manager == msg.sender, '!manager');
delete campaigns[campaignId];
delete claimLockups[campaignId];

// withdraw tokens
TransferHelper.withdrawTokens(campaign.token, msg.sender, campaign.amount);
emit CampaignCancelled(campaignId);
}

The attacker simply followed up with another transaction to withdraw $1.3M held by the contract prior to the exploit. Insufficient function parameter validation exploits are painful, but have an important lesson for developers:

Assume all user controlled input is tainted and designed to disable or steal assets from your protocol. It is hot lava that will burn you without proper care!

More phishing campaigns peddling credential and private key stealers by tricking folks who are interviewing or providing advisory services.

PSA: Never download and run executables on a non-isolated machines presented to your during job interviews, business or other calls. Consider using Virtual Machines and external file scanners like VirusTotal.

Another conviction this week of a DeFi attacker - Avi Eisenberg, a 28 year old crypto trader responsible for the Mango Markets hack. A few takeaways:

• Ransom aka “whitehat” agreements have no legal power. Mango Markets noted the agreement was made under duress and pressed charges.

• DeFi compromises involve many victims which could press separate charges. Prosecution used one such victim to illustrate the broad impact of the hack.

• Decentralized and autonomous nature of DeFi markets does not prevent various government agencies from pressing civil and criminal charges for market manipulation and fraud. In fact, the DoJ case criminal case was given precedence over the civil complaint by Mango Labs.

• The government will absolutely arrest you and put you on the plane the moment you step foot in an extradition country.

• “Code is Law” argument failed in court and will result in up to 20 years in jail.

• Going on podcasts or social media after the hack will not help you.

• The case will now set the precedent for similar trials in the future.

Attackers expecting no legal repercussions by negotiating a “bounty” with just the DeFi project should also reach out to every single user to make a similar agreement. Oh and also convince SEC, CFTC, and DoJ that your actions were legal. Worst case you could prepare an expensive legal defense with five lawyers for the 12 randomly selected jurors who will sleep through your arguments and convict you anyway. Good luck!

News were going around all week about iMessenger, WhatsApp, etc. 0days for sale. This created a lot of fear in folks ready to throw away their phones while locking themselves in an RF proof safe room. The reality is that 0days are available for sale at all times. Gray markets exist that actively research and acquire exploits to unpatched vulnerabilities to be sold to interested parties (mostly government and LE entities). As vulnerabilities get patched, bounties go out to make sure there is always one available in the arsenal. Below is a sample offering from one such company where iMessenger exploits can collect $2M+ and resold to buyers for even greater amounts:

What got everyone really scared is that the iMessenger exploit was made available for purchase on a dark market by entities beyond the usual pro-Western government and LE actors.

Some questions to think of when assessing the risk of someone using an 0day on you is the likelihood. Are you really that important that someone will burn a $2.5M exploit? Is there a cheaper way to compromise you or your org with SIM swapping, spear phishing or just embedding a malicious insider? Do you really believe the dark market ad is real when there are “gray” markets ready to bid on the exploit?

If you still think that you may be the target then you should focus on building resilient security controls such as using hardware wallets, multisigs, Yubikeys, etc. A single compromised phone should not ruin your organization.

The premium version of the newsletter includes additional coverage, PoCs, indicators for the hacks mentioned above as well as Grand Base, Hackathon, Mars, and others.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!