BlockThreat - Week 17, 2024
xBridge | Pike | xBank | Yiedl | NGFS | Z123 | Ember Sword | Magpie | X-413 | Velvet
Greetings!
Never a dull week in blockchain security! This week brought more than $3.6M stolen across 11 incidents, renewed enforcement actions targeting privacy tech, SEC fines exceeding the GDPs of small island nations, and the latest news on phishing campaigns. We have a lot to discuss, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from beginning security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-source, Rust-based static analyzer to help automatically detect bugs in your Solidity codebase.
There is a concerning rise in exploits caused by incomplete contract initialization. As contract complexity and configurability grow, it is critical not to forget settings which may allow attackers to steal funds. Three different projects were compromised, each with unique conditions which triggered the bug:
Ember Sword’s contracts were never fully initialized, allowing attackers to take ownership and steal approved funds. $195K lost.
The NGFS token forgot to initialize one critical variable, allowing attackers to set it to an address they control. $190K lost.
Next week’s Pike Finance emergency upgrade, following an earlier compromise, caused storage misalignment and reset the initialized variable. Attackers took over contract ownership and performed a malicious upgrade. $1.6M lost.
PSA: Please review your smart contracts and deployment scripts to ensure all initializable settings are set, immutable, and properly protected.
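To make the bug class concrete, here is an added Solidity example (not code from Ember Sword, NGFS, Pike, or Cyfrin) that contrasts a hand-rolled initialization flag with the OpenZeppelin Initializable pattern; it assumes OpenZeppelin Contracts Upgradeable v5 and uses hypothetical contract names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; assumes OpenZeppelin Contracts Upgradeable v5 is installed.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// WEAK PATTERN: a hand-rolled flag. If the deployment script never calls
/// initialize(), the first caller becomes owner. If a later version inserts a
/// variable ahead of `initialized`, the flag is read from a different slot and
/// may silently read as false again, letting initialize() be replayed.
contract VaultV1Weak {
    address public owner;
    bool public initialized; // packed into slot 0 next to owner

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner; // no access control: whoever calls first wins
    }
}

/// HARDENED PATTERN: OpenZeppelin's Initializable tracks the version in a
/// dedicated (ERC-7201 namespaced) slot, the implementation locks itself in
/// the constructor, and every setting is assigned inside the guarded call.
contract VaultV1 is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public feeBps;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // the logic contract itself can never be initialized
    }

    function initialize(address _owner, uint256 _feeBps) external initializer {
        __Ownable_init(_owner);    // owner is set atomically with everything else
        __UUPSUpgradeable_init();
        require(_feeBps <= 10_000, "fee out of range"); // reject forgotten/zeroed config
        feeBps = _feeBps;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// V2 only APPENDS state after existing variables and uses reinitializer(2),
/// so initialize() cannot be replayed and existing slots are not shifted.
contract VaultV2 is VaultV1 {
    uint256 public withdrawLimit; // appended after feeBps, never inserted before it

    function initializeV2(uint256 _limit) external reinitializer(2) onlyOwner {
        withdrawLimit = _limit;
    }
}
```

After deploying the proxy, the deployment script should assert that `owner()` and each configured value match the intended settings before any funds are approved to the contract.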
Next wave of enforcement actions targeting privacy tech. This time Samourai wallet developers were arrested and charged with money laundering. Wasabi and other wallets with privacy features are exiting the U.S. market or shutting down altogether. Could there be a happy medium of preventing large laundering operations while allowing regular folks to protect their on-chain privacy? So, paraphrasing Louis L'Amour’s famous words:
When on-chain privacy is outlawed, only the outlaws will have on-chain privacy.
In other news, Nigeria continues throwing the book at Tigran Gambaryan, Binance’s head of compliance, holding him solely responsible for the laundering of $35.4M, including charges from his Kenyan colleague who literally bribed his way out of prison. Things became a bit clearer on what’s going on following one official’s demand of a $10B fine, as well as a more in-depth timeline of events which mentions “unknown persons who suggested to them to make a payment in settlement of the allegations” following a meeting with Nigerian officials. Bribery is a norm in some parts of the world, but no one wants a repeat of the FTX Chinese bribe fiasco, so this route was a no-go. A month later, Tigran was invited to a “friendly” meeting in Nigeria and promptly arrested, which just happened to be a few weeks after the record $4.3B settlement with the U.S. government in February.
The premium version of the newsletter includes additional coverage, PoCs, indicators for the hacks mentioned above as well as xBridge, xBank, Yiedl, NGFS, Z123, Ember Sword, Magpie, and other compromises.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!