BlockThreat - Week 17, 2024
xBridge | Pike | xBank | Yiedl | NGFS | Z123 | Ember Sword | Magpie | X-413 | Velvet
Greetings!
Never a dull week in blockchain security! More than $3.6M was stolen this week across 11 incidents, alongside renewed enforcement actions targeting privacy tech, SEC fines exceeding the GDPs of small island nations, and the latest news on phishing campaigns. We have a lot to discuss, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from starting security researchers to the top bug-hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-source, Rust-based static analyzer that helps automatically detect bugs in your Solidity codebase.
There is a concerning rise in exploits caused by incomplete contract initialization. As contract complexity and configurability grow, it is critical not to forget settings that, if left unset, may allow attackers to steal funds. Three different projects were compromised, each under unique conditions that triggered the bug:
Ember Sword's contracts were never fully initialized, allowing attackers to take ownership and steal approved funds. $195K lost.
The NGFS token forgot to initialize one critical variable, allowing attackers to set it to an address they control. $190K lost.
Next week’s Pike Finance emergency upgrade, following an earlier compromise, caused storage misalignment and reset the initialized variable. Attackers took over contract ownership and performed a malicious upgrade. $1.6M lost.
PSA: Please review your smart contracts and deployment scripts to ensure all initializable settings are set, immutable, and properly protected.
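The three failure modes above (initialize() never called, one setting left unset, and an upgrade that reorders storage and zeroes the initialized flag) share one defensive pattern. The following is an added illustration, not code from Ember Sword, NGFS, Pike Finance or any other project mentioned here; it assumes OpenZeppelin's ERC1967Proxy and Foundry's forge-std as dependencies, and the contract names, settings and test values are all constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies (not part of the newsletter): OpenZeppelin's ERC1967Proxy
// and Foundry's forge-std test harness.
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

// The weak pattern: the logic contract sits behind a proxy, so a constructor
// cannot set up the proxy's storage and setup moves into initialize(). But
// nothing records that initialize() ran, nothing blocks a second call, and
// nothing forces the deployer to call it at all.
contract VaultUnguarded {
    address public owner;
    address public feeRecipient;

    function initialize(address owner_, address feeRecipient_) external {
        owner = owner_;
        feeRecipient = feeRecipient_;
    }
}

// The guarded pattern: a one-shot flag, a locked implementation, and an
// explicit "is everything set?" view that deployment scripts and monitors
// can assert on.
contract VaultGuarded {
    // Lives in the first storage slot. Upgrades must keep the layout stable
    // (append new state variables, never reorder): if a new layout overlays a
    // zeroed slot here, initialize() silently reopens, which is the failure
    // mode described for the Pike Finance upgrade above.
    uint8 private _initialized; // 0 = not yet, 1 = done, 255 = permanently disabled
    address public owner;
    address public feeRecipient;

    // Runs only in the implementation's own storage (never via the proxy),
    // so nobody can initialize and take over the bare implementation.
    constructor() {
        _initialized = type(uint8).max;
    }

    modifier initializer() {
        require(_initialized == 0, "already initialized");
        _initialized = 1;
        _;
    }

    function initialize(address owner_, address feeRecipient_) external initializer {
        // Reject partial configuration: every setting the contract depends on
        // must be supplied here, or the call fails loudly.
        require(owner_ != address(0), "owner required");
        require(feeRecipient_ != address(0), "feeRecipient required");
        owner = owner_;
        feeRecipient = feeRecipient_;
    }

    // Post-deployment invariant: true only when the flag is set AND every
    // critical setting is non-zero. A forgotten variable shows up here.
    function isFullyInitialized() external view returns (bool) {
        return _initialized == 1 && owner != address(0) && feeRecipient != address(0);
    }
}

// Foundry tests asserting the deployment invariants.
contract VaultInitTest is Test {
    VaultGuarded internal impl;
    VaultGuarded internal vault;

    function setUp() public {
        impl = new VaultGuarded();
        // Initialize atomically in the proxy constructor so there is no window
        // between deployment and initialization.
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl),
            abi.encodeCall(VaultGuarded.initialize, (address(this), address(0xFEE)))
        );
        vault = VaultGuarded(address(proxy));
    }

    function test_ProxyFullyInitialized() public {
        assertTrue(vault.isFullyInitialized());
        assertEq(vault.owner(), address(this));
    }

    function test_CannotReinitialize() public {
        vm.expectRevert(bytes("already initialized"));
        vault.initialize(address(0xBAD), address(0xBAD));
    }

    function test_ImplementationLocked() public {
        vm.expectRevert(bytes("already initialized"));
        impl.initialize(address(this), address(0xFEE));
    }

    function test_UnguardedAcceptsPartialSetup() public {
        // The unguarded version accepts a half-done setup without complaint.
        VaultUnguarded weak = new VaultUnguarded();
        weak.initialize(address(this), address(0));
        assertEq(weak.feeRecipient(), address(0));
    }
}
```

The same isFullyInitialized() check belongs at the end of the deployment script (a require after broadcasting) and in post-upgrade monitoring, so that a storage-layout regression that zeroes the flag is caught before anyone else notices it.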
The next wave of enforcement actions is targeting privacy tech. This time Samourai wallet developers were arrested and charged with money laundering. Wasabi and other wallets with privacy features are exiting the U.S. market or shutting down altogether. Could there be a happy medium that prevents large laundering operations while allowing regular folks to protect their on-chain privacy? So, paraphrasing Louis L'Amour’s famous words:
when on-chain privacy is outlawed only the outlaws will have on-chain privacy.
In other news, Nigeria continues throwing the book at Tigran Gambaryan, Binance’s head of compliance, holding him solely responsible for the laundering of $35.4M, including charges from his Kenyan colleague who literally bribed his way out of prison. Things became a bit clearer about what’s going on following one official’s demand for a $10B fine, as well as a more in-depth timeline of events which mentions “unknown persons who suggested to them to make a payment in settlement of the allegations” following a meeting with Nigerian officials. Bribery is the norm in some parts of the world, but no one wants a repeat of the FTX Chinese bribe fiasco, so this route was a no-go. A month later, Tigran was invited to a “friendly” meeting in Nigeria and promptly arrested, which just happened to be a few weeks after the record $4.3B settlement with the U.S. government in February.
The premium version of the newsletter includes additional coverage, PoCs, indicators for the hacks mentioned above as well as xBridge, xBank, Yiedl, NGFS, Z123, Ember Sword, Magpie, and other compromises.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Wasabi Wallet Developer Blocks U.S. Citizens and Residents After Samourai Wallet Arrests.
Leaked Personal Info of Over 5 Million Salvadorans Apparently Linked to Chivo Wallet. The leak included partial wallet source. Salvadoran officials dismissed news of the breach.
Lazarus Group’s favorite exploit revealed — Crypto hacks analysis.
Crime
Samourai Wallet Founders Arrested and Charged With Money Laundering. The indictment alleges $100M in laundered assets. The arrest and seizure of backend sync servers may have privacy implications on past mixes.
The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider.
Jebara Igbara, AKA 'Jay Mazini,' Sentenced to 7 Years in Prison for Crypto-Related Fraud.
Policy
Two SEC Lawyers Resign After Agency Censured for Abuse of Power in Crypto Case.
New powers to seize cryptoassets used by criminals go live by UK’s NCA.
Phishing
Burnout: Inferno Drainer’s multimillion-dollar scam scheme detailed by Group-IB.
Tinkering around Inferno Drainer by HarukaMa.
Lazarus Linkedin malware analysis by 23pds (SlowMist).
Unveiling a New Scam: Malicious Modification of RPC Node Links to Steal Assets by SlowMist.
Reports of watering hole campaign targeting vulnerable WordPress sites by SlowMist.
Developers recover $200,000 in crypto from compromised wallet.
My traumatic Apple ID hack showed pitfalls of centralized identity by Amro Shihadah.
Scams
“Buy Toncoin and invite your friends”: how scammers promise big earnings with cryptocurrency by Kaspersky.
Malware
Contests
Codehawks - First Flights challenges.
Media
The Block - Euler co-founder reflects on $195m hack and how DeFi protocols are becoming more robust.
Research
Optimism Fraud Proof vulnerability reports by Offchain Labs (Arbitrum).
Manual vs AI Smart Contract Auditors : Winning Journey by Nirlin Security.
SEALing Crypto Security: A Web3 Information Sharing and Analysis Center (ISAC) by Kelsie Nabben.
Automated Attack Synthesis for Constant Product Market Makers.
Demystifying Invariant Effectiveness for Securing Smart Contracts.
Large Language Models for Blockchain Security: A Systematic Literature Review.
Tools
Create Chimera App - Foundry template that lets you bootstrap a fuzz testing suite using the scaffolding provided by the Recon tool, by Recon-Fuzz. It extends the default Foundry template used when running forge init to include example property tests using assertion tests and boolean property tests supported by Echidna and Medusa.
Immunefi-terminal - The only crypto bug bounty terminal you'll ever need by shortdoom.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content