Greetings!
Only three hacks this week, but they still caused the same $3M in losses. It has been a slower week, so we can finally catch up on fantastic research and tools, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from beginner security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-source, Rust-based static analyzer to help automatically detect bugs in your Solidity codebase.
Let’s start with Pike Finance, which we first mentioned last week. The project was compromised yet again. Some really concerning observations from the two hacks:
The initial April 26th vulnerability had been identified by an auditor, but according to the project it was not patched in a “timely manner”. Audits normally happen prior to going live, so the issue was likely identified before the launch two days earlier. Why did the contract go live with a known critical bug? Contracts with a known critical vulnerability should not go live, and should be paused immediately upon learning of one, until the patch is developed, tested, and applied.
The second exploit, on April 30th, happened 6 minutes after the upgraded smart contract was deployed. The upgrade overwrote the initialized flag and allowed the attacker to take ownership and steal all assets. It takes time to respond to an incident, develop an upgrade, and get it properly audited. Normally projects take weeks to months to relaunch. However, Pike Finance upgraded just days after the hack. Take time to properly test and audit all changes and upgrades to your smart contracts, especially following a compromise.
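As an added illustration (this is not Pike Finance's code, and the newsletter does not detail the exact upgrade bug), here is one common way an upgrade behind a proxy ends up resetting an initialized flag: the new implementation inserts a state variable ahead of the existing ones, every later variable shifts down a slot, and `owner`/`initialized` now read a storage slot the proxy never wrote. All contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Pike Finance's code. Contract and variable names
// are hypothetical. All three contracts are meant to sit behind the same
// proxy, so storage lives in the proxy and is addressed purely by slot order.

// V1: `owner` (20 bytes) and `initialized` (1 byte) are packed into slot 0.
contract VaultV1 {
    address public owner;      // slot 0
    bool public initialized;   // slot 0 (packed after owner)

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

// V2 (broken): a new variable was inserted ABOVE the existing ones. Every
// later variable shifts down one slot, so `owner`/`initialized` now read
// slot 1, which the proxy never wrote: owner == address(0), initialized ==
// false, and initialize() is open to the first caller after the upgrade.
contract VaultV2Broken {
    uint256 public totalDeposits;  // slot 0: now aliases V1's owner+initialized
    address public owner;          // slot 1: reads as address(0)
    bool public initialized;       // slot 1: reads as false

    function initialize(address _owner) external {
        require(!initialized, "already initialized"); // passes a second time
        initialized = true;
        owner = _owner;                                 // attacker becomes owner
    }

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

// V2 (fixed): the V1 layout is kept verbatim and new state is appended, so
// the flag set in V1 still reads true after the upgrade. Upgrade-specific
// setup lives in a separate, versioned initializer restricted to the owner.
contract VaultV2Fixed {
    address public owner;          // slot 0, unchanged
    bool public initialized;       // slot 0, unchanged
    uint256 public totalDeposits;  // slot 1, appended
    uint8 private _version;        // slot 2, records which upgrade ran setup

    function initialize(address _owner) external {
        require(!initialized, "already initialized"); // still true post-upgrade
        initialized = true;
        owner = _owner;
    }

    function initializeV2() external {
        require(msg.sender == owner, "not owner");
        require(_version < 2, "v2 already initialized");
        _version = 2;
        totalDeposits = address(this).balance;
    }

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

The practical check before any upgrade is a storage-layout diff, not a code review alone: OpenZeppelin's Hardhat upgrades plugin (`upgrades.validateUpgrade(proxyAddress, VaultV2Factory)`) rejects exactly this kind of reordering, and its `Initializable` base gives you `initializer`/`reinitializer(n)` modifiers plus `_disableInitializers()` in the implementation constructor, so you are not hand-rolling the flag logic shown above.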
Almost $2M could have been saved if not for the project's repeatedly rushed actions in launching and later patching its smart contracts.
Speaking of easily preventable hacks, GNUS token lost $1.27M due to a private key leak; the key was obtained by bad actors in a separate Discord hack. Discord! Why on earth were private keys shared over such an insecure medium?
Address poisoning exploitation reached new levels after a record-breaking $72M was stolen. Bad actors continue evolving their tactics, from the early zero-value transfer phishing to now simply dusting their victims from look-alike addresses. Luckily most of the stolen assets were soon returned thanks to a detailed investigation by SlowMist. However, something tells me that the bad actor will continue the scheme for the foreseeable future.
PSA: Be wary of malicious wallet addresses injected into blockchain explorers or wallet transaction logs. Independently verify all addresses before sending.
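The two tactics above (zero-value transfers and dusting from look-alike addresses) share one signature: a counterparty that matches the first and last few hex digits of an address you actually transact with, which is all that explorers and wallets usually display. The following is an added example, not code from SlowMist or any project named here, of that check applied to a wallet's transfer history and as a pre-send guard. Every address and transfer in it is constructed for illustration and does not correspond to a real attacker wallet.

```python
"""Address-poisoning look-alike detector.

Added example for this newsletter issue; not code from SlowMist or any project
mentioned here. All addresses and transfers below are constructed for
illustration and are not real attacker wallets.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte hex address; reject anything else."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not an EVM address: {addr!r}")
    return a


def looks_alike(candidate: str, reference: str,
                prefix: int = 4, suffix: int = 4) -> bool:
    """True if the two addresses differ but share the leading and trailing hex
    digits that explorers/wallets typically display (e.g. 0xabcd...1234)."""
    c, r = normalize(candidate), normalize(reference)
    if c == r:
        return False
    return c[2:2 + prefix] == r[2:2 + prefix] and c[-suffix:] == r[-suffix:]


@dataclass
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    value_wei: int  # 0 for the "zero transfer" variant of the scam


def flag_poisoning(history: List[Transfer], me: str, trusted: Set[str],
                   dust_wei: int = 10**15) -> List[dict]:
    """Scan a wallet's transfers for counterparties that mimic a trusted
    address. One finding per suspicious transfer, tagged with the tactic."""
    me = normalize(me)
    trusted_n = {normalize(t) for t in trusted}
    findings = []
    for t in history:
        snd, rcv = normalize(t.sender), normalize(t.recipient)
        counterparty = rcv if snd == me else snd
        if counterparty in trusted_n:
            continue  # exact match: a genuine counterparty
        for ref in trusted_n:
            if looks_alike(counterparty, ref):
                tactic = ("zero-value transfer" if t.value_wei == 0
                          else "dusting" if t.value_wei < dust_wei
                          else "look-alike counterparty")
                findings.append({"tx": t.tx_hash, "address": counterparty,
                                 "mimics": ref, "tactic": tactic})
                break
    return findings


def warn_before_send(destination: str, trusted: Set[str]) -> Optional[str]:
    """Pre-send guard: exact trusted address -> None; look-alike -> warning.
    Anything else is simply unknown, which this check does not judge."""
    d = normalize(destination)
    trusted_n = {normalize(t) for t in trusted}
    if d in trusted_n:
        return None
    for ref in trusted_n:
        if looks_alike(d, ref):
            return f"{d} resembles trusted {ref} but is NOT it; verify every character"
    return None


# Constructed sample data (hypothetical addresses, not real wallets).
ME = "0x" + "f" * 40
TRUSTED = "0xabcd111122223333444455556666777788881234"
LOOKALIKE_A = "0xabcd999900009999000099990000999900001234"   # same 0xabcd...1234
LOOKALIKE_B = "0xabcddeadbeefdeadbeefdeadbeefdeadbeef1234"   # same 0xabcd...1234
UNRELATED = "0x" + "0" * 36 + "cafe"

SAMPLE_HISTORY = [
    Transfer("0x01", ME, TRUSTED, 5 * 10**18),   # genuine payment to a known address
    Transfer("0x02", LOOKALIKE_A, ME, 0),        # zero-value poisoning transfer
    Transfer("0x03", LOOKALIKE_B, ME, 10**12),   # dusting from a look-alike
    Transfer("0x04", UNRELATED, ME, 10**12),     # dust, but no resemblance: ignored
]

if __name__ == "__main__":
    for finding in flag_poisoning(SAMPLE_HISTORY, ME, {TRUSTED}):
        print(finding)
    print(warn_before_send(LOOKALIKE_A, {TRUSTED}))
```

The prefix/suffix width is deliberately the four characters most UIs truncate to; widen it if your wallet shows more, and feed `trusted` from an address book you maintain yourself rather than from the explorer's transaction list, since that list is exactly where the poisoned entries appear.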
The premium version of the newsletter includes additional coverage, PoCs, and indicators for the latest Pike Finance, GNUS, and Yield protocol hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh, and be sure to check out ZachXBT’s detailed write-up on Lazarus money laundering techniques in the Research section below. Let’s dive into the news!
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.