Greetings!
Busy week with 7 compromises netting more than $1.5M for bad actors. Clear attack patterns emerged this week with someone clearly specializing in one type of exploit to target as many protocols as possible. Let’s look at them more closely, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from beginning security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-source, Rust-based static analyzer that helps automatically detect bugs in your Solidity codebase.
Multiple projects were exploited due to not properly protecting sensitive methods:
Perpy Finance - broken proxy deployed allowed arbitrary. $130K stolen.
Galaxy Fox - unverified (no published source) contract exposed an internal method. $330K stolen.
Tsuru - arbitrary mint through an exposed onERC1155Received method. $410K stolen.
Tracing funds from Perpy and Tsuru attackers clearly shows they are the same actor which exploited two different projects using the same attack vector. That’s interesting since it shows attackers specializing in a particular exploit type.
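The common thread above is a privileged state change reachable by any caller. The following is an added, constructed illustration of that pattern and its fix; it is not the Tsuru, Galaxy Fox or Perpy code, and the contract and variable names are assumptions. A token-receiver hook credits balances on receipt, but nothing checks that the caller is the trusted ERC-1155 contract, so the `value` argument is whatever the caller passes. The hardened version pins the caller and the accepted token id, and keeps the crediting logic in an `internal` function so it cannot be invoked from outside.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: an ERC-1155 receiver hook used as a balance/mint
// entry point. Not the code of any protocol named in this issue.

interface IERC1155Receiver {
    function onERC1155Received(
        address operator, address from, uint256 id, uint256 value, bytes calldata data
    ) external returns (bytes4);
}

contract VulnerableReceiver is IERC1155Receiver {
    mapping(address => uint256) public balanceOf;

    // Defect: any EOA or contract can call this directly. There is no check
    // that msg.sender is the token contract, so `from` and `value` are
    // caller-controlled and the credit is an arbitrary mint.
    function onERC1155Received(
        address, address from, uint256, uint256 value, bytes calldata
    ) external override returns (bytes4) {
        balanceOf[from] += value;
        return IERC1155Receiver.onERC1155Received.selector;
    }
}

contract HardenedReceiver is IERC1155Receiver {
    address public immutable trustedToken; // assumed: the one ERC-1155 we accept
    uint256 public immutable acceptedId;   // assumed: the one token id we accept
    mapping(address => uint256) public balanceOf;

    event Credited(address indexed from, uint256 value);

    constructor(address token, uint256 id) {
        require(token != address(0), "token required");
        trustedToken = token;
        acceptedId = id;
    }

    // The hook is still public by necessity (the token contract calls it),
    // but the caller and the asset are pinned before any state changes.
    function onERC1155Received(
        address, address from, uint256 id, uint256 value, bytes calldata
    ) external override returns (bytes4) {
        require(msg.sender == trustedToken, "untrusted caller");
        require(id == acceptedId, "unexpected token id");
        _credit(from, value);
        return IERC1155Receiver.onERC1155Received.selector;
    }

    // Privileged logic lives in an internal function: it cannot be reached
    // except through the guarded hook, which is the visibility mistake the
    // "exposed internal method" incidents above turn on.
    function _credit(address from, uint256 value) internal {
        balanceOf[from] += value;
        emit Credited(from, value);
    }
}
```

A quick audit check for this class of bug: list every external or public function that writes to balances, supply or ownership, and for each one name the `require` or modifier that restricts who may call it. Any hook that the spec forces to be public (`onERC1155Received`, `onERC721Received`, fallback functions, proxy admin entry points) belongs on that list too.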
North Korean state actors have been busy with the latest malware variants and lures for crypto developers looking for the next gig. One such campaign utilized malicious code repos hosted on Github, Gitlab, Bitbucket, and others to entice victims to download and run malware as part of the interview “challenge”. Check out Phishing and Malware sections for more details.
The premium version of the newsletter includes additional coverage, PoCs, indicators for the above mentioned protocols as well as Bloom, OSN Token, GPU, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out Mitchell Amador’s retrospective on running the first and largest crypto bug bounty program for the last three years. Let’s dive into the news!
Crime
Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator. Analysis by Brian Krebs reveals a long chain of open source breadcrumbs linking Dmitry to the LockBitSupp handle.
BTC-e Operator Alexander Vinnik Pleads Guilty to Money Laundering Conspiracy Charge.
Pair linked to crypto investor kidnapping hand themselves in.
US crypto entrepreneur arrested in Dubai alleges torture by police.
Policy
Phishing
Recruitment Trap for Blockchain Practitioners: Analysis of Suspected Lazarus (APT-Q-1) Secret Stealing Operation by QiAnXin Threat Intelligence Center (original in Chinese).
ScamSniffer April 2024 Phishing Report. Significant decrease in losses from previous month. Base chain users appear to be the preferred target.
How Phishing Websites Bypass Wallet Security Alerts: Strategies Unveiled by BlockSec.
Address Poisoning Attacks by Etherscan.
Bitcoin podcaster secretly records Coinbase scammer’s confession.
Scams
Malware
North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms.
New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs.
Media
ETHDam 2024 Conference (lots of focus on privacy):
ChainSecurity - Matthias Egli - Reentrancy in Cancun hardfork: curious case of EIP1153.
Auditors & Bounty Hunters: who should secure your bags? Panel with Oliver Hörr from hats.finance, Gonçalo Magalhães (gmhacker) from Immunefi, Erik Arfvidson from Euler Finance, and Josselin Feist from Trail of Bits.
Sherlock - What is security in Web3 with Dan.
Privacy: Past, Present and the Post Quantum World - Dr. David Chaum.
Obscura | R. Ramirez - Privacy by Design: secure leaderboards with zk proofs on Aleo.
Navigating Privacy & Scaling Explorations. Panel Vivian Plasencia, Tyler AtHeartEngineer, Hendrik Eeckhaut, and Sam Richards.
Securing Secrets: Inside the Privacy Infrastructural Realm. Panel with GuruT from Waku, Alex Zaidelson from Secret Network, Haischel Dabian from Obscura, and Oliver Gale from Panther Protocol.
Frontiers in Privacy and Usability. Panel with Harry Roberts from Oasis, Captain McAteer from Firn Protocol, Mihai Scarlat from Ocean Protocol.
Workshop | Oliver Smith | Ask a Lawyer! Web3 Privacy Workshop.
EVM & Yul programming course. BONUS geth node implementation part I and part II by deliriusz.
Rosario’s Way - Mastering Solidity: A Deep Dive into Contracts.
Research
Preventing crypto armageddon: A Retrospective on Immunefi, 3 years later by Mitchell Amador.
Enabling a Collaborative Collective to Improve Security in Web3 by Herman Junge.
DoS via malicious p2p message in Geth <1.13.15.
DAS fork-choice attacks by EF.
TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak by Leviathan.
Tools
Betterscan is a security tool designed to parse, analyze, and display data from any EVM-based smart contracts. Developed by shortdoom.
Reth Execution Extensions. Post-execution hooks.
The go-ethereum live tracer by Marius Van Der Wijden.
Etherscan converter tools.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content