BlockThreat - Week 2, 2024
SEC | CoinGecko | Wise Lending | bit24 | Solana
Mass X account compromises continue, with the SEC getting hacked and the fallout causing volatile market movements. The reported attack vector was a lack of 2FA and a SIM-swapped phone number associated with the account. If only they had followed the Twitter Security Self-Audit by the good folks at Security Alliance. Did you?
The Solana network is experiencing a rise in drainer and airdrop phishing attacks, all too familiar in the EVM world.
Only one notable and highly sophisticated DeFi compromise this week, targeting the Wise Lending protocol.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
A rare, relatively quiet week. Hope you can catch up on all of the excellent research articles in this week’s edition. Oh, and be sure to check out an excellent talk on bug bounty programs and security researchers in traditional security to see where we are going as cryptocurrency becomes an integrated part of the world’s financial systems.
Let’s dive into the news!
Curta CTF Puzzle by @ret2jazzy on Base - January 15th, 2024.
TrustSec team member HE1M and his spouse were caught cheating in the zkSync contest. Insider threats happen, and HE1M was swiftly let go following an internal investigation. Are you on the lookout for bad actors in your midst?
Web3 Hack Post-Mortem 2023 by Chainlight. Password: duediligence.
Here’s Some Bitcoin: Oh, and You’ve Been Served! by Brian Krebs. A creative way to serve summons in OP RETURN, although unlikely to succeed.
Hacking AICoincom phishing operation by Chaofan Shou.
Over $4 Million Stolen By Multiple Solana Wallet Drainers by Scam Sniffer.
Apple iCloud: Doing this 1 thing can help stop hacks by Matt Gleason (a16z Crypto).
Google Security Self-Audit by Security Alliance.
Info-stealers can steal cookies for permanent access to your Google account by Pieter Arntz (Malwarebytes Labs).
$32M Stolen: Over 1,300 Fake Tokens Rugged investigation by Pablo Sabbatella (Blockfence).
Narwhal Incident Report by CertiK.
Apache Applications Targeted by Stealthy Attacker by Nitzan Yaakov, Assaf Morag (Aqua).
You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance by Stiv Kupchik (Akamai).
Zero to Hero Money Hacking Roadmap with Stephen Sims. Bug bounty programs, exploit markets, security researchers, and other lessons from the traditional security world, which has been doing this for decades.
Immunefi <> Zellic <> Scroll on cybersec 2024 trends X Space by Immunefi.
Video-Based Cryptanalysis: Recovering Cryptographic Keys from Device Using Video of Power LED by Etay Iluz, Ben Nassi (Ben-Gurion University of the Negev).
MEV Crash Course by Uttam Singh.
War & Peace: Behind the Scenes of Euler’s $240M Exploit Recovery by Michael Bentley (Euler).
Permission denied - The story of an EIP that sinned by Trust Security.
Astar Network Integer Truncation Error Bugfix Review by Immunefi.
Security Review Readiness Guide by Spearbit.
Solana dApp Security Roadmap by Rektoff.
What Are Elliptic Curve Pairings? by Malte Leip (Zellic).
Wasmcov - Automated coverage analysis of WASM executables on embedded, blockchain, and other constrained environments.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.