Greetings!
The Feed Every Gorilla (FEG) project was attacked twice in just two days. Could the second attack (and another ~$2M in losses) have been prevented, given that it used the same exploit vector? This week also featured yet another cross-chain bridge compromise, more phishing attacks (sorry Seth), and a mass NFT Discord compromise after a popular bot got hacked. Oh, and be sure to check out another detailed account of a North Korean actor trying to land an inside job at a DAO.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
News
U.S. issues charges in first criminal cryptocurrency sanctions case.
Indexed Finance hacker refuses to give back his millions.
TRM Labs along with Circle, Binance, AAVE, and others launched Chainabuse, a crowdsourced aggregator of cryptocurrency scams.
Ethereum raises bug bounty to $250K ahead of merge.
Scams
Phishing scam uses Beeple’s Twitter to steal $400k in crypto and NFTs.
Actor Seth Green is on Twitter trying to reclaim a stolen Bored Ape.
Fake crypto sites lure wannabe thieves by spamming login credentials.
Elon Musk deep fakes promote new BitVex cryptocurrency scam.
North Korean scammer/hacker job application thread.
Hacks
On May 15, 2022 the FEG project lost $1.3M on BSC due to insufficient validation of a function parameter combined with a reward manipulation vulnerability.
On May 16, 2022 the FEG project was attacked again and lost another $1.9M to a similar exploit on both BSC and Ethereum.
On May 17, 2022 a compromise of the Mee6 bot led to fake mint phishing messages being posted on the Discord servers of Axie Infinity, Moonbirds, and others.
On May 18, 2022 the QANplatform bridge lost $650K in what appears to be a signature service compromise.
On May 18, 2022 the Feminist Metaverse project lost $540K as a result of a reward manipulation exploit.
On May 21, 2022 bDollar lost $730K in a price manipulation exploit. Curiously, the exploit was front-run by an MEV bot.
Vulnerabilities
Wormhole patched a critical uninitialized proxy vulnerability after it was responsibly disclosed by satya0x for which he received a $10M reward.
Malware
Contests
More EVM puzzles by daltyboy11.
Research
Security Analysis of DeFi: Vulnerabilities, Attacks and Advances.
A New Era of State-Backed DeFi Blackhats Is Upon Us by Immunefi.
Wait, It's All Layer Zero? by Laurence Day.
Simple Security Toolkit a collection of practical security-focused guides and checklists for smart contract development, assembled by the Nascent team.
Exploit weak PRNG in smart contract with a PoC by Halborn.
Smart Contract Vulnerability — Rollback Vulnerability by TriathonLab.
The collision of traditional security and Web3 IPFS security by Knownsec.
Premium Content