Greetings!

This week features concerning news about hardware wallets. Ledger is planning to add a feature which can extract private keys great for backups and government subpoenas while security researchers are dissecting circulating maliciously backdoored Trezor wallets. If that didn’t get you worried, then you should immediately upgrade your KeePass software because a public PoC was published to extract your master password from memory.

The one notable exploit this week involved an attack on Tornado Cash’s governance staking contract. Previous governance attacks involved either forced votes using flashloans (e.g Beanstalk) or simply submitting a malicious proposal and hoping that no one would notice. However, this exploit is the first known governance attack using a metamorphic contract or “Wild Magic” as described by Jason Carver back in 2019 to trick DAO’s governance. While the total compromised amount is only average ($3.2m stolen), the hack opens a pandora’s box for other governance protocols which should be on a lookout for any proposals that can self-destruct or otherwise modify their behavior.

Detailed indicators for the above and other incidents this week are available in the premium section below.

On the bright side, this edition features far more patched vulnerabilities and research papers than hacks which I hope you can use to strengthen your defenses.

Let’s dive into the news!

News

• Ledger Crypto Wallet Under Fire Over Seed Phrase Recovery Service. The incident raised questions about trust assumptions made on hardware wallets.

• The Secret Service says blockchain is an ‘amazing opportunity’ to track money; it also has an NFT collection.

• U.S. Sanctions Watchdog Alleges Russia-Linked Crypto Wallet Processed $5M.

• Inside The World Of Crypto Exchange Hacks.

Scams

• Discovering Scammer Networks with Machine Learning by Forta.

• Serial Phishing Scammer Uses a Mix of Laundering Techniques, Including Coin Swaps and a Mysterious OTC.

• Ongoing permit phishing attack nets bad actors $37m+ on Ethereum.

• Examining Permit Signatures: Is Phishing of Tokens Possible via Off-Chain Signatures?

• $5.9 Million Stolen By Scam as a Service Provider Called Inferno Drainer.

• Reports of a new phishing scam on Discord targeting crypto ecosystem.

• Swaprum pulled a $3m rug on Arbitrum.

Hacks

• On May 20, 2023 Tornado Cash DAO lost $3.2m as a result of a governance attack using a metamorphic proposal. Interestingly, the DAO detected one of the exploit preparation steps but failed to find the malicious proposal.

Other Incidents

• On May 19, 2023 AAVEv2 on Polygon broke WETH, WBTC, USDT, and WMATIC pools as a result of a governance proposal compatibility issues specific to the Polygon network deployment.

Vulnerabilities

• KeePass vulnerability allows attackers to access the master password. A PoC master password dumper is now publicly accessible.

• Zellic reported a critical vulnerability in all Move-based L1 including Aptos, Sui, Starcoin, and 0L. The vulnerability allowed attackers to bypass locals safety and reference verifier a critical control ensuring flash loans are paid back.

• Ethereum network patched a responsibly disclosed vulnerability which could trick a node into syncing with a malicious chain called SNaP Attack by its creators.

• Stride chain patched a vulnerability in how it interacted with untrusted IBC packets which could allow funds theft. The vulnerability was responsibly disclosed by Jump security researcher Neeraja Jayakumar.

• Critical vulnerabilities reported in Morpho Labs and a minor in AAVEv3 by StErMi.

• Kucoin patched an information leak vulnerability in their Zendesk API which included PII, session tokens, and other critical data thanks to a responsible disclosure by Corben. Kucoin paid a $5k bounty for this which sets their value for their users’ data.

• EOS patched a critical vulnerability in EOS EVM which could allow draining of the the EOS EVM contract.

• Yield Protocol disabled the protocol following a responsible disclosure of a vulnerability in their strategy contracts.

• Enzyme Finance patched a privilege check vulnerability thanks to a responsible disclosure by rootrescue.

Malware

• Case study: fake hardware cryptowallet by Kaspersky dissects a sample backdoored Trezor Model T.

• 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency.

Contests

• Trust Chain CTF.

• Huff Puzzles by RareSkills.

• Code is Law 2 by Oren Yomtov.

Media

• Optimizing a 51% Attack with Justin Drake.

• All about Smart Contract & DApp Auditing with Oliver (Zellic).

• How to not get hacked and other security lessons learned with Riyaz Faizullabhoy and Nass Eddequiouaq (a16z).

• Smart Contract Auditing with 0xWeiss.

• yAcademy Block V Speakers:

  • Fabrizio Genovese - Economic Modeling and Soundness of Systems.

  • Zach Obront - Interview & AMA.

  • Devtooligan - Things I wish I knew before starting yAcademy.

Research

• OSWAR - Open Standard Web3 Attack Reference.

• 6 security sins of Web3 bridges by Damian Rusinek.

• Catch me if you can! Learning about edge cases of Solidity's try/catch while I explored Account Abstraction by matta.

• solc Internals Part 1: Calling Conventions by Tal.

• DeFi Lending Concepts Part 1 2 3 by Tal.

• Demystifying Solidity’s call and delegatecall functions: Understanding the Differences and Security Pitfalls by Sergio Mazariego.

• Market Manipulation vs. Oracle Exploits by Chainlink.

• How To Find XSS Vulnerabilities In NFT Marketplaces by Immunefi.

• The Notorious B.U.G. 👑 Digests January - March 2023 by OpenZeppelin.

• MistTrack Case 02: Wasabi Coinjoin Withdrawal Analysis by Slowmist.

• Velas Infinite Mint PoC by Oren Yomtov.

• Smart Contracts Audits Checklist by tamjid0x01.

• Exploring Solodit — The Smart Contract Auditor Swiss Army Knife by Johnny Time.

• Smart Contract Security by Jeffrey Scholz (RareSkills).

• List of Hardware Wallet Hacks by TheCharlatan.

• Time is Money: Strategic Timing Games in Proof-of-Stake Protocols.

• SoK: Decentralized Finance (DeFi) Attacks.

• Clockwork Finance: Automated Analysis of Economic Security in Smart Contracts.

• Tyr: Finding Consensus Failure Bugs in Blockchain System with Behaviour Divergent Model.

• Partitioning Ethereum without Eclipsing It.

• LOKI: State-Aware Fuzzing Framework for the Implementation of Blockchain Consensus Protocols.

• BlockScope: Detecting and Investigating Propagated Vulnerabilities in Forked Blockchain Projects.

Tools

• Uniswap Governance Seatbelt tools that make on-chain governance safer, including automated scripts that apply checks to live proposals to allow for better informed voting.

• Pyrometer Beta Release a tool to assist in verifying Solidity functions do what the developer thinks they do.

• Sourcegraph Smart Contract Sanctuary by tincho.

• Ziion 23.2 Release by Halborn.

• Echidna 2.2.0 Release by Crytic.

• Solodit smart contract audit report repository.

• Contract Diff Tool by x48115.

• contract-diff.xyz helps to find differences in contract forks using SimHashes.

• Online ABI Encoder by HashEx.

• Function Selector Miner by Kaden Zipfel.

• Nocturne: Your Gateway to Private Transactions.

• Solidity Sandbox by maurelian.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content

Indicators

OFAC

Ethereum: 0x38735f03b30fbc022ddd06abed01f0ca823c6a94

HitBTC Phishing

BTC: 3BvQyAZwBXxk7rEStd6burfQgQ5AD2FFsq
Tron: TCV1cN2iRG1F1NHwr3GnujhNkEbBoXdZs8
Ethereum: 0xB59299A0F15a282Bfc671BC0c2231184292C01b1
Ethereum: 0xdc961cF2F71dd0ab4f83eA294dBfEF1970ae15c6