Greetings!
A tough week with losses definitely on the rise. More than $40M was stolen across 9 incidents caused by a wide array of attack vectors, from relatively rare signature malleability and DNS hijacking hacks to the usual private key theft and reentrancy. Let’s explore critical lessons and also some positive news from this week, but first a quick note from our sponsor Cyfrin!
Cyfrin is dedicated to helping scale smart contract security. Protocols looking for a private audit should reach out, but additionally, the team works on tools and platforms to scale security throughout the industry.
Cyfrin Updraft has the most watched smart contract development and security curriculum on earth. Cyfrin CodeHawks is the competitive audit platform for web3, for everyone from beginning security researchers to the top bug hunting masters. Solodit is the audit report aggregator to help you learn the top attack vectors being reported today. Aderyn is the open-sourced Rust-based static analyzer to help automatically detect bugs in your Solidity codebase.
Malicious insider incidents are rare but could be devastating to projects which don’t have controls limiting negative impact of one individual. This week featured two such incidents with unique timelines and outcomes:
Pump.fun. A newly hired developer went rogue after just a few weeks due to “personal grievances” against the company’s leadership. Jarett Reginald Dunn (aka Stacc) went on a rampage to “kill Pump.fun” by abusing his access to the private key to steal $2M. He admitted guilt on X immediately after the hack. The developer has since been arrested and committed due to mental health concerns.
Cypher. Core developer “hoak” was stealing SOL for months before he was discovered. More than $300K was stolen from the redemption contract for the $1M hack last year. What followed was a law enforcement referral, a public admission of guilt, and a confession of gambling addiction and mental health issues.
Two lessons here:
No matter how trustworthy an employee may appear, things may change overnight, especially where mental health issues are involved. It is critical that no one individual can cause existential harm to the project, its assets or its users. Use multisigs, timelocks, guardian accounts, anything that will prevent damaging unilateral action, and keep this attack vector in mind.
It is critical to have detailed knowledge of who your employees are, especially where money is involved. Background checks, detailed references, identifying documents and current mailing addresses are all important in reducing the risk of insiders going rogue.
Luckily not all is bad on the frontier. This week we also witnessed two whitehat actions saving millions to victims who already suffered devastating exploits.
A stolen private key for Alex Lab’s Xlink bridge was used to make a malicious upgrade. The malicious upgrade included an unprotected withdrawal function, which whitehats quickly used to take $4.3M back from the attackers on BSC. What’s interesting is that the whitehat also negotiated a 10% bounty. A new industry is already here!
A few days later whitehats detected a Sonne Finance hack in progress that abused the well known Compound V2 empty market vulnerability. While $20M had already been stolen, more than $6.5M in additional losses were prevented by depositing a small amount of tokens into the pool.
These are great examples of whitehats stepping in to not only “patch” vulnerable contracts in the midst of a hack, but also hacking the bad guys themselves to return their ill-gotten gains. Only in crypto can we enjoy stories like that!
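To show why that small seed deposit works, here is an added example (not the newsletter’s code, nor Sonne’s or Compound’s): a simplified Python model of a Compound V2 style cToken market in which the exchange rate is cash divided by cToken supply. The seed, donation and deposit figures are constructed; the model ignores borrows and reserves and only tracks the mint rounding that an inflated rate makes expensive for depositors.

```python
from fractions import Fraction
from math import floor

# Constructed, simplified Compound V2 style cToken market (added example,
# not the newsletter's or any protocol's code). Borrows and reserves are
# left out; the real rate is (cash + borrows - reserves) / totalSupply.
class CTokenMarket:
    def __init__(self, initial_rate: Fraction = Fraction(1)):
        self.cash = 0          # underlying held by the contract
        self.total_supply = 0  # cTokens outstanding
        self.initial_rate = initial_rate  # used while the market is empty

    def exchange_rate(self) -> Fraction:
        if self.total_supply == 0:
            return self.initial_rate
        return Fraction(self.cash, self.total_supply)

    def mint(self, underlying: int) -> int:
        """Deposit underlying; minted cTokens round down as in the contract."""
        minted = floor(Fraction(underlying) / self.exchange_rate())
        self.cash += underlying
        self.total_supply += minted
        return minted

    def donate(self, underlying: int) -> None:
        """Plain token transfer into the contract: raises cash, mints nothing."""
        self.cash += underlying


def mint_rounding_loss(market: CTokenMarket, deposit: int) -> Fraction:
    """Underlying the depositor loses to floor() on this mint, valued at the
    pre-mint rate. It is always below the exchange rate, so keeping the rate
    from being inflated is what bounds the loss."""
    rate_before = market.exchange_rate()
    minted = market.mint(deposit)
    return Fraction(deposit) - minted * rate_before


def loss_empty_vs_seeded(seed: int, donation: int, deposit: int) -> list:
    """Run the same donation against an unseeded and a seeded market.
    With `seed` cTokens held by the protocol, total supply can no longer be
    shrunk to a few wei, so the rate is capped near donation / seed."""
    results = []
    for seed_amount in (0, seed):
        m = CTokenMarket()
        if seed_amount:
            m.mint(seed_amount)  # seed deposit, never redeemed
        m.mint(1)                # the only other supply in the market
        m.donate(donation)       # direct transfer that inflates the rate
        results.append((m.exchange_rate(), mint_rounding_loss(m, deposit)))
    return results
```

With a seed of 1,000 cTokens, a 1,000,000-token donation moves the rate to roughly 1,000 instead of 1,000,001, and a 500,000-token deposit loses under 1,000 tokens to rounding instead of all of it.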
Speaking of bad guys, brothers Anton and James Peraire-Bueno (aka “low carb crusader”) were arrested for a sophisticated $25M MEV-boost hack on April 2, 2023. What’s interesting is not only how these two were caught (really sloppy money laundering and googling how to do it), but just how detailed and technical the DoJ’s indictment is! As was shown in the case of Avi Eisenberg and again today, law enforcement is very capable of not only understanding the technical nature of on-chain hacks, but also building strong cases to prosecute bad actors. Kudos!
The premium version of the newsletter includes additional coverage of an embarrassing TCH malleability exploit, DNS hijacking of Equalizer Finance, BlockTower Capital hack, Predy Finance reentrancy, a previously “unnoticed” $14.8M exchange hack, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Tornado Cash Developer Alexey Pertsev Found Guilty, Sentenced to 64 Months in Prison by Dutch Court. The decision makes future development of financial privacy tools a risky endeavor.
Parity Hacker Returns, Laundering $9M in Ethereum After 7 Years of Inactivity.
FBI seize BreachForums hacking forum used to leak stolen data.
North Korea laundered $147.5 mln in stolen crypto in March, say UN experts.
Stolen Poloniex Ether worth $53M never made it back to the exchange.
Google Chrome emergency update fixes 6th zero-day exploited in 2024.
Crime
Brothers arrested for $25 million theft in Ethereum blockchain attack. Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, were found responsible for the $25M MEV-boost hack on April 2, 2023.
US court orders forfeiture of 279 crypto accounts tied to North Korea laundering.
Ontario's 'Crypto King' arrested after Durham police's largest fraud investigation ever.
Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam.
Policy
Crypto under siege by Rekt.
IBEX Pay is suspending all services in US.
Phishing
Pink Drainer ‘steps back from the grind’ after stealing $75M from victims.
Beginner’s Guide to Web3 Security: Guide to Avoiding Fake Wallets and Private Key/Mnemonic Phrase Compromises by SlowMist.
Scams
CFTC Warns Public of ‘Money Mule’ Scams Involving Crypto Disguised As Work-From-Home Opportunities.
Give and Take: An End-To-End Investigation of Giveaway Scam Conversion Rates.
Malware
Media
Invariant Driven Development - Build a CDP system using Invariants as Safety Nets by Alex the Entreprenerd.
Glider - The Most Powerful Web3 Bug Bounty Tool Ever by Owen Thurm.
Research
The Graph Rounding Error Bugfix Review by Immunefi.
Breaking Verifiable Delay Functions in the Random Oracle Model.
Wormhole access control vulnerability responsibly disclosed by CertiK. The vulnerability could be abused for infinite mint through spoofed events.
Competitive audit drama between trust__90 and Sherlock.
The Art of Judging Bug Bounties by Or Cyngiser (Trust Security).
The near and mid-term future of improving the Ethereum network's permissionlessness and decentralization by Vitalik Buterin.
PoW Security-Latency under Random Delays and the Effect of Transaction Fees.
Large Language Models for Blockchain Security: A Systematic Literature Review.
Temporarily Restricting Solidity Smart Contract Interactions.
Why Passkey Implementation is 100x Harder Than You Think – Misconceptions, Pitfalls and Unknown Unknowns by Corbado.
Tools
SOLP: A Stand-alone Solidity Analysis Library by Zellic. The library is quite powerful, capable of producing stable ASTs well suited to code analysis.
Writing Cross-Chain PoC Using Pigeon by Sujith Somraaj.
Foundry adds console input for more interactive testing.
Ponder adds call trace indexing for smart contracts.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content