Greetings!
This week more than $8.5m was stolen from various DeFi projects on the BSC, Arbitrum, and Polygon chains. Price oracle and reward manipulation continue to be the top attack vectors. A major scam has finally exited with $31.6m, while the FBI is warning job applicants to be wary of accidentally joining a phishing farm.
Detailed indicators for the above and other incidents this week are available in the premium section below.
Some truly fascinating vulnerabilities were patched thanks to responsible disclosures in several major projects, including KyberSwap, Celer, Polygon zkEVM, and others. That is great news on the one hand; on the other, it teaches us that even the most audited code is never bug-free.
This week’s edition also features the latest and greatest in blockchain security research, so I hope you enjoy some downtime by learning how to find vulnerabilities before the bad actors do. Let’s dive into the news!
News
Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities.
Confidential Report Flags Bitfinex Security Lapses in Huge 2016 Hack.
Founder of crypto exchange BTC-e eyes prisoner swap with WSJ journalist.
Tornado Cash DAO passes attacker's proposal to hand back control.
Crypto hacks down 70% in Q1 2023 by TRM Labs.
Scams
Crypto phishing service Inferno Drainer defrauds thousands of victims.
Reports of increased spear-phishing attacks using Google Docs by Tayvano.
The FBI Warns of False Job Advertisements Linked to Labor Trafficking at Scam Compounds.
Interview With a Crypto Scam Investment Spammer by Brian Krebs.
The Sandbox founder’s Twitter compromised and used for an airdrop scam.
Fintoch exit scammed with $31.6m by ZachXBT.
Hacks
On May 22, 2023 LunaFi lost $35k in a reward manipulation exploit.
On May 23, 2023 CS Token lost $714k in a price oracle manipulation exploit.
On May 23, 2023 Local Traders lost $120k due to insufficient function access controls.
On May 24, 2023 GPT Token lost $155k in a reward manipulation exploit.
On May 26, 2023 Patricia exchange announced theft of bitcoin. No additional details are available about the compromise.
On May 28, 2023 Jimbos Protocol lost $7.5m in a price oracle manipulation exploit.
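Two of the incidents listed above are price oracle manipulations. The toy model below is an added illustration, not code from any of the affected projects and not a reconstruction of any specific incident: it shows why a lending-style protocol that prices collateral from a constant-product pool's instantaneous reserve ratio can be drained in a single block, while a time-weighted average price (TWAP) sampled over many blocks barely moves. All pool sizes, swap amounts and the 75% loan-to-value ratio are constructed numbers; the fee is omitted so the arithmetic stays exact.

```python
"""Spot price vs TWAP under a one-block pool manipulation (constructed example)."""
from fractions import Fraction


class ConstantProductPool:
    """x * y = k pool with no swap fee (constructed, fee omitted for exact math)."""

    def __init__(self, reserve_x: int, reserve_y: int) -> None:
        self.reserve_x = Fraction(reserve_x)
        self.reserve_y = Fraction(reserve_y)

    def spot_price_x(self) -> Fraction:
        """Price of one X in units of Y, read straight from current reserves."""
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: int) -> Fraction:
        """Sell amount_y of Y into the pool and receive X; k is held constant."""
        k = self.reserve_x * self.reserve_y
        new_y = self.reserve_y + amount_y
        new_x = k / new_y
        out_x = self.reserve_x - new_x
        self.reserve_x, self.reserve_y = new_x, new_y
        return out_x


class TwapOracle:
    """Averages one spot-price observation per block over a sliding window."""

    def __init__(self, window_blocks: int) -> None:
        self.window = window_blocks
        self.history = []

    def observe(self, price: Fraction) -> None:
        self.history.append(price)

    def price(self) -> Fraction:
        recent = self.history[-self.window:]
        return sum(recent) / len(recent)


def max_borrow(collateral_x: Fraction, price_x: Fraction,
               ltv: Fraction = Fraction(3, 4)) -> Fraction:
    """Hypothetical lending rule: borrow up to ltv * collateral value in Y."""
    return collateral_x * price_x * ltv


def run_attack(window_blocks: int = 100, honest_blocks: int = 99) -> dict:
    """Skew a 1000/1000 pool with a 9000 Y dump and compare both oracles."""
    pool = ConstantProductPool(1000, 1000)
    twap = TwapOracle(window_blocks)
    for _ in range(honest_blocks):
        twap.observe(pool.spot_price_x())  # price stays 1 for 99 blocks
    # Attacker block: dump 9000 Y (e.g. flash-loaned) into the pool.
    x_obtained = pool.swap_y_for_x(9000)
    twap.observe(pool.spot_price_x())
    spot = pool.spot_price_x()
    avg = twap.price()
    return {
        "x_obtained": x_obtained,              # 900 X received for 9000 Y
        "spot_price": spot,                    # 100: skewed 100x in one block
        "twap_price": avg,                     # (99*1 + 100)/100 = 1.99
        "borrow_with_spot": max_borrow(x_obtained, spot),  # 67500 Y
        "borrow_with_twap": max_borrow(x_obtained, avg),   # 1343.25 Y
        "pool_y_reserve": pool.reserve_y,      # 10000 Y, less than spot-based borrow
    }


if __name__ == "__main__":
    for name, value in run_attack().items():
        print(f"{name}: {float(value):.2f}")
```

The spot-priced protocol lets the attacker borrow more Y than the pool even holds, using X it bought moments earlier at a tenth of the reported price; the TWAP-priced protocol limits the loan to roughly twice the fair value of the same collateral. A TWAP is not a complete fix (an attacker who can hold the skew across many blocks still moves it), which is why production designs combine it with an external feed or a deviation check rather than relying on one pool.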
Other Incidents
Vulnerabilities
Public transfer vulnerability of the Tether Gold smart contract by BlockSec.
Saving $100M at risk in KyberSwap Elastic by 100 Proof.
Polygon patched a critical vulnerability in zkEVM that breaks L2 migration, thanks to a responsible disclosure by iczc.
Election Fraud? Double Voting in Celer’s State Guardian Network by Felix Wilhelm.
Aleo patched inflation and chain-halting bugs thanks to a responsible disclosure by Federico LambdaClass.
Crypto Security Firm Unciphered Claims Ability to Physically Hack Trezor T Wallet.
Malware
New Info Stealer Bandit Stealer Targets Browsers, Wallets by TrendMicro.
Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor by Permiso.
Contests
Media
Yul & Memory Intro | Yul Exploit! by Owen Thurm.
DEF CON 30 - Thomas Roth, Solana - JIT - Lessons from fuzzing a smart contract compiler.
Research
Exploiting Precision Loss via Fuzz Testing by Dacian.
The Ultimate Guide To Reentrancy by Immunefi.
Why DeFi is Broken and How to Fix It, Pt 1: Oracle-Free Protocols by Dan Elitzer.
Automated Market Making and Arbitrage Profits in the Presence of Fees.
Towards Automated Security Analysis of Smart Contracts based on Execution Property Graph.
Towards Understanding Crypto Money Laundering in Web3 Through the Lenses of Ethereum Heists.
Removal of SELFDESTRUCT - An Impact Study on EIP-4758 & EIP-6780 by Dedaub.
The EVM Handbook by noxx3xxon.
Solidity Attack Vectors Compilation by 0xprinc.
Multichain Auditor - Observations and tips for auditing protocols on multiple chains by 0xJuancito.
Solidity compiler metadata analysis thread by RareSkills.
Tools
Cicada is a private on-chain voting protocol based on homomorphic time-lock puzzles.
ChaosNet - testnet with autonomous actors by ApeWorX.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.
Premium Content