BlockThreat - Week 21, 2025
Cetus | Sui | Mango Markets | Eisenberg | Bitcoin Central | Chainge Finance
Greetings!
Over $260 million was stolen across five separate incidents this week, with the bulk of the losses stemming from a single ecosystem-wide compromise on the Sui blockchain.
But before we dive into the details of that hack, a quick word from this week’s sponsor — Almanax. It’s a critical tool for any smart contract developer, designed to help you avoid becoming yet another statistic in the relentless wave of DeFi exploits.
Almanax is an AI security engineer designed to help security teams prevent hacks. It plugs into CI/CD pipelines to identify security issues in every commit with LLMs. It also triages alerts from static analyzers and dependency checks, suppressing false positives and surfacing exploitable issues in real time—including hidden backdoors in third‑party packages.
Scan your codebase for free with Almanax at app.almanax.ai.
The recent $260M+ exploit of Cetus Protocol on the Sui chain is a reminder of the catastrophic bugs that may appear in reimplementations of critical code while porting from a different language or chain. Much like the infamous Curve Finance hack, which resulted from an incorrect implementation of a reentrancy check in certain versions of the Vyper compiler, the Cetus incident demonstrates that even thoroughly audited code can be hacked if the underlying library code is flawed.
At the core of the Cetus compromise was a bug in Sui’s Move compiler implementation of the checked_shlw(u256) function. This function was intended to prevent overflow during left-shift operations, but it was implemented with a constant that was too large, rendering the check ineffective.
This subtle error enabled an attacker to mint pool liquidity with negligible input, depositing a single token and then draining the pool by withdrawing the full value. The vulnerability went undetected in multiple audits by reputable firms likely because the affected library math code was out of scope or assumed to be safe.
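As an added illustration of the flawed overflow check described above and of the kind of invariant test mentioned further down (this is example code, not code from Cetus, Sui or any library the page names), the Python below models a 256-bit checked left shift by 64 with the correct bound beside a variant whose bound constant is too large, then runs the round-trip invariant that tells them apart. The exact flawed constant is an assumption chosen to show the failure mode, not a value quoted on the page.

```python
import random
from typing import Callable, Optional, Tuple

U256_MAX = (1 << 256) - 1
SHIFT = 64  # "shlw": shift left by one 64-bit word


def checked_shlw_correct(n: int) -> Tuple[int, bool]:
    """Return (n << 64 mod 2^256, overflowed).

    Correct bound: if any of the top 64 bits of n is set, the shift
    pushes information past bit 255 and must be flagged."""
    if n >= 1 << (256 - SHIFT):
        return 0, True
    return (n << SHIFT) & U256_MAX, False


# ASSUMPTION (constructed for illustration): a bound constant that is too
# large. It only rejects values with *all* top 64 bits set, so any value with
# some but not all of those bits set slips through and silently wraps.
FLAWED_BOUND = 0xFFFFFFFFFFFFFFFF << 192


def checked_shlw_flawed(n: int) -> Tuple[int, bool]:
    if n > FLAWED_BOUND:
        return 0, True
    return (n << SHIFT) & U256_MAX, False


def shift_is_lossless(fn: Callable[[int], Tuple[int, bool]], n: int) -> bool:
    """Invariant: when fn reports no overflow, shifting back must recover n."""
    result, overflow = fn(n)
    return overflow or (result >> SHIFT) == n


def find_violation(fn: Callable[[int], Tuple[int, bool]],
                   trials: int = 10_000, seed: int = 1) -> Optional[int]:
    """Check the invariant on boundary cases plus random u256 values.

    Returns the first input that violates it, or None if none does."""
    rng = random.Random(seed)
    candidates = [1 << 192, (1 << 193) - 1, FLAWED_BOUND, U256_MAX]
    candidates += [rng.getrandbits(256) for _ in range(trials)]
    for n in candidates:
        if not shift_is_lossless(fn, n):
            return n
    return None
```

Note that the flawed variant reports no overflow for an input of 2^192 while returning 0 as the shifted value, which is exactly how a large intermediate can collapse to a negligible number without any error being raised.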
In response to the exploit, Sui validators acted swiftly, freezing the majority of the stolen funds by censoring all transactions from the attacker’s addresses. Simultaneously, a governance proposal was introduced and approved to issue two special transactions that recovered funds from two of the attacker-controlled wallets. This coordinated, chain-wide intervention is now a recurring pattern in blockchain crises—a centralized remedy in systems designed to be decentralized.
On a related note, make sure to check out Recon’s testing suite — especially their invariant checks, which would have likely caught this exploit before it happened.
Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.
See our portfolio: https://getrecon.xyz/blockthreat
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
News
Coinbase breach hit almost 70k users. Interestingly, Coinbase hackers decided to troll ZachXBT onchain after $42.5M THORChain swap. It's a bold strategy, Cotton. Let's see if it plays out for them.
Crime
Crypto Trader’s Convictions Vacated in Mango Markets Fraud Case. Commodities fraud, commodities manipulation, and wire fraud convictions by a jury trial were dismissed by the judge because the prosecution failed to prove fraudulent or manipulative conduct. The ruling essentially reaffirms the “code is law” defense recently adopted by a court in France. A misguided ruling by an ill-informed judge that undermines the safety of an entire industry.
Australian Police Seize Hacker’s Bitcoin, Mansion and Luxury Car. The “French cryptocurrency exchange” hack likely refers to the 2013 hack of Bitcoin Central, in which a few hundred BTC were stolen.
Crypto Investor Charged With Kidnapping and Torturing Man for Weeks. A wild story to steal crypto from an Italian national involving a group of crypto bros and an actress.
A Crypto Billionaire Who Feared Arrest in the U.S. Returns for Dinner With Trump. Justin Sun received a Trump branded watch at the dinner.
Europol Busts 'Hawala Banking' Network Cashing Crypto for Criminals.
Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation. The action disrupts operation of LummaC2 crypto and banking credential stealer.
Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme. More than $24M in crypto was seized from Rustam Rafailevich Gallyamov, a resident of Moscow, Russia.
Feds charge Amalgam founder with stealing $1M via ‘sham’ blockchain.
Phishing
“Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users by SlowMist.
Demystifying Phishing Contracts on Ethereum and How to Avoid Them by BlockSec Team.
Scams
‘Hawk Tuah’ girl says FBI, SEC cleared her of legal wrongdoing in memecoin fiasco.
Road to Nowhere by Rekt. The slow rug pull of Chainge Finance.
Malware
Destructive malware available in NPM repo went unnoticed for 2 years.
Dero miner zombies biting through Docker APIs to build a cryptojacking horde by Kaspersky.
“Anti-Ledger” malware: The battle for Ledger Live seed phrases by Moonlock.
Chihuahua Stealer Malware Targets Browser and Wallet Data by Picus Security.
Bitcoin stealer malware found in official printer drivers. Attackers already stole more than 9 BTC.
Media
bountyhunt3rz - Episode 14 - bytes032.
OpenSense - Success is for those who deserve it with Julien Klepatch.
Contests
Bug Bounty Web3 - Daily Challenges by Thomas EDET.
Research
Halting Cross-chain: Axelar Network Vulnerability Disclosure by Marco Nunes.
How memory works under the hood in the EVM and how this knowledge led me to recently discover a critical vulnerability by kaden.eth.
How EIP-7702 Transforms Account Security and Functionality by Three Sigma.
The Hidden Threats of Web2 Vulnerabilities in Web3 Systems by Mujtaba Raza (Blockapex).
Deep Dive into DeFi Derivatives by Viktor Yurov (MixBytes).
Understanding Perpetual Derivatives Protocols: A Primer for Web3 Security by QuillAudits.
Stablecoin intro - What are stablecoins and why is the context important for a security researcher by Delvir0.
Adaptive Plan-Execute Framework for Smart Contract Security Auditing.
An Empirical Analysis of EOS Blockchain: Architecture, Contract, and Security.
Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.
Tools
Revela Move decompiler by Verichains. Decompiler for the Move smart contract language used on Aptos and Sui chains.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.