Greetings!

This week, hundreds of millions of dollars worth of assets were stolen across seven incidents. We could do deep dives into a couple of very interesting exploits this week. However, it’s time to look at data and reassess how our industry has already lost more than $1B, with almost a third of losses occurring this month!

On the CeFi side, the massive $305M DMM exchange compromise sets us on track to exceed the $200M Mixin and $130M Poloniex hacks from last year So far, hot wallet compromises netted $353M to bad actors in 2024. Nation state and financial actors will continue using traditional exploitation techniques to target CeFi infrastructure. Techniques such as phishing, social engineering, credential stealing malware, and others are mostly well understood by these entities which have had more than a decade to either build their defenses or join the exchange graveyard.

The trend that alarms me the most is on the DeFi side. Here are the Top 10 exploitation vectors from first half of 2023:

As I discussed during my talk at last year’s DeFi Security Summit, most of the root causes behind the largest hacks were related to vulnerabilities in smart contracts and a lack of secure coding practices. Hacks due to price oracle or reward manipulation, weak function access controls, and various logic errors dominated the threat landscape. Operational security issues such as private key and governance management were a concern, but resulted in only about 1/4 of all losses.

Fast forward to 2024, and the threat landscape has changed significantly:

On the positive side, price oracle and reward manipulation exploits are no longer resulting in as many losses. They were replaced by new smart contract exploitation vectors such as function parameter injection, rounding errors, and the embarrassing insufficient function access control weaknesses. However, it is the operation security related compromises such as stolen private keys, insider threat, governance, and back-end compromises that are now dominating the Top 10 DeFi Attack Vectors:

Secret management, insider threat, third party dependencies, cloud infrastructure, and others are all traditional security issues. We have been so focused on smart contract vulnerabilities that we have unfortunately neglected the rest of the threats.

Consider this an early warning. If you have been paying attention over the past few editions we already started covering interesting case studies and noting important lessons that go beyond smart contract vulnerabilities. Expect to see more coverage on insider threat, key management, infra security, threat actor profiles, DeFi security program building and related topics in upcoming editions.

However, don’t be too hard on yourselves. It’s also a sign of maturity. The ever evolving field of DeFi security is graduating from the initial code security/audit model into new domains such as security program management, security operations, threat intelligence, governance, insider threat, risk, compliance, and other frontiers. So whether you are just joining the field or a seasoned veteran, things are about to get very exciting.

As we celebrate the much overdue 5 year anniversary of the newsletter, I invite you to join me in this next chapter where we get to learn, explore, build, and hopefully make this industry a bit safer together. It’s worth it.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Oh and be sure to check out Joe Grand’s latest hardware wallet exploit in the Media section. Let’s dive into the news!

News

• FBI warns of fake remote work ads used for cryptocurrency fraud.

• Crypto Losses in May 2024 by Immunefi.

Crime

• Europol raids money mules who laundered $10M for crypto scammers.

• Indian crypto exchange hackers selling Ticketmaster data for $500K.

• How a money launderer allegedly used Deltec, Binance, and Tether.

• Ukraine police raid criminal crypto call center ring.

• Russian companies using USDT to evade UK and US sanctions, report.

• Two Estonian Nationals Extradited from Estonia to the United States for $575M Cryptocurrency Fraud and Money Laundering Scheme.

• Former FTX Executive Ryan Salame Sentenced To 90 Months In Prison.

• Whistleblowers, Yachts and Lawyers: FTX Examiner’s Key Takeaways.

Phishing

• Comprehensive Analysis of Phishing Attacks on Blockchain.

• Prevention against Crypto Phishing Attacks.

• Victim who lost $7M in Ethereum re-staking exploit gets funds back.

• Scammers Steal $2 Million from OKX User Account Using AI.

• Caitlyn Jenner’s X account promotes memecoin amid hack concerns.

• Microsoft India’s X account hijacked in Roaring Kitty crypto scam.

• Frax Finance X account hacked, CEO suspects ‘inside job’.

• The Sandbox’s team member X account hacked.

• Hackers exploit Chrome plugin to steal millions from Binance accounts.

Scams

• Blockchain Sleuth Zackxbt Called out Floyd Mayweather on Token Scams.

Malware

• Wolf in Sheep’s Clothing - Fake Chrome Extension Theft Analysis by SlowMist.

• Is Your Computer Part of ‘The Largest Botnet Ever?’ by Brian Krebs.

• RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability.

Media

• I hacked time to recover $3 million from a Bitcoin software wallet by Joe Grand. Also a corresponding article by Kim Zetter (Wired).

• Blockchain Security Series 8: Rosco Kalis (Founder @ Revoke cash).

• OpenSense - Mastering EVM: Calldata, Assembly Returns, and More with Ret2Basic.eth.

Research

• Solidity Inline Assembly Vulnerabilities by Dacian.

• All Your Tokens are Belong to Us: Demystifying Address Verification Vulnerabilities in Solidity Smart Contracts.

• Identifying Red Flags in Smart Contracts: A Guide to Spot Security ....

• Nirvana Finance founder recounts the ‘worst day’ of his life.

• Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum.

• Eclipse Attack Detection on a Blockchain Network as a Non-Parametric Change Detection Problem.

• GasTrace: Detecting Sandwich Attack Malicious Accounts in Ethereum.

• The Kosmosis Use-Case of Crypto Rug Pull Detection and Prevention.

Tools

• devcontainer by The Red Guild focused on web3 and security.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content