Dear readers,
Unfortunately, peace and quiet did not last long. More than $150M was stolen from various projects this week, including a rare virtual-machine exploit in Elrond that was used to drain $113M from Maiar DEX. Many of these exploits should never have happened: Wintermute's wallet hijacking came down to the team never deploying a contract at the address that received the funds, and a critical Osmosis vulnerability was simply posted on Reddit for all to see and exploit. Luckily a good portion of the assets stolen in these and other hacks was recovered, but luck is not a reliable security control.
In this week's news we witnessed the first-of-its-kind restraining order served via NFT, Reuters published a damning article about Binance, and Do Kwon is reported to have liquidated billions in assets prior to Luna's crash.
As we get deeper into the bear market, security often suffers as projects take shortcuts to survive: forgoing audits, taking on more risk or simply becoming complacent. Unfortunately this only accelerates their demise while adding to the already insane $1.8B in losses this year. Stay resilient and stay safe!
News
IRA Financial Trust sues Gemini over $36M theft of Bitcoin, Ethereum.
How crypto giant Binance became a hub for hackers, fraudsters and drug traffickers: the Reuters report alleges the laundering of $2.35B in illicit funds through the exchange. Binance responded with a blog post detailing its exchange with the Reuters reporters.
Meet the Vigilantes Who Hack Millions in Crypto to Save It From Thieves.
LCX exchange hacker served with restraining order via NFT. Almost $8M were stolen in the compromise earlier this year.
Crypto Exchanges Delist Litecoin Over Privacy Feature Concerns.
Scams
Reports of Do Kwon cashing out $2.7B before the Luna crash.
El Universal's Twitter account was hacked to spread an NFT scam.
Yuga Labs co-founder warns of a possible attack, claims a Twitter insider is involved.
Hacks
On June 5, 2022 the Elrond blockchain virtual machine was exploited, giving attackers control over arbitrary contracts. Attackers used the flaw to drain $113M from Maiar DEX, most of which was recovered by the dev team.
On June 6, 2022 ApolloX lost $2.1M as a result of a signature verification vulnerability.
On June 7, 2022 Gym Network lost $2.1M when insufficient function access controls were exploited to create fake deposits.
On June 7, 2022 Equalizer Finance lost $72K in an exploit targeting its flash loan services.
On June 8, 2022 Osmosis lost $5M after a bug in its reward calculation logic was exploited by multiple users following a Reddit post that disclosed the bug.
On June 9, 2022 Wintermute lost $27.6M in OP tokens airdropped to it by Optimism. The tokens were sent to Wintermute's wallet address, but the team had never deployed the wallet contract at that address on Optimism, so the funds sat dormant. An attacker claimed them by deploying a contract they controlled at that same address. Luckily the attacker returned most of the stolen funds and claimed a bounty.
On June 10, 2022 Treasure Swap lost $1.1M due to a missing k-value (constant-product invariant) check.
Vulnerabilities
OpenSea fixed a critical vulnerability in Wyvern Protocol which could allow theft of WETH from users’ wallets thanks to a bug report by Gus.
Electrum Wallet and its forks fixed a URL injection vulnerability that could allow leaking of SMB tokens, thanks to a responsible disclosure by Frank Davidson.
Sense Finance patched a critical vulnerability that could allow oracle price manipulation thanks to a responsible disclosure by Violet Vienhage.
Siren Markets patched a block stuffing vulnerability thanks to a report by Joran Honig.
Aurora fixed an infinite spend bug thanks to a responsible disclosure by pwning.eth.
Solana patched an rBPF bug that could have caused a network split after it was responsibly disclosed by the BlockSec team.
Malware
How SeaFlower 藏海花 installs backdoors in iOS/Android web3 wallets to steal your seed phrase by Confiant.
Poisoned CCleaner search results spread crypto and information-stealing malware.
Contests
Media
Research
Smart Contract Security: A Simple Checklist for Web3 Development.
A Flash(bot) in the Pan: Measuring Maximal Extractable Value in Private Pools.
More EVM Puzzles Solutions Part 3 by patrickd.
Cooperation among an anonymous group protected Bitcoin during failures of decentralization.
Tools
Premium Content
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.