Greetings!
More than $5.2M was stolen this week across 5 incidents. Let’s look at some of the more notable case studies.
We continue to see the trend noted last week where the majority of losses are no longer caused by smart contract exploits. Loopring is one such example: a flaw in their 2FA recovery service was used to drain multiple wallets, with losses exceeding $5M. The incident affected wallets that had configured a single recovery wallet, namely Loopring’s official guardian account. A few lessons:
Wallet providers must provide a secure configuration by default. We can’t assume users will do the right thing or fully understand the risk.
Single points of failure like an official Guardian account create outsized risk and attract bad actors.
Web2 security controls like 2FA can and will fail.
See Vitalik’s recent post on Reddit, “How I think about choosing guardians for multisig and social recovery wallets”, for more tips on secure implementation.
Mandiant published a threat report on UNC5537, the actor responsible for the mass compromise of Snowflake customers. While it’s not directly crypto related, the incident contains a lot of critical lessons which you may find useful when securing web2 infrastructure and third-party dependencies:
The incident was caused by compromised credentials without 2FA enabled.
Credentials were stolen using a variety of infostealer malware families, indicating multiple campaigns.
Compromised credentials were not rotated or updated in years.
There were no restrictions on the network locations from which sensitive data could be accessed.
Initial infostealer infection occurred on contractor machines used for multiple clients, gaming, and other personal use.
With the above in mind, at the very least buy your employees and contractors a $25 YubiKey. You may also consider a dedicated laptop, used from a restricted environment, to access the most critical systems holding billions. You will not go bankrupt from buying a laptop to prevent losing private keys when a contractor decides to pirate games on their shared dev box. Remember, we are in an industry where millions are stolen weekly, so your security controls should reflect that.
The premium version of the newsletter includes additional research papers, PoCs, indicators, and other data on the aforementioned compromises, as well as on two STM incidents and the YYS and br1an.eth hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out the media section for an excellent selection of web3 security and privacy related talks. Let’s dive into the news!
News
SEAL Team partners with Security Research Legal Defense Funds to provide financial assistance to whitehats in legal trouble.
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Ticketmaster, Lending Tree, Pure Storage, and others have already come forward as being among the 165 victims.
Norwegian government freezes and returns $5.7 million connected to Ronin hack.
Another privacy tool company, Nocturne, is shutting down.
Crime
Former FTX Executive Ryan Salame Sentenced To 90 Months In Prison.
Pair launches civil suit against Hong Kong crypto exchange JPEX to recover HK$1.85 million.
Feds seize domains linked to crypto investment scam preying on New York’s Russian diaspora.
Feds Charge UK Nationals With $3 Million ‘Evolved Apes’ Ethereum NFT Scam.
Phishing
Signature phishing is the biggest problem in our industry based on SEAL 911 tickets by pcaversaccio.
Malware
‘Operation Endgame’ Hits Malware Delivery Platforms by Brian Krebs. Be sure to check out cool videos on the project’s official site.
Unraveling How a Malicious Extension Stole a Million Dollars by SlowMist.
Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers by Trend Micro.
Media
ETH Prague 2024
Security at the sequencer level / Martin Derka.
Forensics in Web3: How and When / Luciano Ciattaglia.
Enhancing vulnerability detectors with LLM / Jan Kalivoda.
Wake Framework: All-in-One Toolkit for Solidity Development / Michal Převrátil.
Solidity Debugging meets Formal Methods / Raoul Schaffranek.
Solidity VS Code extensions for development & security / Stepan Sonsky.
Fullstack DApp Security: Going Beyond Smart Contract Audits / Philip Paetz.
The Imperative of Security in dApps: Protecting the Decentralized Ecosystem / Stephen Ajayi.
Mass surveillance, digital freedom and cyber security / Martin Warnke, Hyun-Joo Lim.
Will your Oracle hug you or rug you? / Paweł Zaremba.
Usability vs Security in storing your crypto / Adam Schinzel.
Build and secure your use of a dApp with hardware device / Akram El Milligy.
Zero Knowledge privacy in action / Lauri Peltonen.
A new paradigm in privacy: The Fundamentals of Homomorphic Encryption / Diogo.
ETHDam 2024 - entire conference dedicated to on-chain privacy.
What is security in Web3 - Dan (Sherlock).
See (no) evil: privacy and compliance on-chain - Philip Gradwell (Chainalysis).
Auditors & Bounty Hunters: who should secure your bags? - Panel.
Crypto Scams, keeping people safe & alpha with onchain data! - Panel.
In Crypto we don’t trust: how protocols approach security - Panel.
Slither: introduction to custom analysis - Josselin Feist (Trail of Bits).
Effective Product Security: Lessons from bug bounties and audits - CvH (Polygon).
Research
100x Hackers, and How to Become One by Mitchell Amador.
Compiler Fingerprinting in EVM Bytecode by Jonathan Becker.
Understanding ABI encoding for function calls by RareSkills.
Securing Smart Contracts with Formal Verification Tools by AuditWizard.
Unveiling Hidden Threats: Symbolic Execution for Smart Contract Security by Olympix.
Running Halmos by Default for Library Testing by Antonio Viggiano.
The Backbone of Cybersecurity: Hardware Security Modules by David Schmid.
Stealing Trust: Unveiling Vulnerabilities in Web3 Authentication.
It Takes Two: A Peer-Prediction Solution for Blockchain Verifier's Dilemma.
Tools
Trident - Rust-based framework to fuzz and integration-test Solana programs to help you ship secure code, by Ackee.
TracEVM - a tool to track the values and addresses of slots using partial symbolic execution.
MEV Scanner - check how much a wallet lost to MEV.
Audit report template by spoOds.
Keycheck - checks your repository for Ethereum private keys in hexadecimal format. Meant to be used in a pre-commit hook.
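To illustrate what a pre-commit private-key scanner of this kind has to get right, here is an added example written for this issue; it is not Keycheck’s own code. It looks for 64-hex-character values in staged files, skips values that cannot be a secp256k1 private key (zero or at or above the curve order n), ignores values that sit on a line labelled as a hash (a constructed context allow-list, since transaction and block hashes are also 32 bytes), and never matches a 64-hex window inside a longer hex string such as a 65-byte signature. The sample staged text is constructed; the key-looking value in it is a made-up repeated pattern, not a real key.

```python
import re
import subprocess
import sys

# secp256k1 group order n: a valid private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Exactly 64 hex digits, optional 0x prefix, not embedded in a longer hex run
# (so 130-hex signatures and 128-hex public keys are not reported).
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")

# Constructed heuristic: a 64-hex value on a line labelled like this is
# almost always a hash, not a key. Tune to your codebase.
HASH_CONTEXT = ("txhash", "tx_hash", "blockhash", "block_hash", "sha256", "keccak", "digest")

def is_possible_private_key(hex_value: str) -> bool:
    """True if the 32-byte value is a valid secp256k1 scalar (1 <= v < n)."""
    v = int(hex_value, 16)
    return 1 <= v < SECP256K1_N

def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return (path, line_number, masked_prefix) for each suspected private key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for match in HEX32_RE.finditer(line):
            candidate = match.group(1)
            if not is_possible_private_key(candidate):
                continue  # out of curve range: cannot be a key
            if any(word in lowered for word in HASH_CONTEXT):
                continue  # labelled as a hash on this line
            # Never echo the full value back into the terminal or CI log.
            findings.append((path, lineno, candidate[:6] + "..."))
    return findings

def staged_files() -> list:
    """Paths of files added/copied/modified in the index (git pre-commit view)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]

def scan_staged() -> list:
    """Scan every staged file; binary or unreadable files are skipped."""
    findings = []
    for path in staged_files():
        try:
            with open(path, "r", encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), path))
        except (UnicodeDecodeError, OSError):
            continue
    return findings

# Constructed sample of what staged content might look like.
SAMPLE_STAGED_TEXT = "\n".join([
    "PRIVATE_KEY=0x" + "1122334455667788" * 4,           # made-up key-shaped value: flagged
    "tx_hash = 0x" + "5c504ed432cb5113" * 4,              # hash-labelled line: skipped
    "address = 0x" + "deadbeef" * 5,                      # 40 hex chars: not a key
    "padding = " + "f" * 64,                              # >= curve order: skipped
    "sig = 0x" + "ab" * 65,                               # 130 hex chars: not matched
])

def main() -> int:
    findings = scan_staged()
    for path, lineno, masked in findings:
        print(f"{path}:{lineno}: possible Ethereum private key starting {masked}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as .git/hooks/pre-commit (or via a pre-commit framework entry) so a non-zero exit blocks the commit. The context allow-list is the weak spot: a key pasted onto a line that also mentions a hash will be missed, so treat this as a seatbelt rather than the only control, and keep keys out of the repository tree in the first place.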
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.