BlockThreat - Week 24, 2023
ZachXBT | Sleepdropping | FPG | Hashflow | Sturdy | Keep3r | Sui
This week brought concerning news of a lawsuit targeting one of the most respected figures in our industry, ZachXBT. As Zach described it, the case resembles David vs Goliath: the plaintiff, Machi Big Brother, has significant financial resources to advance his agenda, and the lawsuit puts one of the industry's few good actors at risk.
Speaking of malicious actors, the Euler attacker seems determined to stay in the spotlight. First, they revealed their location, followed by their Twitter handle and name. Regardless of any deals made with Euler, it seems they are eager to have their day in court shortly after the conclusion of the Eisenberg case.
There were nine notable compromises this week, resulting in nearly $23 million in losses. The majority of these losses stemmed from the hack of Floating Point Group (FPG), a centralized crypto prime broker. The Hashflow hack was particularly intriguing: the attacker stole $600k and then deployed a contract through which users could recover their stolen assets, with an optional donation. Hopefully this doesn't become a new iteration of the trend of "whitehats" extorting donations from their victims. On a positive note, the attacker published the complete source code of their exploit contract, making it an interesting case study. The DEPUSDT incident was embarrassing: $100k was lost because a publicly callable approval function lacked access control, so anyone could set token approvals on the contract's behalf.
In terms of vulnerabilities, stack overflow and infinite loop bugs were discovered in the Move programming language used by the Sui and Aptos chains. Additionally, a reward manipulation bug was found in OpenZeppelin's MerkleProof library.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Crypto Detective ZachXBT Faces Defamation Lawsuit. Following the news, the community rallied behind Zach, donating over $1m to his defense fund. Unfortunately, the damage was already done: the lawsuit exposed ZachXBT's real name, inviting extortion attempts. Please be safe!
Avraham Eisenberg's criminal trial is set for December 4, following the SEC's market manipulation charges from earlier this year.
Reports of a new transaction phishing variant called Sleepdropping, which mimics token transfers by deploying fake token contracts whose names resemble those of real tokens, so the spoofed transfer appears in the victim's transaction history alongside genuine ones.
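A minimal check a wallet or indexer could apply against this class of spoofing, added here as an example rather than taken from any cited report or project: trust the emitting contract address, never the displayed symbol string. It goes slightly beyond the exact-name case described above by also folding whitespace, zero-width padding and Greek/Cyrillic look-alike letters before comparing symbols. The token registry, the sample transfer history and the homoglyph table are constructed for illustration; the addresses are placeholders, not real deployments.

```python
import unicodedata

# Registry of tokens the wallet trusts: emitting contract address -> symbol.
# Constructed for this example; placeholder addresses, not real deployments.
KNOWN_TOKENS = {
    "0x" + "11" * 20: "USDT",
    "0x" + "22" * 20: "USDC",
}

# Zero-width and BOM characters a spoofed symbol may be padded with.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Greek/Cyrillic capitals that render identically to Latin ones and survive NFKC.
LOOKALIKES = str.maketrans(
    {"Τ": "T", "Т": "T", "Ѕ": "S", "О": "O", "А": "A", "Е": "E", "С": "C", "Р": "P"}
)


def normalize_symbol(symbol: str) -> str:
    """Fold whitespace, zero-width padding and homoglyphs so 'USDΤ ' compares equal to 'USDT'."""
    s = unicodedata.normalize("NFKC", symbol)
    s = "".join(ch for ch in s if ch not in ZERO_WIDTH and not ch.isspace())
    return s.translate(LOOKALIKES).upper()


def classify(event: dict) -> str:
    """
    Classify one decoded ERC-20 Transfer event from a wallet's history.

    'legit'   - emitted by a registered token contract
    'spoof'   - symbol folds to a registered token's symbol, but the emitter is a different contract
    'unknown' - neither the emitter nor the symbol is registered
    """
    by_addr = {addr.lower(): sym for addr, sym in KNOWN_TOKENS.items()}
    registered_symbols = set(by_addr.values())
    emitter = event["address"].lower()
    if emitter in by_addr:
        return "legit"
    if normalize_symbol(event["symbol"]) in registered_symbols:
        return "spoof"
    return "unknown"


def scan(history: list[dict]) -> list[tuple[str, str]]:
    """Return (verdict, emitter address) per event; 'spoof' is what the wallet should hide or warn on."""
    return [(classify(e), e["address"]) for e in history]


# Constructed sample history (not real chain data); fields mirror a decoded Transfer log.
WALLET = "0x" + "ff" * 20
SAMPLE_HISTORY = [
    # genuine transfer from the registered USDT contract
    {"address": "0x" + "11" * 20, "symbol": "USDT", "from": "0x" + "aa" * 20, "to": WALLET, "value": 1_000_000_000},
    # same symbol, but emitted by an unregistered contract
    {"address": "0x" + "de" * 20, "symbol": "USDT", "from": "0x" + "aa" * 20, "to": WALLET, "value": 1_000_000_000},
    # Greek capital Tau plus a zero-width space in the symbol
    {"address": "0x" + "ba" * 20, "symbol": "USD\u03a4\u200b", "from": "0x" + "ab" * 20, "to": WALLET, "value": 5_000_000},
    # unrelated token the registry knows nothing about
    {"address": "0x" + "33" * 20, "symbol": "FOO", "from": "0x" + "cc" * 20, "to": WALLET, "value": 42},
]

if __name__ == "__main__":
    for verdict, emitter in scan(SAMPLE_HISTORY):
        print(f"{verdict:8} {emitter}")
```

The point of keying on the emitter address is that a fake contract controls everything else in the event: it can emit a Transfer with any sender, recipient and amount it likes, and its `symbol()` can return whatever string it wants. The only field it cannot forge is its own address in the log.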
Cryptography 101: Building Blocks for Blockchain Security by OpenZeppelin.
Huff Basics - Video introduction to Huff by OpenZeppelin.
NFT attacks by Volodya.
Exploring ERC-4626: A Security Primer by Sina Pilehchiha (Zellic).
How we rescued funds from a bricked Safe with EIP-1271 by ydeployooor (Yearn).
A Guide to Ethereum Gas Fees and Ways to Reduce Them by Neptune Mutual.
Etherscan Code Reader - an AI-assisted tool that retrieves and explains the source code of a given contract address.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.