Dear reader,
This week brought concerning news of a lawsuit targeting one of the respected figures in our industry, ZachXBT. As Zach described it, this case resembles David vs Goliath, with the plaintiff, Machi Big Brother, wielding significant financial resources to advance their agenda while putting one of the industry's few good actors at risk.
Speaking of malicious actors, the Euler attacker seems determined to stay in the spotlight. First, they revealed their location, followed by their Twitter handle and name. Regardless of any deals made with Euler, it seems they are eager to have their day in court shortly after the conclusion of the Eisenberg case.
There were nine notable compromises resulting in nearly $23 million in losses. The majority of these losses stemmed from the hack of Floating Point Group (FPG), a centralized crypto prime broker. The Hashflow hack was particularly intriguing, with the attacker stealing $600k and setting up a contract where users could recover their stolen assets with an optional donation. Hopefully, this doesn't become a new iteration of the trend of "whitehats" extorting donations from their victims. On a positive note, the attacker shared the complete source code for their exploit contract, making it an interesting case study. The DEPUSDT incident was embarrassing, as $100k was lost due to an exposed approval function without proper access control.
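The DEPUSDT bug class (a function that sets token allowances on behalf of the contract but can be called by anyone) is worth seeing side by side with its fix. The following is an added illustration written for this issue, not DEPUSDT's own code (which the newsletter does not reproduce); the contract, function and error names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Constructed example of the bug class: the contract holds user tokens, and
/// approveSpender() is reachable by any caller. An attacker can grant their own
/// address an allowance over the contract's balance and drain it with
/// transferFrom() in a second transaction.
contract VulnerableTokenHolder {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Missing access control: no modifier, no msg.sender check.
    function approveSpender(address spender, uint256 amount) external {
        token.approve(spender, amount);
    }
}

/// Hardened version of the same contract. Only the owner may set allowances,
/// the zero address is rejected, the ERC-20 return value is checked, and the
/// action is logged so allowance changes show up in monitoring.
contract HardenedTokenHolder {
    IERC20 public immutable token;
    address public owner;

    event SpenderApproved(address indexed by, address indexed spender, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error ApproveFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function approveSpender(address spender, uint256 amount) external onlyOwner {
        if (spender == address(0)) revert ZeroAddress();
        // Some tokens return false instead of reverting; treat both as failure.
        if (!token.approve(spender, amount)) revert ApproveFailed();
        emit SpenderApproved(msg.sender, spender, amount);
    }
}
```

The review check this encodes is simple to apply to any contract that custodies tokens: list every external or public function that reaches `approve`, `transfer` or `transferFrom` on a token the contract holds, and confirm each one is gated by an authorization check on `msg.sender`. Emitting an event on allowance changes also gives defenders something to alert on if a privileged key is ever misused.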
In terms of vulnerabilities, stack overflow and infinite loop vulnerabilities were discovered in the Move programming language used on Sui and Aptos chains. Additionally, a reward manipulation bug was found in OpenZeppelin's MerkleProof library.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Crypto Detective ZachXBT Faces Defamation Lawsuit. Following the news, the community rallied behind Zach by donating over $1m to his defense fund. Unfortunately, the damage was already done, as the lawsuit exposed ZachXBT's real name, inviting extortion attempts. Please be safe!
The truth of The Red Guild - The true lore of The Red Guild, and why it matters for Ethereum.
Avraham Eisenberg's criminal trial set for December 4 following SEC’s market manipulation charges from earlier this year.
Euler hacker returns with cryptic messages: ‘Don’t be stupid. Don’t steal’.
Cryptocurrency Mining Pools and Money Laundering: Two Real World Examples by Chainalysis.
Enterprise Ethereum Alliance (EEA) EthTrust Security Levels Specification (Editor’s Draft).
Scams
School kids are stealing millions of dollars of NFTs — to buy Roblox skins.
Reports of a new transaction phishing variant called Sleepdropping which mimics token transfers with similarly named fake token contracts.
Malware
Media
Cryptography 101: Building Blocks for Blockchain Security by OpenZeppelin.
Huff Basics - Video introduction to Huff by OpenZeppelin.
Research
Leveraging Machine Learning for Multichain DeFi Fraud Detection.
NFT attacks by Volodya.
Uncovering a High Severity Access Control Vulnerability: Lessons from Auditing Contests by Johnny Time.
Exploring ERC-4626: A Security Primer by Sina Pilehchiha (Zellic).
Without the Foundation of Web2 Security, There Is No Web3 Security by Numen.
How we rescued funds from a bricked Safe with EIP-1271 by ydeployooor (Yearn).
A Guide to Ethereum Gas Fees and Ways to Reduce Them by Neptune Mutual.
Tools
Arbiter - EVM Logic Simulator for Security and Performance Testing by Spearbit.
Etherscan Code Reader - a tool that leverages the power of AI to provide users with the ability to retrieve and interpret the source code of a specific contract address.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content