BlockThreat - Week 25, 2023
Euler | PlugwalkJoe | Astaria | Shido | Baby Doge | Z-Era
Greetings!
It’s never a dull week in blockchain security. The Euler Finance hacker decided to now fully reveal himself including his full name, twitter and instagram accounts. Read more about the Frederico in the exclusive interview linked in the News section. Speaking of criminals, PlugwalkJoe has now been officially sentenced to 5 years in jail for his role in the mass SIM swapping spree.
This week also features a number of great reports including Mandiant’s M-Trends covering North Korea’s crypto-related operations, research articles with the latest smart contract auditor tips and tricks, and plenty of tools to boost your capabilities.
There were a few notable compromises totaling almost $650k in losses. Astaria white hat hack was particularly curious. While no funds were stolen, uninitialized proxy contracts can be deadly to your protocol’s survival. Other protocols like Baby Doge (again), Shido, and others suffered from the more traditional price oracle and reward manipulation classes of attacks.
To gain access to detailed write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
DeFi Security Summit - July 15, 2023.
Blockchain Security Summit 2023 - October 5, 2023.
News
Euler Finance attacker revealed their full name, social media accounts.
Five US enforcement agencies form new digital currency anti-crime task force.
Israeli authorities seize crypto from terror organizations, credit new technology.
M-Trends Special Report 2023 by Mandiant including the latest analysis of crypto stealers, North Korean crypto-related operations, and other topics.
Typologies Report 2023 for Law Enforcement by Elliptic.
Crime
Scams
$1.25 million stolen in NFT Airdrop Phishing Scam linked to Inferno Drainer by Scam Sniffer.
A $60 million wallet theft. Beosin KYT Reveals the Hackers’ Money Laundering Tactics used by Atomic Wallet attackers.
Vires Finance on WAVES rug pull investigation by Wazz.
Slingshot Twitter account compromised and used to phish users with Pink Drainer by Scam Sniffer.
Malware
Contests
Decently Safe Defi by toastedsteaksandwich.
Media
We Crack a Hardware Wallet LIVE!! (w/ Hardisk) by Unciphered.
Research
Lowest-paying findings on Code4rena and Sherlock by Volodya.
Auditors: what do you ask developers? by tincho.
The Role of Access Control in Solidity Smart Contracts by Paweł Kuryłowicz (Composable Security).
One more problem with ERC777 by Daniil Ogurtsov (MixBytes).
BRC20 protocol gotchas by bytes032.
Awesome Tezos Security by Sm4rty.
Solidity Gas Optimizations 101 by 0xlchigo.
The Ultimate Guide to Supply Chain Security in the Web3 Industry by Slowmist.
BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack.
Tools
Enso Transaction Simulator - Ethereum transaction simulator leveraging Foundry's codebase.
BrokenToken - a tool designed to automatically test smart contracts that interact with ERC20 tokens for unexpected behavior that may result in exploits.
mev-share-rs - ust utils for MEV-share.
Alloy - Fast, battle-tested and well-documented building blocks for Ethereum, in Rust.
Releasing Reth! by Georgios Konstantopoulos (Paradigm).
SmartBugs - A Framework for Analysing Ethereum Smart Contracts.
Titanoboa - A Vyper interpreter with pretty tracebacks, forking, debugging features and more!
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.