Greetings!
Almost $75M was stolen this week across 7 incidents. This week's incidents continue the trend in which the majority of losses have little to do with smart contracts. An insider threat (Holograph), compromised web2 infrastructure (CoinStats), and a hot wallet compromise (BTCTurk) all serve as a reminder to start paying more attention to security controls beyond smart contract audits. Even the Ethereum Foundation was affected after its mailing list provider (SendPulse) was compromised and used to send phishing emails.
Interestingly, several of the earlier private key compromises, such as CoinsPaid and Alex Lab, have recently been attributed to the infamous Lazarus Group. More than a few of this week's hacks will soon join the growing list of North Korean victims as well.
On the bright side, this week features an excellent collection of research articles covering vulnerability research and tools as well as on-chain investigations. So I hope you can take a break from incidents and catch up on the latest in blockchain security.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out the Sectemplates initiative by Robert Auger in the Tools section which distills decades of traditional security into actionable templates and checklists. Let’s dive into the news!
Events
SecureFi 2024 - July 8-11. Brussels, Belgium.
News
Crime
Inside a Violent Gang's Ruthless Crypto-Stealing Home Invasion Spree. The same actor was previously arrested for attempted murder.
Colorado man pleads guilty in crypto investment fraud scheme.
Two arrests connected to suspected illegal £1 billion cryptoasset business.
Durham cryptocurrency theft case: man guilty in Greensboro - CBS17.com.
Policy
Phishing
Ethereum Foundation Warns of Compromised Mailing List Leading to Phishing Emails.
TON ecosystem flooded with phishing attacks, SlowMist warns.
Deepfakes of Elon Musk are pushing crypto giveaway scams on YouTube Live.
Scams
Media
Research
DeFi Security Breaches: Comprehensive Root Cause Analysis by SunWeb3Sec compiles 200+ incidents since 2021 in a Notion database.
The Dark Side of Crypto: zkSync Recovery Operation by armutbey.
Avalanchego RPC DoS vulnerability by jinu.
How to Write a Detector in Aderyn Step by Step by Zealynx Security.
Finding Denial of Service Bugs At Scale With Invariant Tests by Antonio Viggiano.
Finding mispriced opcodes with fuzzing by Max Ammann (Trail of Bits).
Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models by Sergei Glazunov and Mark Brand (Google Project Zero).
Ethereum Protocol Security Research team mission and research page.
Understanding Ethereum Mempool Security under Asymmetric DoS by Symbolized Stateful Fuzzing.
Tools
Introduction to the incident response release pack 1.0 by Robert Auger.
Introduction to the external penetration testing program pack 1.0 by Robert Auger.
zkSync-Paymaster-RescuETH - Paymaster contracts used to rescue zkSync airdrops from exploited wallets, by the RescuETH team.
Releasing Alloy 1.0 by Georgios Konstantopoulos, James Prestwich, Matthias Seitz, DaniPopes, Yash Atreya, Zerosnacks, Enrique Ortiz. Alloy is a complete ecosystem of extensible and well-documented libraries for interacting with Ethereum.
XSCAN - smart contract similarity and feature extraction. Continuously monitors deploys on mainnet, L2s, and testnets.
Sandwiched.me - Real-time Solana sandwich monitor.
urlDNA - a website analysis tool designed to provide detailed insights into URLs.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content