Greetings!
Almost $75M was stolen this week across 7 incidents. This week's incidents continue the trend where the majority of losses have little to do with smart contracts. Insider threat (Holograph), web2 infrastructure (CoinStats), and hot wallet compromise (BTCTurk) all serve as a reminder to start paying more attention to security controls outside of smart contract audits. Even the Ethereum Foundation was impacted after their mailing list dependency (SendPulse) was compromised to send phishing emails.
Interestingly, a lot of the previous private key related compromises, such as CoinsPaid and Alex Lab, have recently been attributed to the infamous Lazarus group. More than a few of this week's hacks will soon join the growing list of North Korean victims as well.
On the bright side, this week features an excellent collection of research articles covering vulnerability research and tools, as well as on-chain investigations. So I hope you can take a break from incidents and catch up on the latest in blockchain security.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh, and be sure to check out the Sectemplates initiative by Robert Auger in the Tools section, which distills decades of traditional security practice into actionable templates and checklists. Let's dive into the news!