BlockThreat - Week 26, 2023
JOKERSPY | PolyNetwork | Huobi | Themis | Biswap | Unagi
We are halfway through the year, so we have a number of reports on the state of DeFi security. The total assets lost decreased compared with the same period last year, from about $2b in H1 2022 to under $1b in H1 2023, which makes sense considering we are in a bear market. However, the number of recorded incidents went up, meaning that not only did attackers get more experienced, but so did our compromise detection capabilities.
An unfortunate turn of events for Huobi, which took a year to plug a leak in its AWS infra that exposed customer trades, assets and other data and allowed anyone to change them. The vulnerability was reported by Aaron Phillips back on June 12, 2022; strangely, his blog post detailing the timeline and details of the breach was taken down.
More than $10.5m was stolen from DeFi projects this week, mostly in the PolyNetwork compromise spanning multiple chains, where the attacker was able to mint arbitrary tokens using compromised private keys. The attack could have been much worse: $35b worth of BNB/BUSD was minted on the Metis chain, which the attacker could not bridge due to limited liquidity. Other compromises, like Biswap and Themis, were the usual logic error/price oracle manipulation exploits, while Unagi had to self-hack after discovering an access control exploit.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Stay safe and come by to my talk on The State of DeFi Security - 2023 if you are attending the DeFi Security Summit next week. Let’s dive into the news!
2023 Mid-Year Blockchain Security and AML Report by Slowmist.
De.Fi Rekt Report: Over $204m Lost in Q2 2023. The report also observes the decrease in monetary losses while seeing a 7x increase in incident count.
Illicit Crypto Ecosystem Report by TRM. According to the report, Tron appears to be the preferred chain for terrorist financing.
NFT theft stats in June by Peckshield. $2.27m stolen, with half of the NFTs sold on Blur/OpenSea within two hours.
Attack Deep Dive: Hard RugPull by Forta.
Reports of rise in scams targeting Azuki ecosystem.
Initial research exposing JOKERSPY by Elastic discusses a new malware used to infect an exchange in Japan.
Meduza Stealer: What Is It & How Does It Work? by Uptycs discusses a “comprehensive” password manager and crypto wallet stealer.
Open Research Problems in Rollup Design by Ethereum Engineering Group.
Mempool Masterclass - Mempool Monitoring 101 by Blocknative.
Security risks due to exchange rate manipulation of ibToken by ChainLight.
The zero-knowledge attack of the year might just have happened, or how Nova got broken by David Wong on a false proof attack in Nova.
You're writing require statements wrong - A new pattern for DeFi Smart Contract Security by Brock Elmore (Nascent).
Why Your Web3 Project Needs A Bug Bounty Program by Consensys Diligence.
Differential Fuzzing On Solidity Fixed-Point Libraries by 0xNorman (Ventral Digital).
Shared Vulnerabilities Between ERC-4626 Vaults and Vault-Like Contracts: Deep Dive Part 1 and Part 2 by Alexis Williams (Arbitrary Execution).
Huff Style Guide by Jtriley.
raw-tx - A script to generate a signed raw transaction with ethers by pcaversaccio.
reth-db-py - Python package allowing you to interact with the Reth DB via Python by gibz104.
Introducing Silverback - A Platform for Web3 Bots by ApeWorX.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.