BlockThreat - Week 27, 2023
Multichain | Arcadia | Azuki | Rodeo | Kraken
What a wild week! Almost $128m were stolen this week across 9 incidents!
The Multichain compromise accounts for most of it with another private key compromise. Not a good trend for bridge security with PolyNetwork key compromise last week and now this. Protocol admins were able to halt the protocol, but not before $127m were gone. Multichain (aka Anychain) appeared several times in this newsletter before with multi-million hacks. However, the recent news of force majeure may have been the early warning we should have heeded.
Other protocols such as Bao Community, Bamboo AI and LUSD experienced the more traditional price oracle manipulation attacks, while Arcadia Finance got hit with reentrancy. The Azuki DAO hack was interesting to analyze with a rare signature replay exploit, while an unfortunate AAVE fork on Multi chain experienced a good ole’ governance takeover.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Things are no easier on the phishing side, where multiple Twitter account takeovers via SIM swapping ended up costing users $750k in stolen NFTs. Attackers also got more creative by abusing gas tokens coupled with fake approvals.
Oh and be sure to check out this week’s collection of research articles and latest tool listings for on-chain analysis and smart contract audits.
Let’s dive into the news!
He Got Arrested in Russia for a Bitcoin Bribe. Now the Coins Are Moving to Exchanges. I guess he forgot to share the pot with his superiors.
The State of Web3 Security (Q1 + Q2) 2023 by QuillAudits.
Latest phishing scam abuses gas tokens to steal ETH using fake approvals.
Oak Security CTF - July 10-17, 2023.
BlockSplit - Behind the Scenes of Smart Contract Security Reviews by Engn33r.
Unchained - Circuit Breakers: Is ERC-7265 the Solution dApps Were Waiting For? with Philippe Dumonet.
Guide To Advanced Calldata | Everything You Need To Know by Owen Thurm.
Cryptocurrency & NFT OSINT - Introduction to Web3/Ethereum Profiling & Deanonymization by Patrick Ventuzelo and Tanguy Laucournet.
Account Abstraction. Auditor’s View by Dmitri Zakharov (MixBytes).
Spearbit Armory - A one-stop shop for blockchain security researchers looking for educational material and alpha to level-up and get an edge on competition.
Bridge Hacks List by Chris Whinfrey.
Awesome Web3 AI Security by Joran Honig.
Awesome Threat Intelligence by hslatman.
A comprehensive overview of smart contract audit tools by RareSkills.
Utilities of Tracing Blockchain Transactions by Neptune Mutual.
circom-mutator - a mutation testing tool designed for the circom programming language.
cryo - the easiest way to extract blockchain data to parquet, csv, or json.
Upgradehub - smart contract upgrade code differ.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.