Blockchain Threat Intelligence

BlockThreat - Week 27, 2023

Multichain | Arcadia | Azuki | Rodeo | Kraken

Peter Kacherginsky
Jul 11, 2023

What a wild week! Almost $128m was stolen this week across 9 incidents!

The Multichain compromise accounts for most of it, with another private key compromise. Not a good trend for bridge security, with the PolyNetwork key compromise last week and now this. Protocol admins were able to halt the protocol, but not before $127m was gone. Multichain (aka Anychain) has appeared several times in this newsletter before with multi-million hacks. However, the recent news of force majeure may have been the early warning we should have heeded.

Other protocols such as Bao Community, Bamboo AI, and LUSD experienced the more traditional price oracle manipulation attacks, while Arcadia Finance got hit with reentrancy. The Azuki DAO hack was interesting to analyze, with a rare signature replay exploit, while an unfortunate AAVE fork on Multi chain experienced a good ole’ governance takeover.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Things are no easier on the phishing side, with multiple Twitter account takeovers using SIM swapping that ended up costing users $750k in stolen NFTs. Attackers also got more creative by abusing gas tokens coupled with fake approvals.

Oh and be sure to check out this week’s collection of research articles and latest tool listings for on-chain analysis and smart contract audits.

Let’s dive into the news!

News

  • Kraken Co-Founder Jesse Powell Under Federal Investigation on Claims of Hacking, Cyberstalking Non-Profit.

  • He Got Arrested in Russia for a Bitcoin Bribe. Now the Coins Are Moving to Exchanges. I guess he forgot to share the pot with his superiors.

  • Bitfinex, US Homeland Security recover and return more than $300,000 from 2016 hack.

  • UK Lords Pass Bill to Help Seize and Freeze Crypto Used for Crime.

  • HACK3D: The Web3 Security Quarterly Report - Q2 2023 by CertiK.

  • The State of Web3 Security (Q1 + Q2) 2023 by QuillAudits.

  • Bank of International Settlements plans to protect CBDCs from DeFi cyber attacks called Project Polaris.

  • Critical TootRoot bug lets attackers hijack Mastodon servers.

Scams

  • Latest phishing scam abuses gas tokens to steal ETH using fake approvals.

  • Gutter Cat Gang, Aptos, LayerZero CEO Twitter accounts hacked. More than $750k was stolen by someone using SIM swapping to take over accounts.

  • Gutter Cat Gang Twitter Hacked, At Least $750K Worth of NFTs Swiped.

  • How Ransomware Groups Rely On Cheap (Stolen) Data to Launch Extortion Campaigns by TRM.

  • Crypto developer commits $2M rug pull fraud to fuel gambling addiction.

  • The crypto scam that wasn’t: 2 teens reportedly stole $4.2 million in Bitcoin and Ethereum. Police say it never happened.

Malware

  • Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer — A New macOS Infostealer Malware.

Contests

  • Oak Security CTF - July 10-17, 2023.

Media

  • BlockSplit - Behind the Scenes of Smart Contract Security Reviews by Engn33r.

  • Unchained - Circuit Breakers: Is ERC-7265 the Solution dApps Were Waiting For? with Philippe Dumonet.

  • Guide To Advanced Calldata | Everything You Need To Know by Owen Thurm.

Research

  • Cryptocurrency & NFT OSINT - Introduction to Web3/Ethereum Profiling & Deanonymization by Patrick Ventuzelo and Tanguy Laucournet.

  • With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum.

  • Account Abstraction. Auditor’s View by Dmitri Zakharov (MixBytes).

  • Pre-deployment Analysis of Smart Contracts -- A Survey.

  • Spearbit Armory - A one-stop shop for blockchain security researchers looking for educational material and alpha to level-up and get an edge on competition.

  • Question until it crashes - A question-driven approach to review code that led to uncover a bug in Lido's oracles by tincho.

  • Bridging Databases Part 1 and Part 2 by Patrick McCorry.

  • Bridge Hacks List by Chris Whinfrey.

  • Awesome Web3 AI Security by Joran Honig.

  • Awesome Threat Intelligence by hslatman.

Tools

  • A comprehensive overview of smart contract audit tools by RareSkills.

  • Utilities of Tracing Blockchain Transactions by Neptune Mutual.

  • circom-mutator - a mutation testing tool designed for the circom programming language.

  • cryo - the easiest way to extract blockchain data to parquet, csv, or json.

  • Upgradehub - smart contract upgrade code differ.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

