What a wild week! Almost $128m was stolen this week across 9 incidents!
The Multichain compromise accounts for most of it with yet another private key compromise. Not a good trend for bridge security, with the PolyNetwork key compromise last week and now this. Protocol admins were able to halt the protocol, but not before $127m were gone. Multichain (aka Anychain) has appeared in this newsletter several times before with multi-million hacks. However, the recent news of force majeure may have been the early warning we should have heeded.
Other protocols such as Bao Community, Bamboo AI, and LUSD experienced the more traditional price oracle manipulation attacks, while Arcadia Finance got hit with reentrancy. The Azuki DAO hack was interesting to analyze with a rare signature replay exploit, while an unfortunate AAVE fork on Multi chain experienced a good ole’ governance takeover.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Things are no easier on the phishing side, with multiple Twitter account takeovers via SIM swapping that ended up costing users $750k in stolen NFTs. Attackers also got more creative by abusing gas tokens coupled with fake approvals.
Oh and be sure to check out this week’s collection of research articles and latest tool listings for on-chain analysis and smart contract audits.
Let’s dive into the news!
News
He Got Arrested in Russia for a Bitcoin Bribe. Now the Coins Are Moving to Exchanges. I guess he forgot to share the pot with his superiors.
Bitfinex, US Homeland Security recover and return more than $300,000 from 2016 hack.
UK Lords Pass Bill to Help Seize and Freeze Crypto Used for Crime.
HACK3D: The Web3 Security Quarterly Report - Q2 2023 by CertiK.
The State of Web3 Security (Q1 + Q2) 2023 by QuillAudits.
Bank of International Settlements plans to protect CBDCs from DeFi cyber attacks called Project Polaris.
Critical TootRoot bug lets attackers hijack Mastodon servers.
Scams
Latest phishing scam abuses gas tokens to steal ETH using fake approvals.
Gutter Cat Gang, Aptos, LayerZero CEO Twitter accounts hacked. More than $750k were stolen by someone using SIM swapping to take over accounts.
Gutter Cat Gang Twitter Hacked, At Least $750K Worth of NFTs Swiped.
How Ransomware Groups Rely On Cheap (Stolen) Data to Launch Extortion Campaigns by TRM.
Crypto developer commits $2M rug pull fraud to fuel gambling addiction.
Malware
Contests
Oak Security CTF - July 10-17, 2023.
Media
BlockSplit - Behind the Scenes of Smart Contract Security Reviews by Engn33r.
Unchained - Circuit Breakers: Is ERC-7265 the Solution dApps Were Waiting For? with Philippe Dumonet.
Guide To Advanced Calldata | Everything You Need To Know by Owen Thurm.
Research
Cryptocurrency & NFT OSINT - Introduction to Web3/Ethereum Profiling & Deanonymization by Patrick Ventuzelo and Tanguy Laucournet.
With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum.
Account Abstraction. Auditor’s View by Dmitri Zakharov (MixBytes).
Spearbit Armory - A one-stop shop for blockchain security researchers looking for educational material and alpha to level-up and get an edge on competition.
Bridge Hacks List by Chris Whinfrey.
Awesome Web3 AI Security by Joran Honig.
Awesome Threat Intelligence by hslatman.
Tools
A comprehensive overview of smart contract audit tools by RareSkills.
Utilities of Tracing Blockchain Transactions by Neptune Mutual.
circom-mutator - a mutation testing tool designed for the circom programming language.
cryo - the easiest way to extract blockchain data to parquet, csv, or json.
Upgradehub - smart contract upgrade code differ.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content