Hey folks,
Almost $8.5M was stolen this week across 5 incidents, with the majority coming from a single supply chain incident on the Bittensor network. Let’s take a closer look, but first a quick word from this week’s sponsor - code4rena! They have a contest coming up that is not only fun but also impactful, so be sure to check out the details below:
Are you ready for the most interesting competitive audit of the summer?
Optimism Fault Proofs are ready and will soon be deployed across the Superchain. This is mission critical code that will secure over $15bn in assets.
If you’re interested in learning how fault proofs work and doing your part to secure them, block your calendar for July 15-29.
https://code4rena.com/audits/2024-07-optimism-superchain
A number of Bittensor node operators were compromised after downloading a backdoored package from PyPI in late May. The attackers carefully planned and executed the attack, draining high-value wallets in just 9 minutes. Supply chain attacks happen. However, Bittensor’s security team really stood up to the challenge when responding to the incident:
Effective on-chain monitoring. Anomalous transactions detected and war room started within 20 minutes of the attack.
Fast triage. It took the team just 20 minutes to triage the event, determine that it was a real attack, and initiate the incident response process.
Existing incident playbooks. The team knew exactly how to stop the bleeding by putting the chain in the “safe mode”.
Tracking funds. Engaged exchanges to track and freeze stolen funds.
Capable investigators. Successfully narrowed down the victim set and identified the supply chain attack in just a day.
Thorough. Kicked off code reviews of all repos and is not rushing the relaunch.
Great communication. Continuous updates on Twitter, Telegram and Discord throughout the incident and in-depth post-mortems available daily.
The above is probably as good a response as one could hope for. However, in a field where exploits play out in minutes, human-centric response will often lag behind, while automated response is not yet mature enough to be fully trusted with major on-chain events.
The other concern one might raise with the incident is the centralized control exercised by the Bittensor team. The same issue is frequently raised around Ethereum L2s and side chains. In fact, only a month earlier Linea halted the chain to respond to the $7M Velocore compromise.
It’s a tricky subject with extreme views on both sides of the argument. Building an emergency lever like Bittensor’s “safe mode” to buy precious time for incident responders could actually raise user trust. Centralization risk could be addressed by sufficiently distributing who can pull the lever or, better still, by deploying it as an automated circuit breaker that trips when a critical on-chain invariant is broken (e.g. asset supply just doubled through an unauthorized mint).
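To make the "automated circuit breaker on a broken invariant" idea concrete, here is an added example of an off-chain monitor in Python. It is not Bittensor's code and not part of the original post; the block feed, the `treasury`/`attacker` addresses, the 1% per-block mint ceiling and the 50% drain threshold are all constructed assumptions. It replays per-block snapshots, checks that every change in total supply is explained by mint events and stays under a rate limit, flags a watched wallet losing most of its balance in a single block (the kind of anomaly the Bittensor team spotted by hand), and trips a "safe mode" callback on the first critical alert.

```python
"""Illustrative invariant monitor with an automated circuit breaker.

Added example, not Bittensor's own tooling. Block data, addresses and
thresholds below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ZERO = "0x0"  # constructed convention: a transfer from ZERO is a mint


@dataclass
class Transfer:
    sender: str
    receiver: str
    amount: int


@dataclass
class Block:
    number: int
    total_supply: int  # supply reported by the chain after this block
    transfers: List[Transfer] = field(default_factory=list)


@dataclass
class Alert:
    block: int
    rule: str
    detail: str
    critical: bool


class InvariantMonitor:
    """Replays blocks, checks invariants and trips a circuit breaker."""

    def __init__(self, balances: Dict[str, int], watched: List[str],
                 max_mint_ratio: float = 0.01, max_drain_ratio: float = 0.5,
                 trip: Optional[Callable[[Alert], None]] = None):
        self.balances = dict(balances)      # balances known at start of replay
        self.watched = set(watched)         # high-value wallets to watch
        self.max_mint_ratio = max_mint_ratio
        self.max_drain_ratio = max_drain_ratio
        self.trip = trip                    # "safe mode" hook, called once
        self.safe_mode = False
        self.tripped_at: Optional[int] = None
        self.last_supply: Optional[int] = None

    def process(self, block: Block) -> List[Alert]:
        alerts: List[Alert] = []
        start = dict(self.balances)
        minted = sum(t.amount for t in block.transfers if t.sender == ZERO)
        outflow: Dict[str, int] = {}
        for t in block.transfers:
            if t.sender != ZERO:
                self.balances[t.sender] = self.balances.get(t.sender, 0) - t.amount
                outflow[t.sender] = outflow.get(t.sender, 0) + t.amount
            self.balances[t.receiver] = self.balances.get(t.receiver, 0) + t.amount

        if self.last_supply is not None:
            delta = block.total_supply - self.last_supply
            # Invariant 1: any supply change must be fully explained by mint events.
            if delta != minted:
                alerts.append(Alert(block.number, "supply-accounting",
                                    f"supply moved by {delta}, mint events total {minted}", True))
            # Invariant 2: at most max_mint_ratio of supply may be minted per block.
            if minted > self.last_supply * self.max_mint_ratio:
                alerts.append(Alert(block.number, "mint-rate",
                                    f"minted {minted} against supply {self.last_supply}", True))
        self.last_supply = block.total_supply

        # Rule 3: a watched wallet losing most of its balance in one block is anomalous.
        for addr, out in outflow.items():
            if addr in self.watched and start.get(addr, 0) > 0 \
                    and out > start[addr] * self.max_drain_ratio:
                alerts.append(Alert(block.number, "watched-drain",
                                    f"{addr} sent {out} of {start[addr]}", True))

        # Circuit breaker: the first critical alert puts the system in safe mode.
        for a in alerts:
            if a.critical and not self.safe_mode:
                self.safe_mode = True
                self.tripped_at = a.block
                if self.trip is not None:
                    self.trip(a)
        return alerts


def demo() -> Tuple[InvariantMonitor, List[Alert]]:
    """Constructed chain: a normal block reward, then a supply-doubling mint, then a drain."""
    monitor = InvariantMonitor(balances={"treasury": 400_000, "alice": 10_000},
                               watched=["treasury"],
                               trip=lambda a: print(f"SAFE MODE at block {a.block}: {a.detail}"))
    chain = [
        Block(100, 1_000_000, [Transfer("alice", "bob", 500)]),
        Block(101, 1_001_000, [Transfer(ZERO, "validator", 1_000)]),       # 0.1% reward, fine
        Block(102, 2_001_000, [Transfer(ZERO, "attacker", 1_000_000)]),    # supply doubles
        Block(103, 2_001_000, [Transfer("treasury", "attacker", 350_000)]),  # wallet drained
    ]
    alerts: List[Alert] = []
    for b in chain:
        alerts.extend(monitor.process(b))
    return monitor, alerts


if __name__ == "__main__":
    _, found = demo()
    for a in found:
        print(a)
```

In practice the `trip` hook would call whatever the chain exposes for its safe mode (a governance multisig, a pause on a bridge contract, or a paging rule that wakes the war room); the point of the example is that the decision is a pure function of on-chain state, so it fires in the block the invariant breaks rather than 20 minutes later.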
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Introducing Safe Harbor: Your Last Line of Defense Against Active Exploits. DeFi projects can now enroll on Immunefi’s Safe Harbor website.
CryptoISAC launched as a community of CeFi, DeFi, audit, infrastructure, and other cryptocurrency-related projects.
Twilio says hackers identified cell phone numbers of two-factor app Authy users. 33M Authy users should expect phishing 2FA texts in the near future.
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems.
Binance Executive's Health Deteriorates in Jail as Nigeria Money-Laundering Trial Proceeds.
Arrested Samourai Wallet co-founder to be released on bail, will contest charges.
After a 10-Year Wait, Mt. Gox Bitcoin Is Finally Being Returned.
Consensys acquires Wallet Guard to help protect MetaMask users against hacks and scams.
Thefts From Hacks and Exploits Surge in First Half of 2024 by TRM.
HACK3D: The Web3 Security Report Q2 + H1 | 2024 Edition by CertiK.
2024 Mid-year Blockchain and AML Report by CertiK.
2024 Q2 MistTrack Stolen Funds Analysis by SlowMist.
Half Yearly Security Report 2024 by QuillAudits.
Crime
Kidnappers Demand $600K in Crypto: Hong Kong Parents Forced to Pay USDT Ransom for Toddler's Return.
Man arrested with nearly $600K worth of stolen bitcoin-mining computers, police say.
Policy
Coinbase continues to fight for access to Gensler’s private emails.
Russian regulator encourages use of crypto to counter sanctions.
Digital Chamber Urges SEC to End Attacks on Crypto Industry, Embrace Future of Finance.
Phishing
blog.ethereum.org mailing list incident by Ethereum Foundation. 35k+ phishing emails were sent out with a link to a drainer.
Karma served: Pink Drainer gets hit with address poisoning scam.
Inferno Drainer is active again by SlowMist. The drainer group reportedly stopped operating in November last year.
Fake X accounts lead to record-setting crypto phishing attacks of $341 million.
Coinbase-posing scammers steal $1.7M from a user amid a string of attacks.
Another Pendle user lost $1.4 million to phishing scams by Scam Sniffer.
Sydney Sweeney, Metallica, Cyber and more celebrity and crypto X accounts compromised to distribute links to drainers.
Baiting address poisoners for profit by Nick Bax.
Details of a new scheme to steal cryptocurrency and Telegram accounts have been revealed by Kaspersky.
Scams
Malware
Media
Getting your security under Kontrol by Palina Tolmach, Runtime Verification (Russian).
Abusing the Smart Contract Verification Services for Fun and Profit by Lucas Ma (Mandarin). Paper.
Research
Safe Harbor: The Making of a New Security Standard by Mitchell Amador.
How Financial Surveillance Threatens Our Democracies Part 1 and Part 2 by Alexandre Stachtchenko.
WETH Invariant Testing tutorial using Foundry by horsefacts.
Intel TDX Security and Side Channels by Pradyumna Shome.
Traditional Security - the next frontier for Web3 Security by gmhacker.
The second preimage attack for Merkle Trees in Solidity by RareSkills.
Dual-view Aware Smart Contract Vulnerability Detection for Ethereum.
Real-time Cyberattack Detection with Collaborative Learning for Blockchain Networks.
A Context-Driven Approach for Co-Auditing Smart Contracts with The Support of GPT-4 code interpreter.
Two parser bug thread by Daniel Von Fange explores what happens when the same input is interpreted by two different implementations.
Tools
rbuilder - an Ethereum block builder written in Rust with a focus on performance, modularity, and contributor friendliness.
Manta Network and Blocksec Announce the Sequencer Threat Overwatch Program (STOP).
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content