More than $64,000,000 were stolen this week. The majority of losses came from the hot wallet compromise of AlphaPo, a cryptocurrency payment processor by a North Korean actor. The attack comes among increasing news of infrastructure and supply chain compromises like the Jump Cloud compromise, Github projects to target crypto developers, cloud services along with more direct spear phishing.

Things are not much better in the DeFi land. Conic was hit multiple time in a single day losing $3.6m with Read-only Reentrancy and Price Oracle Manipulation exploits while multiple projects on BSC reused the same vulnerable airdrop randomness generator and paid $230k for the mistake. The rest of the compromises continue the trend of Price Oracle and Reward Manipulation exploits making weekly reports blur together. Auditors, developers please focus on these two attack vectors in any part of your code that touches price data or calculates user payoffs.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

On the brighter side, last week featured a number of fantastic cryptocurrency conferences. DeFi Security Summit 2023 featured an extraordinary collection of talks on all facets of the blockchain security space from auditing and secure development to monitoring and incident response. I would recommend checking out my talk on The State of DeFi Security which features stats collected over many months of writing the newsletter including this year’s Top 10 DeFi Attack Vectors, Incident Response timelines, recommendations on how to secure our ecosystem, and a message that I hope will inspire you all to continue fighting the good fight.

And with that let’s dive into the news!

News

• Justice Department Revamps Crypto Enforcement Team. Double the number of prosecutors, a new director, and a new permanent place inside DoJ.

• Bitfinex Hack Money Launderers Plead Guilty.

• GitHub warns of Lazarus hackers targeting blockchain, cryptocurrency, and online gambling devs with malicious projects.

• Stolen Microsoft key offered widespread access to Microsoft cloud services.

• TRM Finds Mounting Evidence of Crypto Use by ISIS and its Supporters in Asia. The chain of choice for bad actors is Tron!

• Binance money processor Advcash looks like a Russian laundering op.

• UAE crypto scammer sentenced to 8 years in prison.

• Crypto whales targeted in wave of home invasions near Vancouver.

Scams

• Reports of ongoing ERC-1155 Sleepdrop scam by Forta.

• Rug pull losses reached $219m in H1 2023 according to PeckShield.

• Analysis of the $60M Anubis DAO rug pull by ZachXBT.

• Shell Protocol, PleasrDAO, Hayden Adams’ Twitter account hijacked to advertise a phishing site.

Malware

• Phylum Discovers Sophisticated Ongoing Attack on NPM.

Contests

• Secureum A-MAZE-X CTF 2023 Solutions by Patrick.

Media

• DeFi Security Summit 2023. Hard to pick a favorite talk because they were all excellent. I would recommend going through the playlist one by one. However, I would love to shill a couple of talks that myself and my colleague had a pleasure of delivering during the conference:

  • DeFi Security Summit 2023 - Session 1: DeFi Protocols 1 - Peter Kacherginsky.

  • DeFi security Summit 2023 - Session 13: Monitoring & Incident Response - Heidi Wilder.

• ETH CC 6 - 2023 featured a dedicated security track with 60 talks. There are too many to list here, but you can find individual talks in a respective Livestream Youtube link. Here are just a few that I had a chance to watch:

  • Mudit Gupta - Practical security vs theoretical security.

  • Mehdi Zerouali - Lessons from a seasoned web3 security firm.

  • Gal Sagie - You got Hacked, now What?

  • Matthias Egli & Julien Bouteloup - Top Hacks since EthCC ’22: what did we learn?

  • Daniel Von Fange - How to understand a hack.

  • Josselin Feist - Building secure contracts: Fuzzing like a pro.

  • Francisco Giordano - Incident response at OpenZeppelin Contracts and how to be in the loop.

  • Célim Starck - More Security for Mass Adoption.

• ETH Belgrade

  • Reducing smart contract hacks Panel w/ neburo, NPalinkasevic, engn33r.

  • 2 reasons why your project is getting hacked by Oliver Hörr (Hats Finance).

  • Adoption of Slither for enhancing smart contracts security by Nikita Kirillov (Pessimistic Security).

  • How we can front run crypto exploits before they happen by Evgeny Marchenko (Pessimistic Security).

  • From bytecode to bugs by Sifis Lagouvardos (Dedaub)

  • How to get the most out of your smart contract audit by Tomas Bayer ( Ackee Blockchain Security).

  • Honeypots - Hacker traps on the blockchain by Noah Jelich (Hacken).

Research

• The Top 10 Most Common Vulnerabilities In Web3 by Immunefi.

• How To Reproduce A Simple MEV Attack by Immunefi.

• Your Sandwich Is My Lunch: How To Drain MEV Contracts V2 by pepsipu (Zellic).

• Threshold Encrypted Mempools: Limitations and Considerations.

• Crypto bridges sins exposed. Exploiting weak spots of multi-chain protocols by deliriusz.

• solc Internals Part 3: Quirks & Optimizations by Tal.

• Fuzzing on-chain contracts with Echidna by Guillermo Larregay and Elvis Skozdopolj (Trail of Bits).

• A Comprehensive Guide to Arbitrum and its Security Features by Rob Behnke (Halborn).

Tools

• MetaSleuth Monitor - monitor a list of addresses for real-time funds movements.

• Transaction Allowlist - a set of supported transaction structures and conditions which will be allowed by the protocol.

• Semgrep rules for smart contracts by Decurity.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content