Greetings!
That was one heck of a week, with $250M+ stolen across 6 incidents, most of it attributed to a single hack of a centralized exchange. The worst part is that a number of the hacks were easily preventable, and in many cases the projects' owners already knew about the vulnerabilities that caused them. Let's look at a few of the more interesting ones in more detail.
The WazirX exchange hack was interesting because, unlike a traditional hot wallet drain, this one was exploited through an on-chain multi-sig hack. Attackers were able to obtain 3 of 5 signatures to upgrade the multi-sig smart contract, which led to the eventual loss of funds. Interestingly, the wallet and one additional signature were managed by a third party, Liminal. There are competing reports on exactly how the three signatures were obtained. The most likely scenario, however, is theft of two keys, with the remaining third signature obtained through a fake Liminal UI that tricked a signer into approving a seemingly benign transaction. Money laundering tactics point to North Korean actors, who have previously shown advanced off- and on-chain capabilities when targeting multi-sig wallets, such as in the Axie Infinity hack.
Following the compromise, WazirX attempted on-chain negotiation and even put up a bounty for successful identification of the attackers. Unfortunately, nation-state actors are not the right candidates for either action.
Lightning does sometimes strike the same place twice. Let's review a growing number of hacks of projects that should have known better.
LiFi users lost more than $11M due to a now familiar arbitrary call exploit. Yes, the very same exploit used against the protocol in 2022 to steal $600K from 29 wallets. Was there no one left at LiFi to remember the hack?
Another example of a hack that should not have happened is the $500K+ compromise of the UPS contract, using the very same exploit vector that was used against a different contract back in April. Again, why was there no analysis done of other vulnerable assets?
The Fractal ID verification platform hack cost 50K+ users their most private data, such as phone numbers, wallet and physical addresses, and images of government documents. The worst part is that the hack should never have happened! Attackers found credentials for a senior employee in a completely unrelated breach. Password reuse, likely missing 2FA, and special accounts that bypass other access controls are all examples of bad operational security practices.
a16z exposed AWS, Salesforce, Okta, Mailgun, and other keys in clear text on their website. A security researcher responsibly disclosed the vulnerability, but I have a strong suspicion these were stolen and used for a while.
There are more incidents this week that border on negligence, but the key here is to note an emerging trend. In our rush to ship, we have stopped not only learning from other projects' mishaps, but are now ignoring the lessons from our own hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
News
Pressure Grows in Congress to Treat Crypto Investigator Tigran Gambaryan, Jailed in Nigeria, as a Hostage just as the case won’t resume until October as judge goes on holiday and the prison doctor faces arrest. How about a prisoner exchange? A hundred Nigerian princes for a single good man.
CrowdStrike caused Windows outage chaos for airports, banks, and more.
North Korean hackers are infiltrating crypto job boards in a ‘quiet war’ that rakes in $600m. Luckily they are easy to spot.
Investors say Bitfinex, like Alameda, had negative balance override.
Gemini reaches settlement with IRA Financial Trust over $36M exploit.
Ethereum Mixer Tornado Cash Has Received Almost $2 Billion in 2024 Despite Sanctions.
Crime
Judge Refers Craig Wright for Criminal Prosecution in Bitcoin Case. Faketoshi has since updated his website with a notice admitting the lie, but who is going to compensate millions in legal fees and years of stress caused by this man weaponizing the legal system?
Introducing Chainalysis Operation Spincaster: An Ecosystem-Wide Initiative To Disrupt and Prevent Billions in Losses to Crypto Scams by Chainalysis.
Ransomware Summer: Attacks Heated up, but so Has the Global Response by TRM.
Cryptocurrency Firm Executive Admits Stealing $4.46 Million from Employer.
Hong Kong police arrest 3, seize bundles of fake banknotes after HK$3.1 million crypto scam.
U.S. Senator Who Called Bitcoin 'Ideal Choice for Criminals,' Convicted of Bribery. Gold bars were a less ideal choice for this criminal.
Policy
Phishing
Scammers target crypto services firms with Zoom malware links.
Scammer returns $9.3M DAI to victim 10 months after phishing them.
Scams
ETHTrustFund by Rekt on another $2M rug pull.
Fake ‘professors’ use phoney loans to trick victims in latest crypto scam.
Contests
Research
how to pwn a billion dollar vc firm using inspect element by xyzeva. AWS, Salesforce, Okta, Mailgun, and other keys exposed on a16z's website in clear text. Refuses to pay a bug bounty?!
Raydium Tick Manipulation Bugfix Review by Immunefi.
Ethereum Foundation Mailing List compromise root cause analysis. Using “Sign in with Google” 0day to bypass authentication flow.
Here's the story of how we whitehatted $1k from a telegram bot by deebeez.
Detect Llama -- Finding Vulnerabilities in Smart Contracts using Large Language Models.
Demystifying Invariant Effectiveness for Securing Smart Contracts.
OpenTracer: A Dynamic Transaction Trace Analyzer for Smart Contract Invariant Generation and Beyond.
Improving the Accuracy of Transaction-Based Ponzi Detection on Ethereum.
Tools
Spice - Simple python client for extracting data from the Dune Analytics API by storm (Paradigm).
rindexer - This tool allows you to index chain events using a simple YAML file, requiring no additional coding.
Reth Execution Extension (ExEx) Examples by Paradigm.
Gaboon - A fast, pythonic, Vyper smart contract testing and development framework by Cyfrin. Video tutorial by Patrick Collins.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.