Greetings!
That was one heck of a week, with $250M+ stolen across 6 incidents, most of it attributed to a single hack of a centralized exchange. The worst part is that a number of the hacks were easily preventable, and in many cases the projects’ owners already knew about the vulnerabilities behind them. Let’s look at a few of the more interesting ones in more detail.
The WazirX exchange hack was interesting because, unlike traditional hot wallet drains, this one was carried out through an on-chain multi-sig compromise. Attackers obtained 3/5 signatures to upgrade the multi-sig smart contract, which led to the eventual loss of funds. Interestingly, the wallet, along with one of the signatures, was managed by a third party, Liminal. There are competing reports on exactly how the three signatures were obtained. The most likely scenario, however, is theft of two keys, with the third signature obtained through a fake Liminal UI that got a signer to approve a seemingly benign transaction. Money laundering tactics point to North Korean actors, who have previously shown advanced off- and on-chain capabilities when targeting multi-sig wallets, as in the Axie Infinity hack.
Following the compromise, WazirX attempted on-chain negotiation and even offered a bounty for successful identification of the attackers. Unfortunately, nation-state actors are not the right audience for either action.
Lightning sometimes does strike the same place twice. Let’s review a growing number of hacks of projects that should have known better.
LiFi users lost more than $11M due to a now familiar arbitrary call exploit. Yes, the very same exploit used against the protocol in 2022 to steal $600K from 29 wallets. Was there no one left at LiFi to remember the hack?
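To illustrate the arbitrary call pattern named above, here is an added example (constructed for this post, not LiFi’s code) of a simplified hypothetical router that lets any caller pick both the target address and the calldata, next to a hardened version that restricts targets and only moves the caller’s own funds. The `IERC20` interface is the standard one; all contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard ERC-20 subset; only transferFrom is needed here.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern (constructed, hypothetical): the caller controls both the
// target and the calldata. Users approve this router to spend their tokens, so
// anyone can point `target` at a token contract and have the router spend a
// victim's allowance. This is the class of bug the newsletter refers to.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED pattern (constructed, hypothetical): an owner-maintained allowlist of
// swap targets, an explicit refusal to call any token contract users approve,
// and funds pulled only from msg.sender for an amount msg.sender chose.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget; // e.g. audited DEX routers
    mapping(address => bool) public isToken;       // tokens users approve to us

    constructor() { owner = msg.sender; }

    function setAllowed(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function setToken(address token, bool flag) external {
        require(msg.sender == owner, "not owner");
        isToken[token] = flag;
    }

    function execute(address token, uint256 amount, address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        require(!isToken[target], "cannot call token contracts");
        // Only the caller's own tokens move, and only the amount they passed in.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

Reviewing a router for any code path where `target` or `data` originate from the caller, and checking that every such path sits behind an allowlist, is the audit step that would have flagged this class of issue before deployment.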
Another hack that should not have happened is the $500K+ compromise of the UPS contract, which used the very same exploit vector seen against a different contract back in April. Again, why was no analysis done of other vulnerable assets?
The Fractal ID verification platform hack cost 50K+ users their most private data, such as phone numbers, wallet and physical addresses, and images of government documents. The worst part is that the hack should never have happened: attackers found a senior employee’s credentials leaked in a completely different breach. Password reuse, likely missing 2FA, and special accounts that bypass other access controls are all examples of poor operational security practices.
a16z exposed AWS, Salesforce, Okta, Mailgun, and other keys in clear text on their website. A security researcher responsibly disclosed the vulnerability, but I have a strong suspicion these were stolen and used for a while.
There are more incidents this week that border on negligence, but the key point is an emerging trend. In our rush to ship, we have stopped not only learning from other projects’ mishaps, but are now ignoring lessons from our own hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!