BlockThreat - Week 3, 2024
Socket | Trezor | Rocket Pool | Trust Wallet
Just a few DeFi incidents this week with the majority of losses coming from the Socket’s bridge compromise. $3.3M stolen from users who appoved their tokens to the contract as a result of an arbitrary call vulnerability in a newly introduced route. The protocol went through the usual ransom negotiation to return about 70% of assets when accounting for recent market moves. The ransom appears to be significantly more than the usual 10%. Let’s hope this doesn’t become the new norm.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
HTX and Manta Network were hit with DDoS attacks with the latter attacked during a token issuance event.
X compromises continue along with now regular airdrop phishing campaigns leading to more user losses. A single user lost $4.2M to a permit-based phishing campaign.
Trezor’s 3rd party support portal was compromised which leaked PII on 66,000 customers. Was this yet another victim of Retool hack on August 29, 2023 or beginning of another cloud compromise wave?
Let’s dive into the news!
Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat by UNODC dives into international cryptocurrency mule network, underground exchanges, and other criminal networks.
Rocket Pool X account compromised to push a phishing link.
$4.2M drained from a user with a permit-based phishing kit.
Containerised Clicks: Malicious use of 9hits on vulnerable docker hosts by Cado Security.
Ethereum Smart Contract Auditor's 2023 Rewind by Patrick Drotleff.
Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018 by p0n1 and outoflegend (SecBit).
Mr Steal Yo Crypto - Jpeg Sniper by Proxy.
Rounding Bugs: An Analysis by Robert Chen (OtterSec).
Certora vs Echidna: a case study on invariant testing in eBTC by Nicanor (All things fuzzy).
Web3 Data Tools and Tips - 2024 Annual Guide by Andrew Hong. Indexers, Explorers, Query engines, Data Transformations, and ZK reverse ETL - the key components you need to understand to navigate crypto data.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.