BlockThreat - Week 30, 2023
Vyper | Curve | JPEGd | Metronome | Alchemix | CoinsPaid | EraLend | Pond0x
This week wraps up a brutal month of ever more costly compromises. There were 37 compromises in July with more than $462m in losses. To put it in perspective there were more losses this month alone than the entire past quarter ($461m).
This week there were 11 compromises with more than $110m in losses. The Vyper compiler bug alone was used to target 6 projects across Ethereum and BSC, making up the majority of the losses. The Curve protocol had the most losses with $61m stolen ($5.4m returned by an MEV bot). The compromise itself was wild: whitehats fighting against the clock and MEV bots, a wider ecosystem impact that almost triggered a DeFi meltdown due to potential liquidations, and security companies being a bit trigger happy with disclosures. This is definitely a case study you want to read up on!
CoinsPaid revealed that it experienced a $37m hot wallet hack on the same day as AlphaPo last week. It, too, eventually named North Korean state actors as the likely culprit behind the attack.
Law enforcement agencies around the world are enhancing their blockchain investigative capabilities by creating dedicated units and hiring analysts. We have also observed a spike in physical attacks on cryptocurrency owners, with home invasions and a case of a gruesome murder.
It’s hard to find time to go through all of the research papers and panels with all the hacks and scam campaigns. So I hope you will take note of the fantastic work the blockchain security community is putting out there daily and revisit this week’s edition when we finally get a break.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Top Security Incidents and Insights from April - June 2023 by OpenZeppelin.
Reports of an ongoing email phishing campaign using x[.]com domain targets crypto projects. The campaign is made possible by missing DMARC/DKIM records in x[.]com.
Kannagi Finance $1m rugpull write up by Rekt.
DeFiLabs $1.6m rugpull write up by Rekt.
Fake Approval Scam by Zokyo.
Apple Crimeware | Massive Rust Infostealer Campaign Aiming for macOS Sonoma Ahead of Public Release by Sentinel One. The malware is capable of emptying crypto wallets and comes disguised as crypto games.
Akira Ransomware is “bringin’ 1988 back” by Sophos.
Curta Archive - a suite of helper scripts and contracts enabling users to play and solve Curta puzzles regardless of whether submissions are open or closed on mainnet.
What does a project need to do to stay secure? with Patrick Collins (Cyfrin), tincho (The Red Guild), Alejandro (Immunefi), Josselin (Trail of Bits), Or (Trust).
Exclusive 2.5 Hours NEW Interview with Pashov by Johnny Time.
The Modular Summit Recordings on all things MEV.
How to Build a Crypto Project like an Aerospace Engineer by fubuloubu.
Mainnet Re-Entrancy Flaw Exploited by Daniel Luca.
Auditor’s Notes: Semantic Grep & Solidity 2.0 by OfficerCia (Pessimistic Security).
Web3 Security Distilled 2.0 by OfficerCia.
Smart Contract Auditing Heuristics by OpenCoreCH.
Etherscan verified source code forgery by pcaversaccio.
Solady's ERC1967Factory - A Deep Dive by gmhacker.
Solidity Compilers: Memory Safety by Robert Chen (OtterSec).
Web3 DevSecOps Thread by SunSec.
Endeavors into the zero-knowledge Halo2 proving system by Consensys Diligence.
Exploring Cairo: A Security Primer by Zellic.
Zero Knowledge Mastery Library by Quillhash.
Amarna - a static-analyzer and linter for the Cairo programming language.
Etherscan Input Data Messages page with logs of on-chain messages.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.