BlockThreat - Week 30, 2023
Vyper | Curve | JPEGd | Metronome | Alchemix | CoinsPaid | EraLend | Pond0x
Greetings!
This week wraps up a brutal month of ever more costly compromises. There were 37 compromises in July with more than $462m in losses. To put it in perspective, this month alone saw more losses than the entire past quarter ($461m).
There were 11 compromises this week with more than $110m in losses. The Vyper compiler bug alone was used to target 6 projects across Ethereum and BSC, making up the majority of the losses. The Curve protocol had the largest losses, with $61m stolen ($5.4m of it returned by an MEV bot). The compromise itself was wild: whitehats racing the clock and MEV bots, wider ecosystem impact that nearly triggered a DeFi meltdown through potential liquidations, and security companies being a bit trigger happy with disclosures. This is definitely a case study you want to read up on!
CoinsPaid revealed that it experienced a $37m hot wallet hack on the same day as AlphaPo last week. It too eventually named North Korean state actors as the likely culprit behind the attack.
Law enforcement agencies around the world are enhancing their blockchain investigative capabilities by creating dedicated units and hiring analysts. We have also observed a spike in physical attacks on cryptocurrency owners, including home invasions and one gruesome murder.
It's hard to find time to go through all of the research papers and panels with so many hacks and scam campaigns going on. So I hope you will take note of the fantastic work the blockchain security community puts out daily and revisit this week's edition when we finally get a break.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
Flashbots CTF on August 5, 2023.
TrustX 2023 coming November 13-14, 2023 in Istanbul, Turkey.
News
U.S.-Listed Crypto Firms Will Need to Report Cybersecurity Breaches.
Top Security Incidents and Insights from April - June 2023 by OpenZeppelin.
An onslaught of hacks in the Web3 Ecosystem: What Security Risks to Watch out for in H2 2023? by Beosin.
Telegram crypto trading bots spark fears over security vulnerabilities.
Amid Sanctions, Bitcoin Mining Machines Are ‘Flowing’ Into Russia, as Industry Thrives.
Crime
South Korea Rolls Out Interagency Investigation Unit to Tackle Crypto Crime.
Missing millionaire crypto influencer found dismembered in suitcase.
Scams
Reports of an ongoing email phishing campaign using the x[.]com domain to target crypto projects. The campaign is possible because x[.]com publishes no DMARC (or DKIM) records, so receiving mail servers have no policy telling them to reject spoofed mail claiming to come from the domain.
Scammers pile on to impersonate Worldcoin on Twitter following token launch.
Beware of Covert Rug Pulls, Exit Scams Driven by Contract Storage Manipulation by SlowMist.
Kannagi Finance $1m rugpull write up by Rekt.
DeFiLabs $1.6m rugpull write up by Rekt.
Fake Approval Scam by Zokyo.
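The x[.]com phishing item above turns on one detail: SPF alone checks the envelope sender, which a phisher controls, while DMARC is what ties authentication to the visible From: domain and tells receivers what to do on failure. The script below is an added illustration (not from the newsletter or any of the projects it cites) that parses DMARC records and reports what a receiver would do with a spoofed message. All domain names and records are constructed sample data standing in for DNS lookups; no network access is needed.

```python
"""Evaluate how a receiver treats mail that spoofs a domain in the From: header,
based on the domain's DMARC record (RFC 7489). Sample zone data is constructed."""

# Constructed sample TXT records; None means no record is published.
SAMPLE_DNS = {
    "nodmarc.example": {"spf": "v=spf1 include:_spf.mail.example -all", "dmarc": None},
    "monitor.example": {"spf": "v=spf1 -all",
                        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@monitor.example"},
    "strict.example": {"spf": "v=spf1 ip4:203.0.113.0/24 -all",
                       "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s"},
    # Organizational domain is protected, but subdomains are explicitly left open.
    "weaksub.example": {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject; sp=none"},
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs.

    Returns None when no record exists or it is unusable (wrong version tag or
    no 'p' tag), which receivers treat the same as having no policy at all.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(tags, subdomain=False):
    """Policy the receiver applies: 'sp' governs subdomains when present, else 'p'."""
    if tags is None:
        return None
    if subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags["p"].lower()


def spoof_verdict(domain, spf_aligned_pass=False, dkim_aligned_pass=False,
                  subdomain=False, dns=SAMPLE_DNS):
    """Disposition for a message whose From: claims `domain`.

    The two flags model the DMARC inputs: an SPF or DKIM result that both
    passed AND aligns with the From: domain. A phisher sending from their own
    infrastructure gets neither, regardless of how strict the SPF record is,
    because SPF is evaluated against the envelope sender they choose.
    Returns (policy, disposition).
    """
    zone = dns.get(domain, {})
    tags = parse_dmarc(zone.get("dmarc"))
    policy = effective_policy(tags, subdomain)
    if policy is None:
        # No DMARC: nothing instructs the receiver to act on the From: domain.
        return ("missing", "deliver")
    if spf_aligned_pass or dkim_aligned_pass:
        return (policy, "deliver")  # DMARC passes if either aligned check passes
    if policy == "reject":
        return (policy, "reject")
    if policy == "quarantine":
        return (policy, "quarantine")
    return (policy, "deliver")  # p=none only generates reports


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(f"{name:20} spoof -> {spoof_verdict(name)}")
    print("weaksub.example subdomain spoof ->", spoof_verdict("weaksub.example", subdomain=True))
```

Run against the sample zones, `nodmarc.example` and `monitor.example` both let a spoofed message through even though their SPF records end in `-all`; only `strict.example` rejects it, and `weaksub.example` rejects spoofs of the apex but delivers spoofs of any subdomain because of `sp=none`. That is the gap a domain without DMARC leaves open to campaigns like the one reported.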
Malware
Apple Crimeware | Massive Rust Infostealer Campaign Aiming for macOS Sonoma Ahead of Public Release by SentinelOne. The malware is capable of emptying crypto wallets and comes disguised as crypto games.
Related: CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns and Crypto Jacking by Trend Micro.
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining.
Akira Ransomware is “bringin’ 1988 back” by Sophos.
Contests
Curta Archive - a suite of helper scripts and contracts enabling users to play and solve Curta puzzles regardless of whether submissions are open or closed on mainnet.
RACE #20 Of The Secureum Bootcamp Epoch∞ solution by Patrick.
AMM Spot the Bug Challenge and Solution by 0xfave.
Media
What does a project need to do to stay secure? with Patrick Collins (Cyfrin), tincho (The Red Guild), Alejandro (Immunefi), Josselin (Trail of Bits), Or (Trust).
Exclusive 2.5 Hours NEW Interview with Pashov by Johnny Time.
The Modular Summit Recordings on all things MEV.
Research
How to Build a Crypto Project like an Aerospace Engineer by fubuloubu.
Turn the Rudder: A Beacon of Reentrancy Detection for Smart Contracts on Ethereum.
Mainnet Re-Entrancy Flaw Exploited by Daniel Luca.
Exploiting Signature Verification Vulnerabilities in Smart Contracts by Heuss.
Collaborative Testing with Phalcon Fork — “Damn Vulnerable DeFi” as an Example by BlockSec.
Auditor’s Notes: Semantic Grep & Solidity 2.0 by OfficerCia (Pessimistic Security).
Web3 Security Distilled 2.0 by OfficerCia.
Smart Contract Auditing Heuristics by OpenCoreCH.
Etherscan verified source code forgery by pcaversaccio.
Why are you not an Elite Smart Contract Security Researcher? by gmhacker.
Solady's ERC1967Factory - A Deep Dive by gmhacker.
Solidity Compilers: Memory Safety by Robert Chen (OtterSec).
Dissecting EVM using go-ethereum Eth client implementation. Part I — transaction execution flow by deliriusz.
Dissecting EVM using go-ethereum Eth client implementation. Part II — EVM by deliriusz.
Dissecting EVM using go-ethereum Eth client implementation. Part III — bytecode interpreter by deliriusz.
Smart Contract Migration: Security Analysis and Recommendations from Ethereum to Arbitrum.
Web3 DevSecOps Thread by SunSec.
How does the False Top-up attack break through the defense of the exchange? by SlowMist.
SoK: Design, Vulnerabilities and Defense of Cryptocurrency Wallets.
Endeavors into the zero-knowledge Halo2 proving system by ConsenSys Diligence.
Exploring Cairo: A Security Primer by Zellic.
Zero Knowledge Mastery Library by Quillhash.
Tools
Amarna - a static-analyzer and linter for the Cairo programming language.
Etherscan Input Data Messages page with logs of on-chain messages.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.