Blockchain Threat Intelligence

BlockThreat - Week 31, 2023

newsletter.blockthreat.io

Curve | Bitfinex | LeetSwap | Uwerx | HVNC

Peter Kacherginsky
Aug 7, 2023
Greetings!

Finally, some much needed good news this week.

The Bitfinex saga is coming to an end with a guilty plea and an admission that Lichtenstein was indeed the one who hacked the exchange 7 years ago. A massive $20m zero transfer phishing theft was stopped in time by Tether.

More than $50m was returned by Vyper attackers to the Curve, Alchemix, and JPEGD projects. Once again, blackhats are being encouraged to turn to the light side with a significant bug bounty and maybe a bit of doxxing. A $1.85m hunt was just declared on the remaining bad actor. Good luck!

The LeetSwap protocol was hacked for $624k days before the official Base chain launch with an always unfortunate insufficient function access control exploit. Luckily, developers were able to negotiate a 10% bounty, and most of the stolen assets were returned. Two other projects were hit with price oracle manipulation exploits for a combined $367k in losses, while another anonymous contract on Arbitrum lost $846k.

macOS crypto users need to remain vigilant as two new malware strains target their wallet keys and exchange credentials.

As always, this week features a fantastic collection of research papers. I would point you to a compilation of techniques to quickly enumerate vulnerable contracts using Dune, Smart Contract Fiesta, and other projects, as well as a whitehacks toolkit for the next time you need to spin up a rescue operation. Every minute counts, as we learned from the Curve hack, where the good guys were beaten by mere minutes.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

  • Worldcoin Bug Allowed Anyone to Become Orb Operator.

  • DeFi Rekt Report - $390m Funds Lost in July 2023.

  • JPEGD and Alchemix had all of their stolen funds returned, with the attacker sending a mocking message on-chain. More than $50m was returned from the Vyper-related compromises. Only one other wallet continues to hold $18.5m in WETH and CRV tokens, refusing to accept the whitehat bounty.

  • Curve offering $1.85 million bounty for exploiter's identity (and conviction).

  • OFAC Sanctions Crypto Address Associated With ISIS.

Crime

  • Bitcoin launderer pleads guilty, admits to massive Bitfinex hack.

  • U.S. SEC Sues Richard Heart, Hex, PulseChain on Unregistered Securities, Fraud Allegations.

  • Two sentenced after Telecoin crypto scam ended by ‘Operation Curry’.

Scams

  • FBI warns of scammers posing as NFT devs to steal your crypto.

  • Monthly stolen NFT value declining alongside traders and volume.

  • Zero transfer scammer steals $20M USDT, gets blacklisted by Tether.

  • BALD $23m rugpull analysis by Rekt.

Malware

  • The Massive macOS Threats Trending in the Dark Web by Guardz. The new macOS-HVNC malware is capable of stealing crypto assets, login credentials, and other sensitive data.

  • New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets.

Contests

  • MEV-Share CTF Writeups by minaminao.

Media

  • ETH Barcelona featured a number of security related talks. Here are just a few that I had a chance to watch:

    • Security research as a public good for Ethereum - Tincho (The Red Guild).

    • The Blockchain Guardians: Safeguarding the Future of Ethereum Smart Contract Security - Luksgrin (Secureum, SpearbitDAO).

  • How to Write Better Smart Contracts By Checking Them With Slither by Troy Sargent (Trail of Bits).

Research

  • Establishing On-Chain Communication After an Incident by Slowmist.

  • Becoming a web 3 security researcher: Balancing foundations and the attacker mindset by Joran Honig.

  • Smart Contract Security Checklist.

  • Callback-Function Reentrancy Attacks in Solidity - Reenter smart contracts via standardized callbacks by r4bbit.

  • Force-feeding Smart Contract Attacks - How to influence a smart contract's internal accounting by r4bbit.

  • LSD. Integration pitfalls by Pavel Morozov (MixBytes).

  • Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report.

  • Smart Contract Security Audit: Sudoswap v2 by Giovanni Di Siena (Cyfrin).

  • Shared Vulnerabilities Between ERC-4626 Vaults and Vault-Like Contracts by Alexis Williams (Arbitrary Execution).

  • Unmasking the Phantom: The Intricate Shadow Transactions Attack Deciphered by GoPlus Security.

  • Computing a list of vulnerable Vyper contracts using Zellic’s Smart Contract Fiesta by cts.

  • Computing a list of vulnerable Vyper contracts using Dune Analytics by Patrick Collins.

  • Computing a list of vulnerable Vyper contracts using polars and parquet by banteg.

  • Gas optimization resources by Jeffrey Sholz.

Tools

  • Whitehacks Kit - A simple template to perform whitehacks safely in a single tx, leveraging Foundry and Flashbots.

  • unchained-reader - tool for reading Unchained index files.

  • solidity-audit-report-generator - a VS Code extension that automatically generates audit reports based on contest templates, ChatGPT, and // @audit comments.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


© 2023 Peter Kacherginsky