Greetings!
Finally, some much needed good news this week.
The Bitfinex saga is coming to the end with a guilty plea and an admission that Lichtenstein was indeed the one who hacked the exchange 7 years ago. A massive $20m zero transfer phishing theft was stopped in time by Tether.
More than $50m was returned by the Vyper attackers to the Curve, Alchemix, and JPEGD projects. Once again, blackhats are being encouraged to turn to the light side with a significant bug bounty and maybe a bit of doxxing. A $1.85m hunt was just declared on the remaining bad actor. Good luck!
LeetSwap protocol was hacked for $624k days before the official Base chain launch through an always-unfortunate insufficient function access control exploit. Luckily, developers were able to negotiate a 10% bounty and most of the stolen assets were returned. Two other projects were hit with price oracle manipulation exploits for a combined $367k in losses, while another anonymous contract on Arbitrum lost $846k.
macOS crypto users need to remain vigilant as two new malware strains target their wallet keys and exchange credentials.
As always, this week features a fantastic collection of research papers. I would point you to a compilation of techniques to quickly enumerate vulnerable contracts using Dune, Smart Contract Fiesta, and other projects as well as a whitehacks toolkit the next time you need to spin up a rescue operation. Every minute counts as we learned from the Curve hack where the good guys were beaten by mere minutes.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
JPEGD and Alchemix received all of their stolen funds back, with the attacker sending a mocking message on-chain. More than $50m was returned from the Vyper-related compromises. Only one other wallet continues to hold $18.5m in WETH and CRV tokens, refusing to accept the whitehat bounty.
Curve offering $1.85 million bounty for exploiter's identity (and conviction).
Crime
Bitcoin launderer pleads guilty, admits to massive Bitfinex hack.
U.S. SEC Sues Richard Heart, Hex, PulseChain on Unregistered Securities, Fraud Allegations.
Two sentenced after Telecoin crypto scam ended by ‘Operation Curry’.
Scams
FBI warns of scammers posing as NFT devs to steal your crypto.
Monthly stolen NFT value declining alongside traders and volume.
Zero transfer scammer steals $20M USDT, gets blacklisted by Tether.
BALD $23m rugpull analysis by Rekt.
Malware
The Massive macOS Threats Trending in the Dark Web by Guardz. The new macOS-HVNC malware is capable of stealing crypto assets, login credentials, and other sensitive data.
New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets.
Contests
MEV-Share CTF Writeups by minaminao.
Media
ETH Barcelona featured a number of security related talks. Here are just a few that I had a chance to watch:
Security research as a public good for Ethereum - Tincho (The Red Guild).
The Blockchain Guardians: Safeguarding the Future of Ethereum Smart Contract Security - Luksgrin (Secureum, SpearbitDAO).
How to Write Better Smart Contracts By Checking Them With Slither by Troy Sargent (Trail of Bits).
Research
Establishing On-Chain Communication After an Incident by Slowmist.
Becoming a web 3 security researcher: Balancing foundations and the attacker mindset by Joran Honig.
Force-feeding Smart Contract Attacks - How to influence a smart contract's internal accounting by r4bbit.
LSD. Integration pitfalls by Pavel Morozov (MixBytes).
Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report.
Smart Contract Security Audit: Sudoswap v2 by Giovanni Di Siena (Cyfrin).
Shared Vulnerabilities Between ERC-4626 Vaults and Vault-Like Contracts by Alexis Williams (Arbitrary Execution).
Unmasking the Phantom: The Intricate Shadow Transactions Attack Deciphered by GoPlus Security.
Computing a list of vulnerable Vyper contracts using Zellic’s Smart Contract Fiesta by cts.
Computing a list of vulnerable Vyper contracts using Dune Analytics by Patrick Collins.
Computing a list of vulnerable Vyper contracts using polars and parquet by banteg.
Gas optimization resources by Jeffrey Sholz.
Tools
Whitehacks Kit - A simple template to perform whitehacks safely in a single tx, leveraging Foundry and Flashbots.
unchained-reader - tool for reading Unchained index files.
solidity-audit-report-generator - a VS Code extension that automatically generates audit reports based on contest templates, ChatGPT, and // @audit comments.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.