Greetings!
More than $6.7M was stolen this week across four incidents, each with an unusual attack vector. Let's look at the more interesting exploits.
Blockchain-level exploits are not as rare as they used to be. Just last week we covered the $6.7M Casper Network auth bypass hack; this week the infamous Terra network was exploited to drain $6M from Astroport. What makes it worse is that the vector was well known and had been patched since April, but a recent upgrade reintroduced the vulnerable code. A few takeaways from the incident:
Short-staffed teams are more likely to take shortcuts during code review, and in blockchain security those shortcuts are deadly.
Cosmos contracts may leak user and compiler information, which is great for investigators! Who is Tuan Pa?
The Cosmos ecosystem appears to have a high incidence of chain-level vulnerabilities.
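The leak behind the "Who is Tuan Pa?" question is checkable. Below is an added example (not code from the newsletter or from the Astroport investigation) of what an investigator, or a team checking its own release artifact, would run against a CosmWasm `.wasm` binary: it parses the WebAssembly `producers` custom section, where rustc records the language and compiler version, and greps the raw bytes for absolute build paths (`/home/<user>/...`, cargo registry crate directories) that reach the binary through panic-location strings and debug info. The sample module, the user name `alice` and the crate versions in it are constructed for the demo.

```python
"""Pull build-environment leaks out of a Rust/CosmWasm .wasm binary.
Added example; the sample module at the bottom is hand-built and every
name in it (alice, cosmwasm-std-1.5.0, rustc 1.70.0) is made up.
"""
import re
from typing import Dict, List, Tuple

PATH_PATTERNS = {
    # /home/<user>/ or /Users/<user>/ gives away the builder's account name
    "home_dir": re.compile(rb"/(?:home|Users)/([A-Za-z0-9._-]+)/"),
    # ~/.cargo/registry/src/<index>/<crate>-<version>/ pins exact dependency versions
    "cargo_crate": re.compile(rb"\.cargo/registry/src/[^/]+/([A-Za-z0-9_.-]+)/"),
}


def scan_paths(blob: bytes) -> Dict[str, List[str]]:
    """Return every distinct capture for each pattern that matches the blob."""
    found = {}
    for label, pat in PATH_PATTERNS.items():
        hits = sorted({m.group(1).decode("utf-8", "replace") for m in pat.finditer(blob)})
        if hits:
            found[label] = hits
    return found


def _read_leb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 integer; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _read_name(buf: bytes, pos: int) -> Tuple[str, int]:
    """Decode a wasm 'name': LEB128 length followed by UTF-8 bytes."""
    length, pos = _read_leb128(buf, pos)
    return buf[pos:pos + length].decode("utf-8", "replace"), pos + length


def producers_section(blob: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the 'producers' custom section, if present.
    Maps field name ("language", "processed-by", "sdk") to (tool, version) pairs."""
    if blob[:4] != b"\0asm":
        raise ValueError("not a wasm binary")
    pos = 8  # skip magic + version
    while pos < len(blob):
        section_id = blob[pos]
        pos += 1
        size, pos = _read_leb128(blob, pos)
        end = pos + size
        if section_id == 0:  # custom section: name, then free-form payload
            name, p = _read_name(blob, pos)
            if name == "producers":
                fields = {}
                n_fields, p = _read_leb128(blob, p)
                for _ in range(n_fields):
                    field, p = _read_name(blob, p)
                    n_values, p = _read_leb128(blob, p)
                    values = []
                    for _ in range(n_values):
                        tool, p = _read_name(blob, p)
                        version, p = _read_name(blob, p)
                        values.append((tool, version))
                    fields[field] = values
                return fields
        pos = end
    return {}


# Constructed sample: a minimal module with a producers section and one
# data segment holding two panic-location style path strings.
def _leb128(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _name(s: str) -> bytes:
    return _leb128(len(s.encode())) + s.encode()


def _section(section_id: int, payload: bytes) -> bytes:
    return bytes([section_id]) + _leb128(len(payload)) + payload


_PRODUCERS = (_leb128(2)
              + _name("language") + _leb128(1) + _name("Rust") + _name("")
              + _name("processed-by") + _leb128(1) + _name("rustc") + _name("1.70.0"))
_STRINGS = (b"/home/alice/.cargo/registry/src/index.crates.io-0123456789abcdef/"
            b"cosmwasm-std-1.5.0/src/lib.rs\0"
            b"/home/alice/projects/dex/contracts/pair/src/contract.rs")
# data section (id 11): one active segment, offset expression i32.const 0; end
_DATA = _leb128(1) + b"\x00" + b"\x41\x00\x0b" + _leb128(len(_STRINGS)) + _STRINGS
SAMPLE_WASM = (b"\0asm\x01\x00\x00\x00"
               + _section(0, _name("producers") + _PRODUCERS)
               + _section(11, _DATA))

if __name__ == "__main__":
    print(producers_section(SAMPLE_WASM))
    print(scan_paths(SAMPLE_WASM))
```

Run it against a real artifact with `scan_paths(open("contract.wasm", "rb").read())`. On the developer side the fix is to build in a clean container (the cosmwasm/optimizer image builds under /code, so no home directory is ever in the path), to pass `--remap-path-prefix` to rustc if building locally, and to drop the `producers` section from release builds (Binaryen's `wasm-opt --strip-producers` does this).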
The Compound Finance governance attack resembles a corporate hostile takeover more closely than a security exploit, but it is still an interesting case study in protecting DeFi governance. Without timelocks and execution delays for governance proposals, or a "guardian" role able to veto potentially damaging transactions, the Compound ecosystem could only watch as a handful of active participants (57 voters) passed a proposal transferring $25M worth of COMP tokens. Check out AAVE's governance system, which integrates a number of security controls against exactly this scenario.
The paid version of the newsletter includes detailed indicators and post-mortems for the above incidents, as well as a bad-math exploit in Anzen Finance on Blast, a function parameter validation bug on Convergence, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Crime
U.S. Releases High-Profile Russian Hackers in Diplomatic Prisoner Exchange. The list of swapped prisoners reads like a who's who of Russian cybercrime and espionage, including Alexander Vinnik (BTC-e), Roman Seleznev (Track2), Vladislav Klyushin (M-13), and others.
10 arrested, more than 100 charges laid in Toronto SIM swap fraud investigation.
Hong Kong Police Arrest Quartet Accused of Using Counterfeit Banknotes to Swindle Crypto Traders.
Four Arrested in Bitcoin Kidnap-Murder Case: Ukraine Police.
5 Russians arrested in crypto abduction case. A Belarusian couple in Phuket, Thailand was forced to transfer $900,000 in cryptocurrency.
SEC charges BitClout founder Nader Al-Naji with fraud; says proceeds paid for L.A. mansion, gifts.
CFTC subpoenas former company of Ben "BitBoy" Armstrong over crypto promotion.
Man Pleads Guilty to Theft After Crypto.com Refunded Him $6 Million Instead of $65.
Cryptonator founder indicted after platform found handling $235 million in illicit funds.
Phishing
FBI Warns of Scammers Impersonating Cryptocurrency Exchanges.
Crypto trap for the greedy, or how to steal from a thief by Kaspersky.
Party Royale / Party World Web3 Scam & Malware Analysis by alp1n3.eth.
Backing Up a Scam: Making Sure Malicious Websites & Binaries can still be Studied by alp1n3.eth.
Another victim of address poisoning lost $25K USDC. Almost $500K was lost to this attack in July according to Cyvers.
$117K worth of AEVO tokens stolen in an approval phishing exploit.
ZachXBT investigates suspect in Sydney Sweeney’s hack. Gurvinder Bhangu (Gurv) has previously served time in UK for hijacking Instagram accounts.
Security Guide for Securing X Accounts by SlowMist.
Inferno drainer is moving funds to Litecoin.
Ferrari exec foils deepfake attempt by asking the scammer a question only CEO Benedetto Vigna could answer. Live voice impersonation foiled by slight errors in intonation.
Scams
Wisconsin unveils tracker to fight crypto fraud and investment scams.
ZKX investors, market makers say they were blindsided by sudden shutdown.
Malware
StackExchange Abused to Spread Malicious Python Package That Drains Victims’ Crypto Wallets by Checkmarx.
Media
Web3 Security Podcast: Wallet protection and $1.7B loss due to hacks with Michael Pearl from Cyvers.
Research
Risk Analysis of Origin Forgery in the TonConnect SDK by SlowMist.
How to conduct a comprehensive security audit for projects built on TON by Beosin.
Vulnerability Detection in Ethereum Smart Contracts via Machine Learning: A Qualitative Analysis.
Security Analysis of Smart Contract Migration from Ethereum to Arbitrum.
Breaking the Balance of Power: Commitment Attacks on Ethereum's Reward Mechanism.
Impact of Conflicting Transactions in Blockchain: Detecting and Mitigating Potential Attacks.
Forge Testing Leveling by Dr Dimaz Wijaya.
How I found a critical bug thanks to my low level understanding of abi encoding by 0xKaden.
Tools
I hacked a MEV bot and you can do it too! ...and a new powerful EVM tool reveal by 0xSt1ng3R. EVM Monster - advanced transaction disassembler and debugger.
Tech stack and daily tools I use on a day-to-day basis in our MEV operation by 0xSt1ng3R.
Radar - a static analysis engine for Solana and other rust-based smart contracts by Audit Wizard.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content