Hey folks,

This week featured two critical vulnerability disclosures in wallet software. A widely used Libbitcoin library used by many OG Bitcoin users was found to have a bad PRNG which was already used to steal at least $900k so far. An MPC wallet protocol vulnerability disclosed by FireBlocks is more difficult to exploit (requires admin access), but just as deadly where a rogue admin account may compromise all wallets.

Moving further down the stack, Intel and AMD CPUs were also found vulnerable to leaking secrets (including private keys and passwords) in cloud environments. And yes this affects Intel SGX environment as well. I would update your threat model regarding key storage on your shared nodes and reach out to your cloud provider to ensure they have applied CPU microcode updates.

Almost $5.5m were stolen from various DeFi projects this week with the usual arsenal of price oracle manipulation (Zunami), reward manipulation (Cypher), reentrancy (Earning Farm), and other attack vectors. The private key theft exploit against Steadefi warrants further study as it involved a sneaky spear phishing attack with a malware payload.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

In other news, the frivolous lawsuit against ZachXBT was dismissed but at what cost? Identity exposed, stress and distraction from catching bad guys while dealing with the legal system. One thing is for sure that the community is ready and able to rally behind security researchers when needed. May be it’s time for a legal defense fund to protect lesser known researchers and investigators?

Let’s dive into the news!

News

• SEAL 911 - emergency contact to be used for responsible disclosure and web3 incident support ran by a group of whitehats including samczsun.

• Hackers used fake job interview to trigger $37M CoinsPaid hack. SentinelOne has previously reported on Operation In(ter)ception to target prospective job application in crypto industry.

• North Korean hackers stole over $180 million in crypto during H1 2023: report by Timmy Shen (The Block).

• 0day vulnerabilities in Intel (Downfall) and AMD (Zenbleed) processors allows attackers to steal encryption keys, passwords, and other sensitive data in multi-user and cloud environments. The vulnerability affects Intel SGX environment.

• 0day vulnerability in a Libbitcoin used in a popular bx tool allowed generation of new wallets with weak entropy. The vulnerability, named Milksad, was already used to drain $900k+ from Bitcoin and Ethereum wallets.

• 0day vulnerability in 15+ MPC protocols and wallet providers (BitForge) using GG-18, GG-20, and Lindell17 protocols was disclosed by Fireblocks which could allow attackers with privileged access to drain user funds.

• Machi Big Brother (Jeff Huang) withdrew defamation suit against @zachxbt after causing an irreparable damage by exposing researcher’s identity and distracting from investigative work to deal with the lawsuit.

• Hundred Finance to shut down following a series of hacks worth $13m.

Crime

• Sam Bankman-Fried Sent to Jail After Judge Revokes Bail.

• Man charged for facilitating Netwalker ransomware that stole 5,000 bitcoin. The arrest come following take down of “bulletproof” hosting provider, Lolek, by Polish and US authorities.

• South Korea arrests Bitsonic CEO for allegedly stealing $7.5M of users’ money.

• Two arrested in Rs 1000-cr crypto-ponzi scam called STA Crypto Token.

• CipherTrace expert says Chainalysis data contributed to ‘wrongful arrest’ of alleged Bitcoin Fog founder.

Scams

• Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$.

• Increase in Companies Falsely Claiming an Ability to Recover Funds Lost in Cryptocurrency Investment Scams.

• Twitter Lists crypto scams led to $870k in losses in one year.

• Reports of scammers advertising fake jobs on crypto job boards to steal crypto.

• Inferno Drainer upgrade adds new capabilities to steal ETH, ERC20, NFT assets.

• Rugpull perpetrated (now former) Uniswap employee to steal 14 ETH.

• What Is a Crypto Rug Pull? – DeFi Exploits Explained by De.Fi Security.

• Victim of 90 ETH exploit set to claw funds back after hacker was blacklisted.

• Victim loses $35K in Bitcoin to fraudsters posing as Microsoft representatives.

• Understanding the Cryptocurrency Free Giveaway Scam Disseminated on Twitter Lists.

Malware

• Kubernetes Exposed: One Yaml away from Disaster by Aqua. The report discusses a crypto jacking campaign targeting exposed K8 clusters.

Media

• Scraping Bits - E11 - Yearn Finance's Warroom: Defending Live Web3 Blackhat Hacks - With Storm0x And DeGatchi.

• Positive Hack Days - 12 - Blockchain Track

  • Cryptocurrency investigation basics by Igor Bederov.

  • Unusual vulnerabilities in Ethereum smart contracts: review and elimination, 2022 by Sergey Prilutsky (MixBytes).

  • Oracle manipulation in Web3 by Anton Nikonov (MetaZK).

Contests

• MetaTrust Singapore Web3 CTF Security Challenge - September 8 - 10, 2023.

Research

• Can you pass the Rekt test? by Trail of Bits.

• Attack alerting procedure by BlockSec.

• Chainlink Oracle Security Considerations - Security Considerations for Integrating Chainlink Price Oracles by Dacian (Cyfrin).

• Auditor’s Advice Series by OfficerCia:

  • Auditor’s Advice: Math, Solidity & Gas Optimizations | Part 1/3.

  • Auditor’s Advice: Solidity Checklist & Reentrancy Attack | Part 2/3.

  • Auditor’s Advice: EVM Limitations & Assembly Auditing Tips | Part 3/3.

• The Potential Impact Of ERC-777 Tokens On DeFi Protocols by Immunefi.

• Squashing a Pesky Bug in UniswapX by shung (Kebabsec).

• Essential Auditing Knowledge | What is the Difficult-to-Guard “Read-Only Reentrancy Attack”? by Beosin.

• Exploring Tornado Cash In-Depth to Reveal Malleability Attacks in ZKP Projects by Beosin.

• DeFi Risk Modelling Awesome by engn33r.

• Web2 Bug Repellant Instructions by Caue Obici and Bruno Halltari (OtterSec).

• The Specter (and Spectra) of Miner Extractable Value.

• Exotic culinary: Hypernative systems caught a unique Sandwich Attack against Curve Finance by Vazi (Hypernative).

• Audit Anomalies Archive by zzzuhaibmohd.

• Theft of collateral tokens with fewer than 18 decimals by Cyfrin.

• Curve Finance Analysis and Post-mortem by ChainLight.

• The Vulnerable Nature of Decentralized Governance in DeFi.

• The Double-Edged Sword of abi.decode by 0xdeadbeef.

Tools

• Heimdall-rs 0.5.0 by Jon Becker. Now includes a feature to generate detailed bytecode analysis including compiler version detection, 4byte resolution, modifier detection, storage slots, events, errors, etc. Amazing!

• ABI Guesser Py by 0xSt1ng3R. A Pythonic version of abi-guesser inspired by the original implementation by samczsun.

• Piller by Hexens. A static analysis framework for Polynomial Identity Language (PIL) used in zkEVM for defining state machines.

• scure-base by Paul Millr. Audited and 0-dep implementation of bech32, base64, base58, base32 & base16.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content