BlockThreat - Week 33, 2022
Celer | General Bytes | NearX | Sha Zhu Pan
This week featured several curious hacks, including a compromise of a crypto ATM network and a BGP hijacking of Celer Bridge. The latter was all the more interesting for just how little the attackers were able to steal ($235K) from a protocol transacting $12M per day on average.
Get cosy this weekend, because it’s a great time to learn new things. Multiple analytics companies published their mid-year blocksec reports with the latest trends on crypto crime and DeFi compromises. There are also four different blocksec conferences coming up in the next few days. To think that only a few years ago the topic was maybe a single track at other conferences, and now we have multiple blocksec events happening in a single week! I will be attending the first two in the list below, so stop by and say hi :)
August 26, 2022 - DeFi Security 101 - Stanford, CA.
August 27-28, 2022 - DeFi Security Summit - Stanford, CA.
August 29-31, 2022 - SBC ’22 - Stanford, CA.
August 31-September 1, 2022 - Blockchain Security Summit 2022.
The Ballad of Razzlekhan and Dutch, Bitcoin's Bonnie and Clyde.
The Sleuths Who Protect Crypto From Hackers Are Raking in Money.
Mid-year Crypto Crime Update by Chainalysis.
2022 Mid-Year Blockchain Security and AML Analysis Report by SlowMist.
H1 2022 Web3 Security Report by Beosin.
Ethermine started filtering Tornado Cash transactions.
Security PSA: Sha Zhu Pan (Pig Butchering) Investment Scams.
A case study of permit function abuse to steal users’ funds. The technique already appears in turnkey drainer tools available on the dark market.
On August 8, 2022 Mailchimp was social engineered again, which resulted in the loss of PII for 214 cryptocurrency-related companies using the service.
On August 14, 2022 Energy Fi lost $584 due to a completely missing transaction validation.
On August 15, 2022 MMFcrypto Front-end experienced a DDoS attack.
On August 16, 2022 Stader NearX lost $830K due to a reentrancy bug.
On August 17, 2022 Celer Bridge Front-end experienced a BGP hijacking attack pointing its users to malicious contracts and losing $235K across multiple chains.
On August 18, 2022 General Bytes’ ATM management console (CAS) was compromised, allowing an attacker to steal funds deposited by ATM customers.
On August 22, 2022 Rainbow Bridge experienced another attempted fake block injection, which was caught by automated watchdogs.
Sherlock patched a bug in its yield strategy integration thanks to a responsible disclosure by GothicShanon89238.
SZNS BountyBoard fixed a reward and NFT stealing vulnerability thanks to a responsible disclosure by patrickd.
Building towards a Secure Cross-Chain Future featuring Mudit Gupta, deBridge and Halborn folks.
Under-constrained computation, a new kind of bug by Joran Honig.
Using mutants to improve Slither by Alex Groce.
Commonly used tools by web3 exploit researchers by Simon Cousaert.
Introduction of Cross-chain Technology in Bridges by Beosin.