Greetings!
Details of the key extraction vulnerability were published in the whitepaper listed in the Research section. So far the vulnerability disclosure has triggered a THORChain trading halt as well as emergency patches in Coinbase WaaS, Binance and ZenGo. One of the affected wallet providers, BitGo, appears to have let the lawyers handle the response instead of their devs. Vulnerabilities happen, and this is not the right way to respond to security researchers. Given the criticality of the vulnerability and the availability of PoC exploits, we may see active exploitation of any unpatched wallet providers in the future by malicious and/or compromised insiders.
Out of $8.2m stolen from DeFi protocols this week, Exactly Protocol suffered the most losses with an interesting exploit involving specially crafted function parameters to bypass permit checks. The $870k RocketSwap hack was particularly unfortunate: attackers stole private keys from a deployed host. As I have noted in the recent discussion of the Top 10 DeFi Attack Vectors, private key theft is an operational security issue often neglected by projects that focus only on application security.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Inside North Korea's Crypto Heists: $200M in Crypto Stolen in 2023; Over $2B in the Last Five Years by TRM.
Body of American crypto trader dismembered and flushed down drain.
friend.tech: Database Leak Exposes Wallet Addresses of 101,000 Users.
Shibarium 'sloppy launch' sees $1.8 million stuck in pending state.
Scams
The Human Cost of Cryptomania explores Cambodia slave labor complex.
Malware
LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab by Sysdig.
Beware cool-looking beta crypto-apps. They may be money-stealing fakes.
Research
Practical Key-Extraction Attacks in Leading MPC Wallets whitepaper and the corresponding BlackHat talk by Nikolaos Makriyannis and Oren Yomtov.
TSS Vulnerability Thread by Hein Alberts. A more accessible explanation of the above vulnerability and how it affected THORChain.
Month long DeFi security alpha thread by engn33r.
Advanced Wizard Guide to Dune SQL and Ethereum Data Analytics by Andrew Hong.
Common Cross-Chain Bridge Vulnerabilities by Immunefi.
Exploring Latent Risks of Decentralized Options Exchanges: Part 1 by ChainLight.
Uniswap v4 - threat modeling for secure integration by Damian Rusinek (Composable Security).
Use Phalcon Fork to Learn Uniswap V2 by BlockSec Team.
Aave v3 bug bounty part 1: Security concerns and improvements about the `executeFlashLoan` function by StErMi.
A Novel Defense Against ERC4626 Inflation Attacks by OpenZeppelin.
Diamond storage walkthrough by banteg.
Wallet Process quality statement r2 by DeFi Safety.
Noir 101 for Solidity Devs by crisgarner.eth.
Structs in Solidity: Best Practices for Gas Efficiency by 0xLazard.
Stages of money laundering by Match Systems.
Haggling With Hackers: Surprising Lessons From 50 Negotiations With Ransomware Gangs.
Cryptanalysis of the DAO exploit by Crypto Deep Tech.
Tools
The Auditor Toolbox - Docker system and Web3 tooling aggregator for Security Researchers.
Audit Wizard - The all-in-one web3 security tool.
WhatsABI - Guess an ABI from an Ethereum contract address, even if it's unverified. The new 0.7.0 release adds proxy handling.
EVM Storage now shows visual storage slots.
Masamune - a search utility tool that allows you to search for smart contract security vulnerabilities, from a curated list of sources.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.