Greetings!
This week the US DoJ charged two Tornado Cash founders with conspiracy to launder $1b in crypto assets stolen by the North Korean Lazarus Group. One of the developers was briefly jailed but released on bail. This will not impede North Korean hacking, but it will prevent 95%+ of legitimate users from protecting their on-chain privacy.
BlockFi, FTX, and Genesis customer records were leaked in the compromise of Kroll, the bankruptcy claims processor. Get ready for a mass wave of targeted phishing campaigns victimizing people who have already watched their life savings disappear.
More than $2.1m was stolen from the Balancer protocol, which had earlier alerted its liquidity providers to a critical vulnerability and urged users to pull their assets. Public disclosure of a vulnerability is a delicate balance between tipping off attackers and saving customer assets. Should they have hacked themselves after the first exploit transactions showed up on-chain?
Another $2.5m+ was stolen from crypto users via phishing attacks seemingly coming from everywhere: Google Ads, fake job posts, Telegram impersonators, etc. We still have a long road ahead protecting users and rebuilding trust in the ecosystem.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proofs of concept (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
On the bright side, we have a number of CTFs and blockchain security conferences coming up in the next few months! It’s a joy to watch our community growing and sharing their knowledge openly. This week also features a few fantastic research papers, including research into blockchain finality from Trail of Bits, a massive DeFi root cause analysis database from SunSec, and many others.
Let’s dive into the news!
Events
Paradigm CTF - October 28, 2023.
MetaTrust Web3 Security CTF - September 13, 2023.
TrustX organized by Secureum - November 13-14, 2023 in Istanbul, Turkey.
Web3 Security Conference organized by De.Fi - Oct 4, 2023 in Milan, Italy.
News
Breaking down the Top 50 DeFi hacks 2016-2022 by Halborn.
Tornado Cash Devs Charged With Helping Hackers Launder $1B, Including Infamous North Korean Attacks.
Blockchain Capital’s Bart Stephens Lost $6.3 Million In SIM-Swap Crypto Hack.
Terra warns users after hackers turn domain into a ‘phishing site’.
Scams
FTX Customers Hit by 'Withdrawal' Phishing Mails After SIM Swap Attack.
X users manipulated by ChatGPT bots to visit malicious crypto sites.
Reports of Google Adwords being used to redirect users to crypto phishing sites, which already cost one user $900k after visiting a malicious Celer Bridge dapp.
Reports of fake crypto job posting used to spread wallet stealer malware.
Magnate Finance disappears with over $6 million in apparent 'rug pull'.
A sophisticated phishing scam stole $1.5m from SOL Big Brain by impersonating a Telegram account of a portfolio management company.
Malware
DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability by Juniper Networks.
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT by Cisco Talos.
Contests
Capture the Ether Solutions using Foundry by 0xraion.
Project SEKAI CTF 2023 Re-Remix Writeup by minaminao.
Media
Blockchain Security Across The Development Lifecycle spaces by OpenZeppelin.
Preventative Security Tactics spaces by De.Fi.
Rust x Ethereum Day hosted by Paradigm includes a few security related talks.
Research
The Engineer’s Guide to Blockchain Finality by Benjamin Samuels (Trail of Bits).
Typical vulnerabilities in AMM protocols by kasimonagasaki (Decurity).
A UI Flaw in Top Crypto Wallets We Need to Address by Coinspect.
Helping Curve Save $6m of User Funds by Addison Spiegel.
Ethereum Apocrypha by Shane Auerbach (smlXL).
Cross-Chain Security with LayerZero Labs by Ryan Zarick.
Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning.
Double and Nothing: Understanding and Detecting Cryptocurrency Giveaway Scams.
Top 5 duplicated issues of competitive audits thread by Patrick Collins.
Applied Elliptic Curve Cryptography by patrickd (Ventral).
Bonding curve explanation thread by 0xfave.
Solidity signature verification checklist by TheSchnilch.
How to not get rekt from MEV bots thread by Patrick Collins.
A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool— Part 1 by Antonio Viggiano (Oak Security).
Some rough impressions of Worldcoin by Matthew Green.
Tools
Rivet - a developer focused web3 wallet by Paradigm.
Cryogen - blockchain dataset management tool by banteg.
Version Detector - a library for runtime EVM version detection by Philogy.
Top 10 AI Tools for Smart Contract Auditors by Unsnarl.
Huff breakpoints for Foundry debugger by devtooligan.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content