Greetings!
Finally, a slow week with only $60K in losses and just 2 incidents. The AAVE donation contract exploit was interesting in the way attackers tricked the swap function for unlimited allowance. Similarly, an unknown MEV contract was also exploited due to insufficient calldata validation in its swap call. Coincidence? Most likely it just reaffirms my finding earlier this year that DeFi projects have a hard time validating malicious function parameters.
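As an added illustration of the parameter-validation problem described above (this is not code from Aave, the MEV contract, or any project covered in this issue; the contract names, the router interface and the `SWAP_SELECTOR` value are hypothetical), here is the unvalidated swap-forwarding pattern next to a hardened form:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: both contracts are hypothetical and exist only to
// show the "caller-controlled calldata forwarded to a swap call" pattern.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the caller chooses both the call target and the
/// calldata. Users have approved this helper to spend their tokens, so any
/// call the helper makes carries those allowances. Nothing stops `router`
/// from being a token contract, in which case `swapData` can invoke that
/// token's own functions with the helper as msg.sender, draining anyone
/// who ever approved it.
contract UncheckedSwapHelper {
    function swap(address router, bytes calldata swapData) external {
        (bool ok, ) = router.call(swapData);
        require(ok, "swap failed");
    }
}

/// Hardened pattern: a fixed, allow-listed router; the token being swapped
/// may never be the call target; the selector is checked; funds are pulled
/// only from msg.sender and only for this swap; and the router receives a
/// scoped allowance that is reset afterwards, so no standing approval remains.
contract CheckedSwapHelper {
    address public immutable router;                 // fixed at deployment, not caller-chosen
    bytes4 public constant SWAP_SELECTOR = 0x12345678; // hypothetical placeholder for the router's swap entry point

    constructor(address router_) {
        require(router_ != address(0), "zero router");
        router = router_;
    }

    function swap(IERC20 tokenIn, uint256 amountIn, bytes calldata swapData) external {
        // Validate the parameters the caller controls before spending anything.
        require(address(tokenIn) != router, "token cannot be the router");
        require(swapData.length >= 4, "calldata too short");
        require(bytes4(swapData[:4]) == SWAP_SELECTOR, "unexpected selector");

        // Pull exactly what this swap needs, from the caller only.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Scoped allowance for this call, then reset, so the router (or anyone
        // who can reach it) cannot consume leftover approvals later.
        require(tokenIn.approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(swapData);
        require(ok, "swap failed");
        require(tokenIn.approve(router, 0), "approve reset failed");
    }
}
```

The point to take from the hardened version is not any single check but that every caller-supplied value (target, selector, token, amount) is bounded before the external call is made; auditing a swap or adapter contract means listing those values and confirming each one has such a bound.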
What is more concerning is the never-ending stream of Discord, Telegram, and X account compromises. Check out the following Twitter, Discord, Telegram guides to lock your project down. Just an hour of your time will save your users millions and give you a warm fuzzy feeling that you just did the right thing.
Since it is a slow week, I hope you get some much needed rest and enjoy excellent reports on threat actor activity, contests, phishing tactics, research and tools to build up your defenses below.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, tradfi security researchoors discovered a money printing bug in Chase ATMs aka “check fraud”. Oh and be sure to check out an amazing techno fiction story Tales from the Chain - Decentralized Deceit by the good folks at Rekt. Let’s dive into the news!
Events
BlazCTF 2024 on September 20, 2024 by FuzzLand.
DeFi Security Summit 2024 on November 7-9 in Bangkok, Thailand.
News
North Korean threat actor Citrine Sleet exploiting Chromium zero-day to target cryptocurrency sector. The bad actor is also known as Hidden Cobra, UNC4736, AppleJeus, and Labyrinth Chollima, all affiliated with the infamous Lazarus group and part of North Korea’s Bureau 121. Victims are directed through social engineering to a malicious domain serving exploit code. According to Microsoft, following remote code execution in the browser, the exploit uses CVE-2024-38106 to elevate privileges and install the FudModule rootkit. Patch your Chrome and Windows hosts now, and please don’t visit unknown domains from a machine that holds smart contract keys or admin passwords!
40 Nations Join US and South Korea in Combating North Korean Crypto Crimes.
Telegram Founder Pavel Durov Charged Over Alleged Criminal Activity on the App.
Maker will be able to remotely freeze its new USDS stablecoin.
The real impact of an onchain hack: A comprehensive study of hack damage from 2021 to 2023 by Mitchell Amador (Immunefi).
Crypto losses to hacks exceed $313M in August. Notably, the majority of losses came from phishing.
Crime
2024 Crypto Crime Mid-year Update Part 2: China-based CSAM and Cybercrime Networks On The Rise, Pig Butchering Scams Remain Lucrative by Chainalysis.
Rate of Illicit Activity at Crypto ATMs is Double That of Overall Crypto Industry by TRM.
Cambodian scam giant handled $49 billion in crypto transactions since 2021.
2 Lexington County gold buyers to plead guilty in national romance, cryptocurrency scam.
SEC Charges Abra with Unregistered Offers and Sales of Crypto Asset Securities.
SEC Charges Brothers Jonathan and Tanner Adam with $60 Million Ponzi Scheme.
South Korean crypto firm Haru Invest CEO stabbed during fraud trial.
Crypto Scammer Caught Despite Changing Face and Wearing Wigs.
UK’s first crypto ATM charge claims phone shop owner laundered $400K.
Missouri Man Arrested for Extorting Former Employer With Bitcoin Ransom.
Thai authorities raid illegal bitcoin mine after power outages.
Policy
OpenSea Gets 'Wells Notice' From SEC, Which Calls NFTs Sold on Platform 'Securities'.
Russia Initiates Crypto Trials For Cross-Border Payments Amid Sanctions Crisis.
Nigeria Approves Two Crypto Exchanges, Warns Against Patronizing ‘Illegal Operators’.
RFK Jr. Threatened to Steal the Bitcoin Vote From Trump—Now They're United.
Phishing
How North Korea Leverages Software Developers for Cyber Espionage and Crypto Theft by ZeroShadow.
North Korean hackers posing as devs exposed with ‘I Hate Kim Jong Un’ test.
Web3 Security Guide: Avoiding Fake Mining Pool Scams by SlowMist.
Exposing Solana Scammers: Scams and Phishing by GoPlus.
Trader loses $1M in scam after Kylian Mbappé’s X account is hacked.
Scams
Bitcoin ATM scams are soaring — and older adults are increasingly the victims. $110M was stolen last year.
Mpeppe investors say project stole their coins ahead of casino plans.
Aussies Lose $122 Million to Crypto Scams, With Younger Victims Now Leading.
Washington State Probes Alleged Crypto Fraud Linked to Fake Nasdaq Exchange.
Crypto Scams Are Rapidly Evolving Beyond Pig Butchering: Report.
Malware
Media
Research
Circle's CCTP Noble Mint Bug by Ruslan Habalov (Asymmetric Research).
Intel SGX Fuse Key0 extracted by Mark Ermolov and Intel’s response.
Solc is kinda bad by d1ll0n. A collection of bizarre solc edge cases.
Aave-v3 test revealed a compiler bug in LLVM hidden since 2015.
Programming ZKPs: From Zero to Hero by zkintro.
Move Audit Resources by 0xriazaka.
Rounding Errors & Broken Invariants - Liquidity Pool Vulnerability Analysis by DegenShaker.
Flash Loan Attacks - Implications and Attack Avoidance by Zokyo.
Oracle Security Auditing Checklist: A Comprehensive Guide for Smart Contract Developers and Auditors by Olympix.
Pitfalls in Polkadot’s Substrate weight calculations? thread by KoolexC.
Uniswap v4 Core Audit by OpenZeppelin.
How to Implement Permit2 by Alex Babits (Cyfrin).
Security Considerations for Upgradeable Smart Contracts by QuillAudits.
UUPS: Universal Upgradeable Proxy Standard (ERC-1822) by RareSkills.
Modern DeFi Lending Protocols, how it's made: Morpho Blue by Sergey Boogerwooger, Pavel Morozov (MixBytes).
Build on Bitcoin: Critical Merged-Mining Bugs We Uncovered by Matías Marquez (Coinspect).
DeFi Security Landscape: 50 Key Players You Need to Know by BlockSec.
Web2 Meets Web3: Hacking Decentralized Applications by CertiK.
The Security Hustle: Protecting My Bitcoin From Hackers by Ivan Serrano.
Collaborative Learning Framework to Detect Attacks in Transactions and Smart Contracts.
Smart Contract Coordinated Privacy Preserving Crowd-Sensing Campaigns.
Showing the Receipts: Understanding the Modern Ransomware Ecosystem.
CrossInspector: A Static Analysis Approach for Cross-Contract Vulnerability Detection.
The Thin Line of Privacy by Rekt. Discusses the recent Pavel Durov arrest and privacy implications of Telegram.
Governing Blockchain Security: White Hat Hackers ‘Code of Conduct’ by Kelsie Nabben.
Tools
Forta Firewall announcement by Forta. Moving toward automated prevention.
auditoor.xyz by @0xrudrapratap. A smart bug report aggregator that will help you learn web3 security faster than ever.
Introducing the Shadow Registry by Jon Becker. A public registry of smart contract logs.
Solana Programs Verified Directory - A public dashboard for trusted, verified Solana programs.
EVMole update: Now extracts function state mutability with 99.99% accuracy!
Kontrol version v1.0. Formal verification tool built on KEVM and Foundry.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.