Greetings!
Finally a slow week with only $60K in losses and just 2 incidents. The AAVE donation contract exploit was interesting in the way attackers tricked the swap function into spending an unlimited allowance. Similarly, an unknown MEV contract was also exploited due to insufficient calldata validation in its swap call. Coincidence? Most likely just reaffirming my finding earlier this year that DeFi projects have a hard time validating malicious function parameters.
What is more concerning is the never-ending stream of Discord, Telegram, and X account compromises. Check out the following Twitter, Discord, and Telegram guides to lock your project down. Just an hour of your time will save your users millions and give you the warm fuzzy feeling that you just did the right thing.
Since it is a slow week, I hope you get some much needed rest and enjoy excellent reports on threat actor activity, contests, phishing tactics, research and tools to build up your defenses below.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, tradfi security researchoors discovered a money printing bug in Chase ATMs aka “check fraud”. Oh and be sure to check out an amazing techno fiction story Tales from the Chain - Decentralized Deceit by the good folks at Rekt. Let’s dive into the news!