Blockchain Threat Intelligence

BlockThreat - Week 36, 2022

Avalanche | Nereus | New Free DAO | Gera

Peter Kacherginsky
Sep 14, 2022

Greetings!

This week Avalanche patched a couple of critical vulnerabilities that could have been used to steal assets or shut down the whole network. Multiple DeFi projects were also exploited, through well-known bugs as well as more sophisticated reward vulnerabilities, for a total of $3.3M. Following up on the Tornado Cash sanctions, multiple companies decided to fight back against OFAC’s overreach with well-written open letters and lawsuits. Let’s dive into the news!

News

  • $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit by Chainalysis.

Tornado Cash Updates

  • Coinbase Backs Tornado Cash Lawsuit Against U.S. Treasury.

  • Defending Privacy in Crypto by Coinbase.

  • Base Layer Neutrality by Paradigm.

Scams

  • Immunefi’s Guide to Crypto Phishing Attacks (and the Hackers Who Plot Them).

  • A number of new phishing campaigns advertising as Ethereum Merge sites, blockchain games, and software beta testers.

  • A compromised The Sandbox Instagram account was used to direct users to a phishing site.

Hacks

  • On August 22, 2022 Shiba Inu leaked AWS credentials in its public repo.

  • On September 5, 2022 Zoom Protocol lost $61K as a result of a price oracle manipulation vulnerability.

  • On September 7, 2022 Nereus Finance lost $371K in a price oracle manipulation attack.

  • On September 7, 2022 Gera Token reported its private keys were compromised which resulted in $1.48M losses.

  • On September 8, 2022 New Free DAO reward manipulation exploit resulted in $1.25M in losses.

  • On September 8, 2022 Ragnarok token lost $42K due to insufficient access controls on the transferOwners function.

  • On September 8, 2022 Primitive Finance was exploited with a math approximation bug to steal $34K.

  • On September 9, 2022 Dark Pool on BSC lost $103K due to a bug in reward calculation.

Vulnerabilities

  • Avalanche patched a critical DoS vulnerability in its node software thanks to a responsible disclosure by Péter Szilágyi.

  • Avalanche deprecated Native Asset Calls after Statemind, Abracadabra and Sushi teams reported a function access control vulnerability.

  • Foundry patched a remote code execution vulnerability in forge thanks to a responsible disclosure by elyx0.eth. Patch now!

  • Report on a memory overwrite vulnerability in OpenSea’s Wyvern Protocol by the BlockSec team.

Media

  • Starknet/Cairo Contract Reverse Engineering, Disassembly & Analysis with Thoth

Research

  • Celer Bridge incident analysis by Coinbase Threat Intelligence offers an in-depth analysis of the BGP hijacking attack and phishing contracts.

  • Blue Buttons of Death by Cia Officer and ortomichDev explores approval and permit token stealing methods, including PoC code.

  • Move: An Auditor's Introduction by OtterSec explores Diem’s Move type system and formal verification features.

  • SoK: Decentralized Finance (DeFi) Incidents.

  • Thread on DeFi security flywheel by emiliano.eth.

  • No More Attacks on Proof-of-Stake Ethereum?

  • Hacking my Helium crypto miner by Wesley Neelen.

Tools

  • Thoth, the Cairo/Starknet bytecode analyzer, disassembler and decompiler.

