BlockThreat - Week 36, 2023
Lazarus | Stake | GMBL | Vitalik | FloorsDAO | Connext
We are hearing more frequent news of Lazarus group exploits. Atomic Wallet, AlphaPo, CoinsPaid and now Stake platform compromised to feed the rogue nation state’s appetite for crypto. The amounts stolen per hack are smaller than they were in the past, but at the current rate they will likely beat past year’s $300m record.
Another persistent threat is the never ending stream of Twitter/X account compromises. This week alone Ordinals, Gitcoin, and even Vitalik’s accounts hacked. The latter resulted in the theft of almost $700k worth of assets mostly from one user.
If that wasn’t enough; this week also features a barrage of exploits in key dependencies on which we rely for day to day crypto operations: 0day in iPhones, XSS vulnerabilities in Proton, Skiff and other privacy email providers, wallets leaked in the LastPass compromise are finally being cracked and emptied.
On the DeFi side, another $1m was stolen from six projects. The Connext token launch API DoS attack was particularly interesting where an attacker made sure their wallet would be able to front-run claims from a few hundred compromised wallets.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
The common trend this week is all of the web2 dependencies that we have so carelessly chosen as a foundation for our decentralized projects are now coming back to haunt us. I hope this motivates you to look down the stack and push toward more secure, decentralized alternatives.
Let’s dive into the news!
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach by Brian Krebs reports on theft of at $35m+ from 150 individuals since December 2022.
NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild by The Citizen Lab. The exploit uses Passkit images delivered in iMessenger messages.
Active North Korean campaign targeting security researchers by Google TAG.
Code Vulnerabilities Put Proton Mails at Risk by Sonar. A similar bug affects Skiff, Tutanoa, other encrypted mail solutions which could allow theft of emails and impersonation attacks.
Vitalik Buterin’s X account hacked, over $691K drained from victims’ wallets. Vitalik later revealed that SIM-swapping of his T-Mobile number was the root cause of the exploit.
Ordinals Wallet X account hacked using SIM-swapping to redirect users to pinkdrainer.
Reports of a user losing $24.23m in rETH with an increaseAllowance phishing attack associated with the coindroplet campaign.
Phishing via Google Looker Studio by Check Point reports on a new attack vector to steal crypto.
Cybercriminals target graphic designers with GPU miners by Cisco Talos.
OxHacked x OtterSec CTF - September 30, 2023.
Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium by Vitalik Buterin, Jacob Illum (Chainalysis), Ameen Soleimani (Privacy Pools) and others.
Cat and Mouse by Rekt.
Bridge Assessment Report commissioned by Uniswap.
0Kage Diaries Chapter 1 — Enzyme Finance by OKage.
Huckleberry: IBC Event Hallucinations by Felix Wilhelm describes a vulnerability in Cosmos ibc-go reference implementation.
EVM: Degen Bit Masking by VNMRTZ.
How Vyper Compiles Into Bytecode by Pascal Marco Caversaccio (pcaversaccio).
A Deep Dive into Rust Smart Contracts with CodeLLDB by Resonance.
Upgradeable contract audit checklist by Pashov.
MEV-Boost+/++: Liveness-first Relay Design by Eigen Layer.
Aave Unleashed by calnix.
Eternal Privacy Playgrounds by tonk.
AMM MEV backrunning by OpenSense.
Mempool Dumpster - Dump mempool transactions from EL nodes, and archive them in Parquet and CSV format.
Immunefi Bounty Additions and Removal Telegram Bot by Pawel Wylecial.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.