Greetings!
Reentrancy exploits are back. Two projects were compromised this week, netting attackers $27M+, mostly from a very interesting PenPie compromise.
MakerDAO deployer keys on Optimism and Arbitrum networks are compromised thanks to the good ole’ Profanity vanity generator bug. Malicious contracts were already deployed on BSC, Base, and other EVM chains.
Let’s dive into the news!
News
'Why Are You Doing This to Me?': Detained Binance Exec Begs Prison Guard for Help in New Court Footage. Expect nothing less from Nigeria, not surprised by inaction from Binance, but a lack of involvement from the US Government while their citizen, colleague, and just a good man is rotting in jail for 4 months is shameful. Bring Tigran Home now!
YubiKeys are vulnerable to cloning attacks thanks to a newly discovered side channel. The EUCLEAK side-channel attack is also applicable to other devices that use Infineon, such as the latest Trezor V3. A successful attack requires about 5 minutes of physical access to the device, as well as sophisticated equipment and skill.
Chainalysis is trying to wipe this video off the internet after the Monero community noticed it and used it to figure out most of their tricks, such as running spy nodes. Mirror.
A Call for Urgent Security Reform: Recent events surrounding the Cosmos Hub's security practices by gadikian.
Inside the Trump Crypto Project Linked to a $2M DeFi Hack and Former Pick-Up Artist.
Crime
Gunman forces Revelo fund manager to drain investors’ crypto.
Home invaders used machete, Toblerone to rob a man of his Bitcoin.
Offline USDT sale abandoned after buyer gets punched in face.
US DOJ Charges Hamas Leaders with October 7 Attacks, Details Hamas’ Use of Cryptocurrencies by TRM.
Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt.
Crypto ‘Mastermind’ Allegedly Behind $3,360,000 Scheme Arrested in South Korea.
Nigerian Scammer’s Crypto Wallet Seized by Kansas Attorney General.
Policy
Russia’s Cryptocurrency Pivot: Legislated Sanctions Evasion by Chainalysis.
Russia mined over $3 billion in Bitcoin last year, boosting tax revenue amid sanctions.
South Korean Regulator Unveils Plan to Inspect Crypto Exchanges for Illegal Practices.
Crypto-friendly United Texas Bank faces cease and desist order from Federal Reserve.
SEC Charges Crypto-Focused Advisory Firm Galois Capital for Custody Failures.
Uniswap Labs Settles CFTC Charges Over 'Illegal' Margin Products.
Phishing
Stop Spoofing My Wallet! Demystifying Simulation Spoofing Attacks by Offside Labs.
Scammers Exploit Solana Token Feature to Burn Users' Crypto.
Someone lost $805,032 worth of Lido ETH by signing a "permit" phishing signature by realScamSniffer.
Another victim lost $397,831 due to signing a "setOwner" phishing signature that changed its DSProxy's ownership by realScamSniffer.
Another victim lost $104,668 by signing a "permit" phishing signature by realScamSniffer.
Angel Drainer just released AngelX, the most sophisticated wallet drainer to ever hit web3 by Blockaid.
Lara and Tiffany Trump’s X Accounts Hacked To Promote Cryptocurrency Scam.
Scams
Thousands of Trump followers tricked by scammers targeting his new crypto project.
Combating Crypto Scams in South Asian Circles: Part 2 by zeroShadow.
Woman describes being kidnapped, forced to work as cryptocurrency scammer abroad.
Malware
Contests
EVM CTF Challenges by MiloTruck.
Rareskills Inspired CTF Challenges by BlockChomper.
Media
The Battle For Privacy: Free Samourai w/ Zack Shapiro, Econoalchemist, Diverter NoKYC & Tor Ekeland.
Restaking Security: Challenges and Best Practices by DSS Monthly Webinar.
OpSec Fundamentals with thelafffinman by Cantina.
zkEVM Audit Education Session by Scroll.
Research
DeFied Expectations - Examining Web3 Heists by Mandiant.
EUCLEAK Impact on Hardware Wallet Security by Coinspect Security.
The Persistent Threat: Why Reentrancy Attacks Remain a Challenge in Web3 by Eyal Fine (spherex).
Delving into the Security Implications of Fee Structure in a CDP protocol by Bill.
Formal Verification for Dummies, Episode 1: "Specifications" by Raoul Saffron (Runtime Verification).
Pump and Dumps in the Bitcoin Era: Real Time Detection of Cryptocurrency Market Manipulations.
DogeFuzz: A Simple Yet Efficient Grey-box Fuzzer for Ethereum Smart Contracts.
FORAY: Towards Effective Attack Synthesis against Deep Logical Vulnerabilities in DeFi Protocols.
Notes on Extractable Witness Encryption for KZG Commitments and Efficient Laconic OT.
On the Compliance of Self-Sovereign Identity with GDPR Principles: A Critical Review.
Deanonymizing Ethereum Validators: The P2P Network Has a Privacy Issue.
Rolling in the Shadows: Analyzing the Extraction of MEV Across Layer-2 Rollups.
Awesome Account Abstraction by 4337Mafia.
Exploring Sui: The Technology Behind High Performance and Contract Security by SlowMist.
Fuel smart contract's storage mechanics by jecikpo.
UTXO Research Report: State Of The Bridges by Utxo (Bitcoin Magazine).
Choose Privacy by Shinobi (Bitcoin Magazine).
Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control by Embee Research.
Exploiting stripe-samples with a Github pwn requests by Adnan Khan.
Tools