BlockThreat - Week 4, 2023
Kevin Rose | NFT God | Azuki | Robinhood | Harmony | Wormhole
This week continues the trend of bad actors moving stolen funds from months-old compromises. The Wormhole, Harmony, and Blockchain Bandit attackers have all awoken.
Mango Labs decided to go forward with a civil lawsuit against Avi Eisenberg, which goes against their promise not to sue in exchange for returning funds. This could set an interesting precedent for future “white-hat agreements”, where attackers may still be liable if they come within reach of the law.
Not too many DeFi exploits this week with <$100K in total losses. That’s two weeks in a row. I am honestly afraid of calling it a trend since a similar lull in June of 2022 was preceded by a $100M+ compromise.
Scammers, on the other hand, have been really busy attacking crypto celebrities and taking over exchange Twitter accounts. Phishing attacks targeting individuals clearly need to be addressed by improving wallet security, since the victims were seasoned crypto veterans. It feels like a consumer-focused “web3 firewall/antivirus/etc” industry is both necessary and long overdue so that even our grandparents can safely approve NFT transactions. In the meantime, check out the phishing incidents mega-thread by the one and only Tay in the scams section below for all the ways folks get rekt.
On a more positive note, I have a fantastic compilation of research papers and tools for you this week. From research into bridge compromises and the dark forest to formal verification and MEV, it should keep you plenty busy for the next week. I also included a talk I gave on the craft of blockchain threat intelligence at yAcademy, which includes a list of the Top 10 DeFi attack vectors to help you lock things down.
Let’s dive into the news, but first a note from our sponsors at Chainalysis with some very positive news on ransomware profits from the upcoming crypto crime report!
Ransomware revenue down as victims refuse to pay 🙅
Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before. But it's not because ransomware attacks have gone down. It's because victims are increasingly refusing to pay. Get the latest on ransomware in 2022 now >
Harmony Hackers Cover Tracks by Bridging Portion of $100M Loot to Avalanche, Ethereum and Tron. The group added Railgun, a privacy system, to their arsenal to obfuscate stolen funds.
FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft. The press release confirms the Lazarus link based on on-chain analysis from more than 6 months ago.
Phishing and Scammer Incidents Mega-Thread by Taylor Monahan.
Robinhood’s Twitter Account Compromised. Used to promote a fake token on BNB Chain. Only $8.2K was stolen.
Monkey Drainer scammers uncovered by CertiK.
On January 26, 2023 Blue Clues Inu’s Uniswap pool was drained due to faulty token burn logic. About $11K was lost.
On January 26, 2023 Tom Inu lost $35K in a price oracle manipulation attack.
On January 27, 2023 phyProxy lost $1.2K due to a bug in function parameter validation.
Submitting malicious transactions into a crypto wallet on behalf of any dApp by Pavel Shabarkin (Quantstamp).
TA444: The APT Startup Aimed at Acquisition (of Your Funds) by Proofpoint.
Block IV Guest Speaker: Peter Kacherginsky - Blockchain Threat Intel.
Bridge Bugs Overview by MixBytes.
Setting Bear Traps in the Dark Forest by Paul Brower.
Your First Day As A Bug Bounty Hunter On Immunefi by Immunefi.
Threat Modeling for Smart Contracts: Best Step-by-Step Guide by Paweł Kuryłowicz.
Formally Verifying Finality in Gasper: The Core of the Beacon Chain by Runtime Verification.
Solana Formal Verification: A Case Study by OtterSec.
Breaking the Tree: Violating Invariants in Semaphore by Veridise.
Why TWAP Oracles Are Key to DeFi Security by Rob Behnke (Halborn).
Securing Web3 Through Proactive Threat Prevention by BlockSec.
Signature malleability attack thread by Owen (Web3Sec).
Gas griefing attack abusing the 63/64 rule by Owen (Web3Sec).
MEV: Maximal Extractable Value - How Flashboys Became Flashbots by Christine Kim.
Token approve front-running attack thread by bytes032.
Security Researcher Dashboard by Saloon.
Review of Blockchain Security in 2022 by FairyProof.
OpenChain - 4byte signature database by samczsun.
BitSearch - Bitcoin Search Engine.
How to use MetaSleuth to analyze a phishing attack by BlockSec.