BlockThreat - Week 40, 2022
BSC | TransitSwap | Sovryn | Zcash | Water Labbu
Catching up on past weeks’ news, this week featured one of the most devastating bridge attacks, with almost $600M stolen from the BSC Token Hub. The attack was sophisticated and well executed, targeting vulnerable precompiled contracts embedded deep within BSC node software. Following the compromise, the attacker quickly moved assets across six chains while swapping any blocklistable token. They obviously knew what they were doing. Binance had to shut down the entire chain just to stop offchain transfers while stablecoin issuers hunted down and froze stolen funds on other chains. After the dust settled, the attackers got away with $110M.
The TransitSwap compromise serves as another case study where a blocksec consulting outfit, SlowMist, not only doxxed the attacker, forcing them to return stolen assets, but also went all out to hack back one of the arbitrage bots to empty its wallet. Hacking back is a contested topic in traditional security, but in the wild west that is web3, where the law of the land is not yet established, this may become a trend.
Speaking of the law, LE agencies across the world have been busy sentencing ransomware actors, arresting scammers, and fining celebrities involved in cryptocurrency schemes.
Mastercard’s CipherTrace launched a new tool for banks to combat fraudulent transactions from crypto merchants.
Optus, Australia’s second largest telecommunications provider, reveals at least 2.1 million ID numbers exposed in massive data breach.
The state of cross-chain crime report by Elliptic.
Canadian hacker associated with NetWalker ransomware group sentenced to 20 years for his role hacking and extorting hundreds of victims.
Social engineering and phishing attack resulted in the loss of 7 apes.
On October 1, 2022, TransitSwap and BabySwap lost $23M due to insufficient function parameter validation. In a surprising turn of events, SlowMist managed to hack back some of the arbitraged funds from an MEV bot using a Profanity address while doxxing the original attacker, who returned most of the stolen assets.
On October 4, 2022 Sovryn lost $1.1M in a price manipulation exploit.
On October 6, 2022, BSC Token Hub lost $586M due to an exploit bypassing cross-chain transfer proofs. Following the compromise, BSC shut down the network, preventing the attackers from transferring the majority of the stolen assets.
On October 6, 2022 RES Token lost $290K as a result of a price oracle manipulation attack.
Starting on October 5, 2022, the Zcash network has been under a spam attack that is filling up its blocks and growing the blockchain size.
On October 9, 2022 Lightning Network froze for hours while testing large multi-sig Taproot transactions.
Pwning web3 bridges workshop files.
The State of Crypto Security by Kofi Kufuor.
Ethereum Transaction Viewer by samczsun supports decoding of transactions on Ethereum, Polygon, Optimism, BSC, and other EVM chains.
ABI Decompiler - a simple tool to recover ABI of EVM smart contracts, including function names. The toolkit includes a signature bruteforcer based on wordlists to help reverse previously unknown 4bytes.
Contract Diff - helps find difference in contract forks using simhashes.