Catching up on the past weeks' news, this week featured one of the most devastating bridge attacks to date, with almost $600M stolen from the BSC Token Hub. The attack was sophisticated and well executed, targeting vulnerable precompiled contracts embedded deep within the BSC node software. Following the compromise, the attacker quickly moved assets across six chains while swapping out any token that could be blocklisted. They obviously knew what they were doing. Binance had to shut down the entire chain just to stop off-chain transfers, while stablecoin issuers hunted down and froze stolen funds on other chains. After the dust settled, the attackers got away with $110M.
The TransitSwap compromise serves as another case study: a blocksec consulting outfit, SlowMist, not only doxxed the attacker, forcing them to return the stolen assets, but also went all out to hack back one of the arbitrage bots and empty its wallet. Hacking back is a contested topic in traditional security, but in the wild west that is web3, where the law of the land is not yet established, this may become a trend.
Speaking of the law, law enforcement (LE) agencies across the world have been busy sentencing ransomware actors, arresting scammers, and fining celebrities involved in cryptocurrency schemes.
News
Millions in Cryptocurrency Vanished as Agents Watched Helplessly by Bloomberg.
Financial Stability Oversight Council Releases Report on Digital Asset Financial Stability Risks and Regulation by U.S. Treasury.
Mastercard’s CipherTrace launched a new tool for banks to combat fraudulent transactions from crypto merchants.
Europe Bans All Crypto Wallet Services to Russia in New Sanctions Package.
North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon.
Optus, Australia’s second largest telecommunications provider, reveals at least 2.1 million ID numbers exposed in massive data breach.
The Web3 Security Quarterly Report - Q3 2022 Edition by CertiK.
The state of cross-chain crime report by Elliptic.
Crime
Canadian hacker associated with NetWalker ransomware group sentenced to 20 years for his role hacking and extorting hundreds of victims.
South Korean authorities arrested and later released Terraform Labs executive.
US-Brazil investigation leads to disruption of transnational cryptocurrency fraud ring responsible for duping thousands promising high returns.
Crypto Sleuth ZachXBT’s Efforts Lead to Prosecution of Alleged Bored Ape NFT Scammers.
Kim Kardashian pays $1.26 million after being charged with illegally promoting crypto scheme.
Scams
Social engineering and phishing attack resulted in the loss of 7 apes.
NFT Artist Beeple Warns Discord Members of Wallet Drainer Exploit.
Investigation of May 22 @beeple’s Twitter compromise by ZachXBT.
Hacks
On October 1, 2022 TransitSwap and BabySwap lost $23M due to insufficient function parameter validation. In a surprising turn of events, SlowMist managed to hack back some of the arbitraged funds from an MEV bot that was using a Profanity-generated address, while doxxing the original attacker, who returned most of the stolen assets.
On October 4, 2022 Sovryn lost $1.1M in a price manipulation exploit.
On October 6, 2022 BSC Token Hub lost $586M due to an exploit bypassing cross-chain transfer proofs. Following the compromise, BSC shut down the network, preventing the attackers from transferring the majority of the stolen assets.
On October 6, 2022 RES Token lost $290K as a result of a price oracle manipulation attack.
Other Incidents
Starting on October 5, 2022 the Zcash network has been under a spam attack that fills up its blocks and inflates the blockchain size.
On October 9, 2022 Lightning Network froze for hours while testing large multi-sig Taproot transactions.
Vulnerabilities
Curve patched a read-only reentrancy vulnerability in its price oracle function thanks to a responsible disclosure by ChainSecurity.
Malware
Research
Pwning web3 bridges workshop files.
Fuzzing Solidity Smart Contracts with Echidna: Die-Hard Level Tips.
The State of Crypto Security by Kofi Kufuor.
Tools
Ethereum Transaction Viewer by samczsun supports decoding of transactions on Ethereum, Polygon, Optimism, BSC, and other EVM chains.
ABI Decompiler - a simple tool to recover the ABI of EVM smart contracts, including function names. The toolkit includes a wordlist-based signature bruteforcer to help reverse previously unknown 4-byte function selectors.
Contract Diff - helps find differences between contract forks using simhashes.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.