Greetings!
This was a relatively quiet week. A series of attacks on smaller projects on BSC used variants of the price oracle manipulation exploit. P719 was hacked twice for a total loss of $412K, AIZPT lost $20K, HYDT $58K. Those are not massive hacks, but they do add up. The Morpho team really dropped the ball when configuring the PAXG/USDC market by forgetting to account for USDC’s “non-standard” decimal count. A simple misconfiguration cost them $230K.
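The decimals mistake is worth seeing in numbers. The following is an added example, not code from Morpho or from the page: it models a lending market with PAXG (18 decimals) as collateral and USDC (6 decimals) as the loan asset, using an assumed 1e18 fixed-point price scale and an assumed LLTV expressed in basis points. The naive function treats every token as 18-decimal; the corrected one normalises through both tokens' decimals, and a sanity check computes what one whole collateral token is worth through the market's own math, which is the kind of pre-deployment test that catches this class of misconfiguration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Token:
    symbol: str
    decimals: int

# Constructed market configuration for this example.
PAXG = Token("PAXG", 18)      # collateral asset
USDC = Token("USDC", 6)       # loan asset: 6 decimals, not the 18 most ERC-20s use
PRICE_SCALE = 10**18          # assumed fixed-point scale for oracle prices
BPS = 10_000                  # basis points denominator

def whole(amount: int, token: Token) -> int:
    """Convert a human-readable whole-token amount into the token's base units."""
    return amount * 10**token.decimals

def max_borrow_naive(collateral_base: int, collateral: Token,
                     price_e18: int, loan: Token, lltv_bps: int) -> int:
    """Buggy: ignores token decimals and silently assumes both assets use 18.
    The result is denominated in 18-decimal units, but the market hands out
    USDC base units (6 decimals), so the limit is inflated by 10**12."""
    value = collateral_base * price_e18 // PRICE_SCALE
    return value * lltv_bps // BPS

def max_borrow(collateral_base: int, collateral: Token,
               price_e18: int, loan: Token, lltv_bps: int) -> int:
    """Correct: express the collateral's value in the loan asset's base units.
    price_e18 = loan tokens per one whole collateral token, scaled by PRICE_SCALE."""
    value = (collateral_base * price_e18 * 10**loan.decimals) \
        // (10**collateral.decimals * PRICE_SCALE)
    return value * lltv_bps // BPS

def decimals_sanity_check(borrow_fn: Callable[..., int], collateral: Token, loan: Token,
                          price_e18: int, expected_whole_price: int) -> bool:
    """Deployment check: at 100% LLTV, one whole collateral token must be worth
    exactly the expected whole-number price in loan base units."""
    limit = borrow_fn(whole(1, collateral), collateral, price_e18, loan, BPS)
    return limit == whole(expected_whole_price, loan)

if __name__ == "__main__":
    price = 2600 * PRICE_SCALE           # constructed: 1 PAXG = 2600 USDC
    one_paxg = whole(1, PAXG)
    for fn in (max_borrow_naive, max_borrow):
        limit = fn(one_paxg, PAXG, price, USDC, 8600)
        ok = decimals_sanity_check(fn, PAXG, USDC, price, 2600)
        print(f"{fn.__name__}: max borrow = {limit} USDC base units, sanity check {'pass' if ok else 'FAIL'}")
```

The naive limit for one PAXG at an 86% LLTV comes out to 2236 followed by eighteen zeros of USDC base units, i.e. trillions of dollars of borrowing power against $2,600 of collateral; the corrected limit is 2236 USDC.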
Something is happening at the SEC. It started with a wave of high-ranking officers leaving, including the SEC’s enforcement director. The number of counter-suits launched by crypto companies (3 just this week) is also on the increase. Insiders like SEC commissioners Mark Uyeda and Hester Peirce are publicly speaking out against the agency’s crypto policies. Rumors suggest a pro-crypto replacement for Gensler at the SEC. With just a few weeks left before the US presidential election, there is a lot at stake for the agency and the crypto industry.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Binance executive denied bail in Nigeria money laundering case.
The new Global Signal Exchange will help fight scams and fraud.
Crime
FBI Creates Fake Cryptocurrency to Expose Widespread Crypto Market Manipulation. The campaign resulted in DoJ charges against eighteen individuals as well as SEC charges targeting three market-makers and nine individuals, all for alleged fraud and market manipulation. You can find FBI wallets and smart contracts used in the campaign here and here.
Crypto-Based Money Laundering Services on Telegram by Cloudburst.
Brazilian Authorities Launch Operation Targeting Entities Facilitating Crypto Money Laundering.
Texas Drug Ring Sentenced for Laundering $50K Monthly in Cryptocurrency.
TD Bank Makes History as First US Bank to Plead Guilty to Money Laundering Conspiracy. Anyone going to jail for 25 years? Nope.
CT couple's kidnapping may be linked to son's alleged part in $230M crypto theft, police say.
Crypto CEO on the run after allegedly stealing 1,800 BTC and 28,000 ETH. USI-Tech was a Ponzi crypto scam from 2019.
Uniswap’s UNI Token Jumps 14% as Announcement About New L2 Leaks Ahead of Time.
ZachXBT claims there is an uptick in thieves targeting crypto traders offline.
Bitcoin bribe worth $73 mln lands Russian investigator in jail.
Irish Criminal Assets Bureau Unable to Access Drug Dealer's $378 Million in Seized Bitcoin.
Ohio’s New Crypto Fraud Unit Claims First Victory, Recovers $130K From Scam.
Policy
Regulators Are Limiting Banks Serving Crypto Clients. Does That Violate the Law?
New York Regulator Hiring Blockchain Analyst to Tackle Crypto Crimes.
SEC commissioner confesses its crypto approach has fueled 'disaster for the whole industry'.
Crypto.com Has Filed Suit Against the SEC to Protect the Future of Crypto in the U.S.
Bitnomial Exchange Sues SEC, Challenging Agency's Authority Over XRP Futures.
SEC charges Cumberland DRW with acting as 'unregistered dealer' in crypto transactions.
Phishing
Surviving Digital Danger by Rekt.
Wallet drainer exits TON due to lack of ‘whales’, shifts focus to Bitcoin targets.
$35 million worth of tokens drained from a crypto whale in phishing attack. A whale unknowingly signed a permit signature which resulted in the loss of 15,079 fwDETH on Blast chain.
A PEPE holder lost $1.39M worth of PEPE, MSTR, and APU after signing a "permit2" phishing signature.
Someone lost $2.47M worth of Aave Ethereum sDAI after signing a "permit" phishing signature.
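All three losses above came from a single off-chain signature rather than a transaction, so the only defence is reading what the typed-data request actually grants. The following is an added example, not code from the page or from any wallet vendor: it inspects an EIP-712 request whose primary type is an EIP-2612 `Permit` or a Uniswap Permit2 `PermitSingle`/`PermitBatch` (struct field names as defined by those specifications), and returns warnings for an unknown spender, an unlimited allowance, or an approval valid for more than a year. The addresses and amounts in the two sample requests are constructed placeholders, and the trusted-spender allowlist is an assumed input a wallet or browser extension would maintain.

```python
import time
from typing import Optional

MAX_UINT256 = 2**256 - 1   # "unlimited" value in EIP-2612 Permit
MAX_UINT160 = 2**160 - 1   # "unlimited" amount in Permit2 (amount is uint160)
ONE_YEAR = 365 * 86400

def _approvals(msg: dict, primary: str) -> list[dict]:
    """Flatten the typed-data message into individual (spender, token, amount, expiry) grants."""
    if primary == "Permit":  # EIP-2612: token is the domain's verifyingContract
        return [{"spender": msg["spender"], "token": None,
                 "amount": int(msg["value"]), "expiry": int(msg["deadline"])}]
    if primary == "PermitSingle":
        details = [msg["details"]]
    elif primary == "PermitBatch":
        details = msg["details"]
    else:
        return []
    return [{"spender": msg["spender"], "token": d["token"],
             "amount": int(d["amount"]), "expiry": int(d["expiration"])} for d in details]

def inspect_signature_request(typed_data: dict, trusted_spenders: set,
                              now: Optional[int] = None) -> list[str]:
    """Return human-readable warnings for a permit-style EIP-712 signature request."""
    now = int(time.time()) if now is None else now
    primary = typed_data.get("primaryType", "")
    trusted = {s.lower() for s in trusted_spenders}
    verifying_contract = typed_data.get("domain", {}).get("verifyingContract", "?")
    unlimited = MAX_UINT256 if primary == "Permit" else MAX_UINT160
    warnings = []
    for a in _approvals(typed_data.get("message", {}), primary):
        spender = a["spender"].lower()
        token = (a["token"] or verifying_contract).lower()
        if spender not in trusted:
            warnings.append(f"{primary}: spender {spender} is not a known contract")
        if a["amount"] >= unlimited:
            warnings.append(f"{primary}: UNLIMITED allowance on {token} granted to {spender}")
        if a["expiry"] - now > ONE_YEAR:
            warnings.append(f"{primary}: approval on {token} stays valid for more than a year")
    return warnings

# Constructed sample requests with placeholder addresses.
NOW = 1_700_000_000
TRUSTED = {"0x2222222222222222222222222222222222222222"}   # e.g. a known router (assumed)

PHISHING_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x1111111111111111111111111111111111111111"},
    "message": {"owner": "0xAAAA000000000000000000000000000000000000",
                "spender": "0x9999999999999999999999999999999999999999",  # unknown drainer-style spender
                "value": str(MAX_UINT256), "nonce": "0", "deadline": str(NOW + 10 * ONE_YEAR)},
}

BENIGN_PERMIT2 = {
    "primaryType": "PermitBatch",
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x3333333333333333333333333333333333333333"},
    "message": {"details": [{"token": "0x1111111111111111111111111111111111111111",
                             "amount": str(1_000 * 10**6), "expiration": str(NOW + 3600), "nonce": "0"}],
                "spender": "0x2222222222222222222222222222222222222222",
                "sigDeadline": str(NOW + 600)},
}

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_PERMIT), ("benign", BENIGN_PERMIT2)):
        print(label, inspect_signature_request(req, TRUSTED, now=NOW) or ["no warnings"])
```

The phishing sample trips all three checks: unknown spender, unlimited value, and a deadline a decade out. The benign Permit2 batch, with a known spender, a bounded amount and a one-hour expiration, produces no warnings, which is the shape a legitimate swap approval should have.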
Hip-hop star Cardi B’s X account promotes meme token amid hack concerns.
Ordinals Wallet's X account was compromised and posted phishing tweets by Scam Sniffer.
KOR Protocol X account appears to have been compromised by Scam Sniffer.
Zulu Network official X account was compromised by Scam Sniffer.
The “DEV#POPPER” scam targeting crypto and Blockchain developers by Antonio Perić-Mažar (Locastic).
Scams
Malware
Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response by TRM.
Hidden cryptocurrency mining and theft campaign affected over 28,000 users by Dr. Web.
FASTCash for Linux analysis by Double Agent. DPRK malware targeting traditional payment networks.
Contests
Blaz CTF 2004 - I Love REVMC writeup by push0ebp.
Media
Trust X Online - Securing Lending Protocols: The Aave Onion Security with Mooly Sagiv.
Unchained - Episode 715 - How North Koreans Infiltrated the Crypto Industry to Fund the Regime by Laura Shin.
Ryan Salame: Facing Prison for Donating to Trump, His Journey With SBF, & Why the Banks Hate Crypto. Covers a few interesting insider stories on the FTX meltdown, crypto, and political campaigning. Salame was asked to report to prison to start his 7.5-year sentence shortly after the interview.
Threatside podcast ep. #7 - Spearbit SR to LSR in 2 months with deadrosesxyz by deliriusz.
Threatside podcast ep. #6 - Operational security in Web3 with blockchomper by deliriusz.
Research
Investigating Hackers' Favorite Instant Crypto Exchange (eXch) by Fantasy.
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies by hackermondev.
Precision Loss Accumulation: The “Two Parser Bug” Lurking in the Shadows by Zhou Xianyuan.
Solidity Bugs Version Database by 00xsev.
SC-Bench: A Large-Scale Dataset for Smart Contract Auditing.
Ormer: A Manipulation-resistant and Gas-efficient Blockchain Pricing Oracle for DeFi.
Remeasuring the Arbitrage and Sandwich Attacks of Maximal Extractable Value in Ethereum.
From x*y=k to Uniswap Hooks; A Comparative Review of Decentralized Exchanges (DEX).
LLM-SmartAudit: Advanced Smart Contract Vulnerability Detection.
BlockFound: Customized blockchain foundation model for anomaly detection.
What Is A Blockchain Unconfirmed Transaction? by ProgrammerSmart (Cyfrin).
Critical Risk in ECDSA: Key Recovery Attack by Ajayi Stephen (Hacken).
Investigating Balance Integrity in Aave Markets by Artem Ustinov, Dmitry Zakharov (MixBytes).
DeFi patterns: ERC20 token transfers Howto by Sergey Boogerwooger, Dmitry Zakharov (MixBytes).
Secure Random Number Generation in Blockchain Environments: Challenges, Solutions, and Best Practices by Olympix.
Session Key Validation: Revolutionizing Web3 Wallet Security Without Changing Wallets by Olympix.
First Day At Invariant School by Nican0r (Recon).
20 Common Solidity Beginner Mistakes by RareSkills.
The State Of Fraud Proofs In Ethereum L2s by Sm-Stack and BTC Penguin (2077 Research). Explores a variety of attack vectors on fraud proofs.
Tools
Masamune: The Smart Contract Security Search Tool. It’s a curated index of audit reports, bug fixes, and technical documentation for many protocols.
Introducing Aderyn's Language Server: Elevating Solidity Security with Real-time Feedback.
Guess ABI - guess the ABI of any Ethereum contract, even if it is not verified on Etherscan. Works by analyzing the bytecode, extracting selectors from PUSH4/JUMPI dispatch sequences and comparing them to known ABI signatures.
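The selector-recovery idea behind that tool is simple enough to show end to end. The following is an added example and not the Guess ABI project's own code: it disassembles EVM bytecode (stepping over PUSH immediates so data bytes are never misread as opcodes), keeps only PUSH4 immediates that feed a dispatch comparison (EQ, a PUSH of the jump target, JUMPI, with any DUPs in between ignored), and looks the selectors up in a small constructed table of well-known ERC-20 signatures. The sample bytecode is hand-built for this example and includes one PUSH4 that is a plain constant, to show that the dispatch pattern filters it out.

```python
from typing import Iterator, Optional

# Constructed lookup table: first 4 bytes of keccak256 of a few ERC-20 signatures.
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "70a08231": "balanceOf(address)",
    "095ea7b3": "approve(address,uint256)",
    "18160ddd": "totalSupply()",
    "23b872dd": "transferFrom(address,address,uint256)",
    "dd62ed3e": "allowance(address,address)",
}

OP_EQ, OP_JUMPI = 0x14, 0x57
OP_PUSH1, OP_PUSH4, OP_PUSH32 = 0x60, 0x63, 0x7F
OP_DUP1, OP_DUP16 = 0x80, 0x8F

def disassemble(code: bytes) -> Iterator[tuple[int, int, bytes]]:
    """Yield (offset, opcode, immediate); PUSHn carries n immediate bytes that must be skipped."""
    i = 0
    while i < len(code):
        op = code[i]
        if OP_PUSH1 <= op <= OP_PUSH32:
            n = op - OP_PUSH1 + 1
            yield i, op, code[i + 1 : i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1

def extract_selectors(code: bytes) -> list[str]:
    """Return PUSH4 immediates that are compared against the calldata selector and branched on."""
    ins = list(disassemble(code))
    found: list[str] = []
    for idx, (_, op, imm) in enumerate(ins):
        if op != OP_PUSH4 or len(imm) != 4:
            continue
        # Solidity dispatchers emit PUSH4 <sel> [DUPx] EQ PUSHn <dest> JUMPI.
        following = [o for _, o, _ in ins[idx + 1 : idx + 5] if not (OP_DUP1 <= o <= OP_DUP16)]
        is_dispatch = (len(following) >= 3 and following[0] == OP_EQ
                       and OP_PUSH1 <= following[1] <= OP_PUSH32 and following[2] == OP_JUMPI)
        if is_dispatch and imm.hex() not in found:
            found.append(imm.hex())
    return found

def guess_abi(code: bytes) -> dict[str, Optional[str]]:
    """Map each recovered selector to a known signature, or None if it is not in the table."""
    return {sel: KNOWN_SELECTORS.get(sel) for sel in extract_selectors(code)}

# Constructed dispatcher fragment; jump targets are arbitrary.
SAMPLE_BYTECODE = bytes.fromhex(
    "80" "63a9059cbb" "14" "610042" "57"   # DUP1 PUSH4 a9059cbb EQ PUSH2 0x0042 JUMPI
    "6370a08231" "81" "14" "610050" "57"   # PUSH4 70a08231 DUP2 EQ PUSH2 0x0050 JUMPI
    "63deadbeef" "50" "00"                 # PUSH4 deadbeef POP STOP: a constant, not a dispatch
    "6312345678" "14" "610060" "57"        # PUSH4 12345678 EQ PUSH2 0x0060 JUMPI: dispatch, unknown sig
)

if __name__ == "__main__":
    for sel, sig in guess_abi(SAMPLE_BYTECODE).items():
        print(f"0x{sel} -> {sig or '<unknown: look up in a selector database>'}")
```

A real run would feed `eth_getCode` output into `guess_abi` and replace the constructed table with a full selector database; selectors that come back as `None` are exactly the unverified contract's custom functions, and the EQ/JUMPI filter is what keeps unrelated 4-byte constants (hashes, magic values) out of that list.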
Gauntlet App - in-depth dashboards for protocols and chains.
Uniswap Pool Playground by Eridian.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content