BlockThreat - Week 42, 2023
Fantom | HopeLend | Synthetify | MicDAO | Coins.ph
HopeLend rounding error vulnerability was exploited for more than $850K. Luckily the exploit transaction was in a public mempool, where it was promptly front-run by a MEV bot, which returned all of its profits. This once again proves the enormous utility of generalized front-running bots in securing web3 projects in the midst of an exploit.
TrueUSD revealed a PII leak back in September due to a “third party breach”. If that sounds familiar, September was the month when multiple projects announced similar breaches, likely due to the Retool hack on August 29, 2023. The hack may have also resulted in private key theft, as one of the TUSD deployer addresses was used to create an unauthorized token.
Synthetify governance hack reminds us that project decentralization does not magically make a project safe without security controls that analyze every single proposal and reasonable quorum parameters.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
On the web2 side, projects and exchanges using Okta for authentication should be on high alert after the recent compromise. Oh and be sure to read up on the tactics used by North Korea to gain employment at your company. Who needs exploits or phishing emails when you are just handed the keys from the inside?
Let’s dive into the news!
Paradigm CTF 2023 on October 28, 2023.
Hackers Stole Access Tokens from Okta’s Support Unit. The breach was originally discovered by BeyondTrust on October 2nd and was later confirmed by Okta in a blog post with detailed indicators. Please review 1Password’s incident report for information on how attackers will attempt to gain access to your Okta admin session.
Inside a $30 Million Cash-for-Bitcoin Laundering Ring in the Heart of New York by Joseph Cox (404).
Web3 game project allegedly hired actors to pose as executives in $1.6M exit scam. Fintoch aka Standard Cross Finance scammers strike again.
Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks by Cado Security.
The secret life of Jimmy Zhong, who stole – and lost – more than $3 billion by Eamon Javers and Paige Tortoreli (CNBC).
Scraping Bits - Reverse Engineering Contracts with Jon Becker.
Smart Contract Shadow Audit in CodeHawks with Kristian Apostolov.
Gateway Free Web3 Security Course by Guardian Audits (Owen Thurm).
Cryptocurrency Privacy Technologies: Borromean Ring Signatures by Patrick Drotleff.
Exploiting EC-Recover For Efficient Borromean Ring Signatures by Patrick Drotleff.
Upgradeable Smart Contracts (USCs): Exploring The Concept And Security Risks by Palamarchuk Roman and Malanii Oleh (Hacken).
Bounty Program Helps Fix Contract Vulnerability by Łukasz Zimnoch (Threshold) on arbitrary minting vulnerability in tBTC.
Slither 0.10.0 adds support for Vyper and includes additional detectors.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.