Greetings!
The HopeLend rounding error vulnerability was exploited for more than $850K. Luckily, the exploit transaction was submitted to the public mempool, where it was promptly front-run by an MEV bot, which returned all of its profits. This once again proves the enormous utility of generalized front-running bots for securing web3 projects in the midst of an exploit.
TrueUSD revealed a PII leak back in September due to a “third party breach”. If that sounds familiar, September was the month when multiple projects announced similar breaches, likely due to the Retool hack on August 29, 2023. The hack may have also resulted in private key theft, as one of the TUSD deployer addresses was used to create an unauthorized token.
The Synthetify governance hack reminds us that project decentralization does not magically make it safe without security controls, such as analyzing every single proposal and setting reasonable quorum parameters.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
On the web2 side, projects and exchanges using Okta for authentication should be on high alert after the recent compromise. Oh, and be sure to read up on the tactics used by North Korea to gain employment at your company. Who needs exploits or phishing emails when you are just handed the keys from the inside?
Let’s dive into the news!
Events
Paradigm CTF 2023 on October 28, 2023.
News
Hackers Stole Access Tokens from Okta’s Support Unit. The breach was originally discovered by BeyondTrust on October 2nd and was later confirmed by Okta in a blog post with detailed indicators. Please review 1Password’s incident report for information on how attackers will attempt to gain access to your Okta admin session.
How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs by Kim Zetter (Zero Day).
Lightning Network Developer Warns About Major Vulnerability, Abandons Security Tasks.
TrustToken/TrueUSD revealed a customer KYC leak affecting almost 45,000 customers due to a third-party breach back in September. This could be another victim of the Retool hack on August 29, 2023.
Atomic Wallet freezes $2M in ‘suspicious deposits’ on exchanges.
Terror
Correcting the Record: Inaccurate Methodologies for Estimating Cryptocurrency’s Role in Terrorism Financing by Chainalysis.
Treasury Sanctions Gaza-based virtual currency exchange BuyCash in wake of Hamas attacks by TRM.
Palestinian jihadists received USDT via Binance, says Israel.
Crime
Dormant $144M in Bitcoin From Defunct Abraxas Darknet Market Moved After Years of Inactivity.
From High Life Hackers to National Menace: The Rise and Fall of Digital Bandits 'ACG' by Joseph Cox (404).
Inside a $30 Million Cash-for-Bitcoin Laundering Ring in the Heart of New York by Joseph Cox (404).
Four suspects face death penalty in South Korea crypto murder case.
Scams
Unveiling the Deceptive ‘Angel Drainer’ Phishing Gang & Proactive Strategies to Stay One Step Ahead! by SlowMist.
Web3 game project allegedly hired actors to pose as executives in $1.6M exit scam. Fintoch aka Standard Cross Finance scammers strike again.
California bill aims to cap crypto ATM withdrawals at $1K per day to combat scams.
Namibian Police Arrest 20 Ringleaders of Local Pig Butchering Crypto Scam.
Malware
ClearFake: a newcomer to the “fake updates” threats landscape by Sekoia.
Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks by Cado Security.
Media
The secret life of Jimmy Zhong, who stole – and lost – more than $3 billion by Eamon Javers and Paige Tortoreli (CNBC).
Scraping Bits - Reverse Engineering Contracts with Jon Becker.
Smart Contract Shadow Audit in CodeHawks with Kristian Apostolov.
Research
Gateway Free Web3 Security Course by Guardian Audits (Owen Thurm).
What Are the Common Characteristics of Recent Web3 Attacks, and How Can Projects Avoid These Issues? by Beosin.
Cryptocurrency Privacy Technologies: Borromean Ring Signatures by Patrick Drotleff.
Exploiting EC-Recover For Efficient Borromean Ring Signatures by Patrick Drotleff.
Upgradeable Smart Contracts (USCs): Exploring The Concept And Security Risks by Palamarchuk Roman and Malanii Oleh (Hacken).
Retrospecting Arbitrary Position Cancellation Vulnerability in Perpetual Protocol by ChainLight.
Bounty Program Helps Fix Contract Vulnerability by Łukasz Zimnoch (Threshold) on an arbitrary minting vulnerability in tBTC.
Whitepapers
Towards Understanding and Characterizing the Arbitrage Bot Scam In the Wild.
Large Language Model-Powered Smart Contract Vulnerability Detection: New Perspectives.
AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities.
DeFiWarder: Protecting DeFi Apps from Token Leaking Vulnerabilities.
Your Exploit is Mine: Instantly Synthesizing Counterattack Smart Contract.
Automated Generation of Security-Centric Descriptions for Smart Contract Bytecode.
DeFiTainter: Detecting Price Manipulation Vulnerabilities in DeFi Protocols.
Turn the Rudder: A Beacon of Reentrancy Detection for Smart Contracts on Ethereum.
Confusum Contractum: Confused Deputy Vulnerabilities in Ethereum Smart Contracts.
Characterizing Cryptocurrency-themed Malicious Browser Extensions.
Tools
Slither 0.10.0 adds support for Vyper and includes additional detectors.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content