BlockThreat - Week 43, 2023
LastPass | Maestro | Astrid | UniPass | SEAL
LastPass users who once stored their mnemonic passphrases in the password manager continue to be drained following the August 2022 compromise. More than $4.4m was stolen in a single day according to ZachXBT and Tay. The total stolen amount keeps growing as more victims come forward.
An interesting trend is developing in the DeFi security space where MEV bots are reverse engineered and exploited. In the case of the MaestroBot compromise it was classic security by obscurity: an unauthenticated and unchecked arbitrary call execution left accessible to the public.
On a more positive note, there was a lot of whitehat activity, ranging from SEAL team volunteers running tabletop exercises for DeFi projects, recovery of multiple vulnerable account abstraction wallets, and evil MEV bot backrunning, to plenty of bug bounty reports. Hurray to the blockchain security heroes! You are the reason billions will be using crypto without the fear of hacks and scams.
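To make the weakness class named above concrete, the following Solidity snippet is an added illustration written for this edition; it is not MaestroBot's code and not from any project mentioned here. The first contract is a hypothetical executor that forwards arbitrary calls with no caller check, which means any token approvals or balances held by the contract are usable by whoever finds it; the second restricts both the caller and the set of callable targets and logs every forwarded call so anomalies can be detected on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical weak pattern: an executor anyone can drive. Not real bot code.
contract UnprotectedExecutor {
    // Any caller can make this contract call any target with any calldata,
    // so approvals granted to this contract can be spent by anyone.
    function execute(address target, bytes calldata data) external payable {
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
    }
}

// Hardened variant: only the owner may call, only into allowlisted targets,
// and every forwarded call is logged for monitoring.
contract GuardedExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    event Executed(address indexed target, bytes4 indexed selector, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Targets are fixed at deployment; adding new ones would need its own
    // owner-gated function (omitted here to keep the example short).
    constructor(address[] memory targets) {
        owner = msg.sender;
        for (uint256 i = 0; i < targets.length; i++) {
            allowedTarget[targets[i]] = true;
        }
    }

    function execute(address target, bytes calldata data) external payable onlyOwner {
        require(allowedTarget[target], "target not allowed");
        require(data.length >= 4, "missing selector");
        (bool ok, ) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        emit Executed(target, bytes4(data[:4]), msg.value);
    }
}
```

The caller check alone closes the public-access hole; the target allowlist limits the blast radius if the owner key is ever compromised, and the event gives operators something to alert on when an unexpected target or selector shows up.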
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
SEAL Drills program helps DeFi projects practice incident response scenarios. Compound and Yearn had IR practice runs so far.
They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird by Andy Greenberg (Wired).
SIM Swappers Are Working Directly with Ransomware Gangs Now by Joseph Cox (404 Media).
This Cybersecurity Pro Gets Paid to Hack Ethereum – for the Good of the Network featuring David Theodore (Ethereum Foundation).
Protecting Web3 - 2023 Q3 Security Insights by Hacken.
US Lawmakers Ask DOJ to Consider Criminal Charges Against Binance and Tether based on allegation of facilitating terrorist financing.
Scammers steal Cryptopunk 1705 from Julien Bouteloup (Rekt) in an Earn Airdrop phishing scam.
StripedFly: Perennially flying under the radar by Kaspersky.
ETHOnline 2023 - Security Summit - Why Crypto Security Matters with Jack Sanford (Sherlock).
ETHOnline 2023 - Security Summit - Live Audit with Patrick Collins (Cyfrin).
ETHOnline 2023 - Security Summit - Formal Verification with DeFi with Sameer Arora.
ETHOnline 2023 - Security Summit - Why DevSecOps is Essential to Blockchain Security with Samridh Saluja.
ETHOnline 2023 - Security Summit - Securing Validating Bridges with Toghrul Maharramov.
Scraping Bits - Building A Thriving Solo Smart Contract Auditing Brand - Ft Bytes032.
Oracle Manipulation | Web3 Security 101 by Owen Thurm.
Fireblocks researchers uncover first Account Abstraction wallet vulnerability. Kudos to Oren Yomtov for saving users’ funds.
How I saved 66 ETH from a potential MEV bot theft by yannickcrypto.
A Deep Dive into our Storage Layout Extractor by Tal (smlXL).
OWASP Smart Contract Top 10 by AnonX.
MEV zero to hero thread by Smacaud.
A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool — Part 2 by Antonio Viggiano (Oak Security).
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.