BlockThreat - Week 44, 2023
Unibot | Onyx | FRAX | Monero | Multichain | AAVE | Paradigm CTF | Breakpoint
Lots of DeFi-related incidents this week.
MEV bot attacks continue following the $500,000 MaestroBot compromise. This time, users who approved funds to Unibot lost $640,000 after the first exploit led to a wave of copycats. Both MEV bots were compromised using the same exploit vector. Security by obscurity does not work. Source code or not, attackers will find a way once the TVL is sufficiently attractive.
Onyx Protocol fell for a well-known exploit in Compound forks which allows attackers to inflate token values in an empty pool.
Monero community wallet drained of $437,000. The news comes more than 2 months after the incident and a month after it was detected.
FRAX was hit with DNS hijacking. Multimillion-dollar projects should be migrating to more secure solutions for domain hosting, as discount registrars like Name.com can’t be trusted to protect your Dapp.
More weirdness with Multichain, which briefly reopened without any announcement, allowing a trader to arbitrage depegged tokens for a $1m profit.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, MDC Brooklyn is becoming a crypto crime destination after Avi Eisenberg was moved there to await his trial alongside SBF.
Some positive news: Paradigm CTF was a success and this edition features a number of great writeups. The Breakpoint conference also had a number of security-related presentations, which are listed below to save you time. There is a lot more of course, so check out the Research section for plenty of bug bounty reports and articles exploring the blockchain security frontier.
On the personal side, I am now the father of a beautiful daughter so future editions will be coming at a slower pace as I catch up on sleep and many diaper changes.
Stay safe out there and let’s dive into the news!
AAVE V2 pools halted after a critical vulnerability report. All forks should disable stable borrows and be on high alert for potential exploitation.
Elliptic quietly changed terrorist financing numbers without retraction.
J5 countries host “Cyber Challenge” focused on data mining and financial reporting, with a focus on cryptocurrency taxation.
Indian Police Arrest 8 More in $300M Crypto Scam, including four of their own.
SafeMoon executives arrested after DOJ, SEC allege they misappropriated millions, buying luxury cars and real estate. SafeMoon was exploited for $8.9m in March after a contract upgrade introduced an arbitrary burn functionality.
Scammers throw a nightclub party in honor of ZachXBT.
KANDYKORN malware report by Elastic Security Labs which is used by DPRK to target blockchain professionals.
Paradigm CTF 2023 is over. Congrats to Offside Labs, KALOS, ChainLight, and many amazing teams.
Paradigm CTF 2023 Writeups by ChainLight.
Paradigm CTF 2023 Writeups by fuzzland.
Paradigm CTF 2023 Writeups by KALOS.
Paradigm CTF 2023 Writeups by Ashiq.
Paradigm CTF 2023 Solutions by Aviksaikat.
Paradigm CTF 2023 Challenges Writeup by Faith.
Paradigm CTF 2023 - Dragon Tyrant Solution by ChainSecurity.
Paradigm CTF 2023 - Dragon Tyrant Solution by Voidcenter.
Paradigm CTF 2023 - Black Sheep Writeup by McToady.
Ethernaut Foundry Solutions by JohnnyTime.
EVM Low Level Vulnerabilities by vn_martinez.
Breakpoint 2023 Security-Related Talks:
Uncovering a ZK-EVM Soundness Bug in zkSync Era by ChainLight.
Aztec Connect Claim Proof Bug by Aztec.
On-chain MEV-bot fight live commentary by MevRefund.
Extracting Blockchain Data with Cryo by Bowtieddevil.
Smart Contract Security Audits by Lumin Finance and Krum Pashov.
Immunefi Bug Bounty Writeups List by sayan011.
Cryptocurrency Privacy Technologies: Confidential Transaction Values by Patrick Drotleff.
So you want to use TWAP? by Chinmay.
ECDSA signature vulnerabilities by 0xbok.
Metamask Snaps: Playing in the Sand by OtterSec.
My Personal Security Researcher Toolbox by Mihailo Rudenko.
Minitel - raw transaction decoder.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.