BlockThreat - Week 44, 2023
Unibot | Onyx | FRAX | Monero | Multichain | AAVE | Paradigm CTF | Breakpoint
Greetings!
Lots of DeFi-related incidents this week.
MEV bot attacks continue following the $500,000 MaestroBot compromise. This time, users who approved funds to Unibot lost $640,000 after the first exploit led to a wave of copycats. Both MEV bots were compromised using the same exploit vector. Security by obscurity does not work. Source code or not, attackers will find a way once the TVL is sufficiently attractive.
Onyx Protocol fell for a well-known exploit in Compound forks which allowed attackers to inflate token values in an empty pool.
Monero community wallet drained of $437,000. The news comes more than 2 months after the incident and a month after it was detected.
FRAX was hit with DNS hijacking. Multimillion-dollar projects should be migrating to more secure solutions for domain hosting, as discount entities like Name.com can’t be trusted to protect your Dapp.
More weirdness with Multichain, which reopened briefly without any announcement, allowing a trader to arbitrage depegged tokens for a $1m profit.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, MDC Brooklyn is becoming a crypto crime destination after Avi Eisenberg was moved there to await his trial alongside SBF.
Some positive news: Paradigm CTF was a success, and the newsletter features a number of great writeups. The Breakpoint conference also included a number of security-related presentations, which are listed below to save you time. There is a lot more of course, so check out the Research section for plenty of bug bounty reports and articles exploring the blockchain security frontier.
On the personal side, I am now the father of a beautiful daughter so future editions will be coming at a slower pace as I catch up on sleep and many diaper changes.
Stay safe out there and let’s dive into the news!
Events
TrustX 2023, November 13 and 14, 2023
BlazCTF by Fuzzland on December 1st, 2023.
News
AAVE V2 pools halted after a critical vulnerability report. All forks should disable stable borrows and be on high alert for potential exploitation.
North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware.
WalletConnect restricts service in Russia following OFAC guidance.
Elliptic quietly changed terrorist financing numbers without retraction.
User pockets $1m after Multichain bridge mysteriously restarts — then stops again.
Cryptojackers steal AWS credentials from GitHub in 5 minutes.
J5 countries host “Cyber Challenge” focused on data mining and financial reporting with a focus on cryptocurrency taxation.
Forty countries agree to stop paying cyberattack ransoms at US summit.
Crime
Sam Bankman-Fried found guilty on all seven criminal fraud counts.
Mango Markets exploiter Avraham Eisenberg moved to SBF's prison, trial delayed.
FTX Is Handing Over Customer Crypto Trading Data to the FBI.
Florida man jailed after draining $1M from victims in crypto SIM swap attacks.
Taiwan police bust 324.2 million USDT money laundering operation.
Indian Police Arrest 8 More in $300M Crypto Scam including four of their own.
SafeMoon executives arrested after DOJ, SEC allege they misappropriated millions, buying luxury cars and real estate. SafeMoon was exploited for $8.9m in March after a contract upgrade introduced an arbitrary burn functionality.
Treasury Designates Virtual Currency Money Launderer for Russian Elites and Cybercriminals: Ekaterina Zhdanova.
Ryder Ripps must pay $1.6m in damages in Yuga Labs copycat NFT lawsuit.
Scams
Scammers throw a nightclub party in honor of ZachXBT.
Fake Ledger Live app in Microsoft Store steals $768,000 in crypto.
Malware
Elastic Security Labs report on KANDYKORN malware, which is used by DPRK to target blockchain professionals.
Contests
Paradigm CTF 2023 is over. Congrats to Offside Labs, KALOS, ChainLight, and many amazing teams.
Paradigm CTF 2023 Writeups by ChainLight.
Paradigm CTF 2023 Writeups by fuzzland.
Paradigm CTF 2023 Writeups by KALOS.
Paradigm CTF 2023 Writeups by minaminao.
Paradigm CTF 2023: "Cryptography Challenges" by rkm0959.
Paradigm CTF 2023 Writeups by jade.
Paradigm CTF 2023 Writeups by Ashiq.
Paradigm CTF 2023 Solutions by Aviksaikat.
Paradigm CTF 2023 Challenges Writeup by Faith.
Paradigm CTF 2023 - Dragon Tyrant Solution by ChainSecurity.
Paradigm CTF 2023 - Dragon Tyrant Solution by Voidcenter.
Paradigm CTF 2023 - Black Sheep Writeup by McToady.
Ethernaut
Ethernaut Foundry Solutions by JohnnyTime.
Media
EVM Low Level Vulnerabilities by vn_martinez.
Breakpoint 2023 Security Related Talks:
Breakpoint 2023: An Inside Look into the Past and Future of Solana Security.
Breakpoint 2023: A Security Day Fireside Chat with Anatoly Yakovenko and Thomas Lambertz.
Breakpoint 2023: Back to The Future: What Bugs You Can Expect in Your Project.
Breakpoint 2023: The Good, The Bad, and The Vulnerable: Navigating Common Pitfalls in Solana Program.
Breakpoint 2023: Fuzzing, Formal Methods, and a Loss of Funds.
Breakpoint 2023: Riverguard: Fishing for Loss of Funds in the Stream of Solana Transactions.
Breakpoint 2023: Critical Security Considerations for Web3 Builders.
Breakpoint 2023: Security in Web3: Ensuring User Protection in a Decentralized World.
Breakpoint 2023: When Are You Going to Get Serious About Security?
Breakpoint 2023: Security Considerations from RPC Providers.
Breakpoint 2023: How to use Artificial Intelligence to improve Smart Contract Security.
Research
Uncovering a ZK-EVM Soundness Bug in zkSync Era by ChainLight.
Aztec Connect Claim Proof Bug by Aztec.
On-chain MEV-bot fight live commentary by MevRefund.
Extracting Blockchain Data with Cryo by Bowtieddevil.
Smart Contract Security Audits by Lumin Finance and Krum Pashov.
Immunefi Bug Bounty Writeups List by sayan011.
Cryptocurrency Privacy Technologies: Confidential Transaction Values by Patrick Drotleff.
Thorns in the Rose: Exploring Security Risks in Uniswap v4's Novel Hook Mechanism by BlockSec.
So you want to use TWAP? by Chinmay.
ECDSA signature vulnerabilities by 0xbok.
Deploy and Upgrade Smart Contract Securely with Defender 2.0 by OpenZeppelin by JohnnyTime.
Metamask Snaps: Playing in the Sand by OtterSec.
My Personal Security Researcher Toolbox by Mihailo Rudenko.
Tools
Minitel - raw transaction decoder.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.