Greetings!
This week’s compromises were dominated by operational security issues, including supply chain attacks, private key theft, hot wallet drains, and social engineering.
The LottieFiles library supply chain attack was particularly noteworthy because it clearly targeted the cryptocurrency industry, injecting a wallet drainer into the DeFi front-ends that loaded the compromised versions of this third-party library. Only 1inch has publicly identified itself as a victim, but there are likely many others. Front-end compromises are rare and are typically caught quickly by vigilant users. Similar incidents, such as Velvet Capital, Spooky, and others, were all caused by reliance on external code included in their front-ends. This attack vector can be mitigated by freezing and self-hosting any external code, pinning it by hash (Subresource Integrity for anything still loaded from a CDN, a lock file for package dependencies), and putting every update or addition through code review.
The rest of the compromises were massive hot wallet hacks such as the M2 Exchange ($13.7M) and MetaWin ($4M) hacks, as well as a private key theft that enabled infinite token minting on Sunray Finance ($2.8M). You can find detailed writeups and indicators in the premium section below.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Notably absent were hacks caused by smart contract exploitation. I had an opportunity to discuss this trend during my State of DeFi Security talk at DSS. Here are the Top 10 attack vectors plaguing the DeFi ecosystem:
Notice how the Stolen Private Keys vector significantly outweighs all others. When such exploits occur, we often lack a full understanding of the entire kill chain since much of the hack happens off-chain. Hidden within this off-chain fog are traditional security issues and exploitation methods, ranging from phishing to infrastructure hacks. As an industry, we must intensify our efforts to protect our projects.
Let’s dive into the news!
News
TON Network Implements Critical Infrastructure Updates in 2024.10 Release.
State of Vyper Security - September 2024. The Vyper ecosystem includes a number of initiatives, including automatic contract scanning, fuzzing, and monitoring of new contract deployments.
Latest ‘Satoshi’ reveal turns into a debacle: Meet Stephen Mollah.
Crime
Founder of Cryptocurrency Financial Services Firm "Gotbit" Indicted for Market Manipulation and Fraud Conspiracy. The indictment is the latest in DoJ’s “Operation Token Mirror” to crack down on market makers offering “pumping” services.
Cryptocurrency firm founder pleads guilty to fraud after novel FBI probe. Liu Zhou’s firm, MyTrade, was involved in the fake market-making offering above.
NFT Developers Plead Guilty to $400,000 'Rug Pull’, Laundering and Wire Fraud. The scam involved the sale of the Solana-based NFT collections Undead Apes, Undead Lady Apes, and Undead Tombstone.
Japanese man sentenced to 3 years after creating crypto ransomware with AI.
Thailand Arrests Police Officers Accused of Staging Fake Interrogation to Extort 165,000 USDT.
DWF Labs dismisses partner over drink spiking allegations, removes Eugene Ng from team page. More in Crossing the Line by Rekt.
Policy
Phishing
Wallet Security Ranking by Coinspect. A comprehensive study of the most popular wallets, based on a methodology that evaluates default permissions, security capabilities, and loss prevention.
Truth Terminal Gone Wild by Rekt. Compromised X account resulted in a massive pump and dump costing investors $1.5M+.
Scams
Scam token cloaking techniques by Daniel Von Fange.
Crypto needs to increase defenses against 654% spike in deepfake scams.
Malware
Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack by Checkmarx. The campaign used a malicious Python package named ‘cryptoaitools’ to steal data and drain wallets.
OpenAI tool used to create voice bot that can drain crypto wallets.
International Sting Unravels Malware Stealing Crypto and Financial Data. The DoJ campaign targeted Redline and META stealers.
Media
Cowboy Kings of Crypto - The College Student Who Stole $7.5M via SIM Swapping by Vice. The story of Joel Ortiz and the SIM swapping spree.
OpenSense - Philosophy of Fuzzing by Kris RenZo.
Trust X Online - Growing as a Security Researcher with Hari.
FIL Dev Summit - Glider: A new generation of blockchain tooling with Kasper Zwijsen.
Research
Not so awesome Web3 Security Researcher roadmap by Tigran Piliposyan.
2 Million Protect Users by Shea Ketsdever. Covers the Flashbots Protect project’s history and future evolution.
$150,000 Evmos Vulnerability Through Reading Documentation by Jay Jonah.
Build secure Uniswap V4 Hooks in AVS by Damian Rusinek (Composable Security).
Across-Platform Detection of Malicious Cryptocurrency Transactions via Account Interaction Learning.
Typosquatting 3.0: Characterizing Squatting in Blockchain Naming Systems.
Sorting Out the Bad Seeds: Automatic Classification of Cryptocurrency Abuse Reports.
Detecting Malicious Accounts in Web3 through Transaction Graph.
COBRA: Interaction-Aware Bytecode-Level Vulnerability Detector for Smart Contracts.
Detection Made Easy: Potentials of Large Language Models for Solidity Vulnerabilities.
Impact of Code Transformation on Detection of Smart Contract Vulnerabilities.
Mapping the DeFi Crime Landscape: An Evidence-based Picture.
Safe Smart Account 1.3.0 - A Deep Dive - PART 1 by gmhacker (Immunefi).
DeFi Staking Explained: From Concept To Risks And Security by Hacker Hacken (Hacken).
Modern DEX-es, how they're made: Balancer V3 by Sergey Boogerwooger, Artem Ustinov (MixBytes).
Solana and Ethereum Security Models by Eduard Kotysh (Oak Security).
Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses by Kaspersky. Root cause analysis of web2 security incidents.
Tools
DIY SEAL Wargames. Introducing the Security Alliance Wargames Drill Scenario Template by Isaac Patka and Kelsie Nabben. The open source repo includes the steps and tools our own team uses to run drills.
Flashbots Protect dashboard on Dune.
Immunefi Bug Bounties (ibb) - command-line tool to find and filter data on Immunefi Bug Bounty Programs.
Merkle Proof Generator by Sean Connolly.
Tornado Cash [Re-built]. This repository re-builds Tornado Cash for educational purposes as a Foundry project, and uses the latest versions of Circom (circomlib and circomlibjs) and snarkJS to generate proofs.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content