Greetings!
Only one DeFi exploit the week of the DeFi Security Summit. Is it a coincidence, or are the hackers busy traveling to Bangkok to mingle with other security professionals? As I mentioned in a recent talk, there is one category of attackers - the crypto natives - that are most certainly participating in the same events as the rest of us. Could they be inspired by the many talks, particularly the many inspiring SEAL releases, to change their ways and join the good side? I certainly hope so. In the meantime, be sure to check out the Media section below for live recordings of many fantastic sessions.
In other news, scammers are getting increasingly creative, using reflected XSS to push wallet drainers and sending out fake Devcon event invitations with phishing links. Meanwhile, in-person attacks on crypto owners continue at an alarming rate, with two incidents reported this week.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
ThorChain switched to a self-hosted bug bounty program after a dispute over paying a $270K bounty on Immunefi. I hope there is some outlet for legitimate bug reports so we don’t have a repeat of 2021.
FBI Warning: Cybercriminals Are Stealing Cookies to Bypass Multifactor Authentication.
How much bitcoin will Ross Ulbricht have if Trump sets him free?
An Okta login bug skipped password verification for some long usernames.
Crime
WonderFi CEO Safe After Paying $720,000 Ransom to Kidnappers.
Additional details revealed in the Humpy the Whale governance attack against Compound and other entities.
DOJ and FBI Charge and Arrest Nigerian National In Case Involving $2.4 Million Romance Scam by TRM.
Phishing
Multiple reports of a scam campaign targeting Devcon attendees with fake Eventbrite invites that distribute malicious NFT minting links.
Reflected XSS used to inject a SOL drainer into the PlayHoneyland website.
Illicit Fund Flow Case Study: $55M DAI Phishing by BlockSec.
Scams
Pump and Dump: SHAR by BlockSec.
Under the Influence by Rekt.
Malware
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence by SentinelOne. The campaign, called ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file.
Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages.
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency.
Media
DeFi Security Summit 101 recording.
How to Make It In Web3 Auditing Contests w. Holydevoti0n by JohnnyTime.
Threatside - Work hard, rest genuinely | windhustler | Threatside podcast ep. #9 by deliriusz.
Research
OpenZeppelin Library Vulnerabilities collection.
My Web3 Security & Privacy Stack by OfficerCia.
Swaylend pool lockout writeup by ExVuln.
Solana Token-2022 Security Vulnerabilities by 0xFrankCastle.
Solana Data RPC Guide - Blocks, Tokens, Transfers, and More by Pat Doyle.
Token-2022 Security Best Practices - Part 2: Extensions by Offside Labs.
From x*y=k to Uniswap Hooks: A Comparative Review of Decentralized Exchanges (DEX).
Strengthening DeFi Security: A Static Analysis Approach to Flash Loan Vulnerabilities.
LLM-SmartAudit: Advanced Smart Contract Vulnerability Detection.
Maximal Extractable Value in Decentralized Finance: Taxonomy, Detection, and Mitigation.
DeFi Lending & Borrowing Risk Framework by Chain Risk.
VaR Methodology by Chain Risk. Value at Risk (VaR) methodology to gauge potential losses in DeFi projects.
Modern DEXes, how they're made: Curve StableSwapNG by Sergey Boogerwooger, Pavel Morozov (MixBytes).
Uniswap V4 vs V3: Architectural Changes and Technical Innovations with Code Examples by Giovanni Di Siena (Cyfrin).
Securing Secp256k1 ECDH Against Small Subgroup Attacks by Ajayi Stephen (Hacken).
Find Highs Before External Auditors Using Invariant Fuzz Testing by Dacian.
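An added example on the secp256k1 ECDH item above (my own code, not from the Hacken article or any library). secp256k1 has cofactor 1, so there are no small subgroups on the curve itself; the practical route to a small-subgroup attack is an invalid-curve point. The affine addition formulas for y² = x³ + b never use b, so an unvalidated peer point silently moves the computation onto an attacker-chosen curve y² = x³ + b' whose group can have small subgroups. The curve constants are the standard secp256k1 parameters; the two private scalars and the off-curve point are constructed for the demo.

```python
# Added example: validate a peer's secp256k1 public key before ECDH.
# Pure Python, affine coordinates, for illustration only (not constant time,
# not for production). Curve constants are the standard secp256k1 values.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

# Constructed demo scalars (both below N).
ALICE_PRIV = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
BOB_PRIV = 0xFEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + a*x + b with a = 0.
    b never appears, so these formulas compute the group law of *any*
    curve y^2 = x^3 + b'. That is exactly why invalid-curve points matter."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, pt):
    """Double-and-add. Fine for a demo; leaks timing in real life."""
    acc = INF
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def curve_b(pt):
    """The b for which pt satisfies y^2 = x^3 + b (mod P)."""
    x, y = pt
    return (y * y - x * x * x) % P


def validate_pubkey(pt):
    """Full public-key validation: not infinity, in range, on curve, right order."""
    if pt is INF:
        raise ValueError("point at infinity")
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate out of field range")
    if curve_b(pt) != B:
        raise ValueError("point is not on secp256k1")
    # secp256k1 has cofactor 1, so every on-curve point except INF already has
    # order N. The explicit order check is kept to show the step that matters
    # on curves with cofactor > 1.
    if scalar_mul(N, pt) is not INF:
        raise ValueError("point has wrong order")
    return pt


def ecdh_unchecked(priv, peer_pub):
    """What a naive implementation does: trust the peer's point as-is."""
    return scalar_mul(priv, peer_pub)


def ecdh(priv, peer_pub):
    """Hardened: validate first, then use the x coordinate as the shared secret."""
    return scalar_mul(priv, validate_pubkey(peer_pub))[0]


if __name__ == "__main__":
    alice_pub = scalar_mul(ALICE_PRIV, G)
    bob_pub = scalar_mul(BOB_PRIV, G)
    print("shared secrets agree:", ecdh(ALICE_PRIV, bob_pub) == ecdh(BOB_PRIV, alice_pub))
    # Constructed attacker point: x of G, y off by one, so not on secp256k1.
    evil = (G[0], (G[1] + 1) % P)
    r = ecdh_unchecked(BOB_PRIV, evil)
    print("unchecked result stays on the attacker's curve:", curve_b(r) == curve_b(evil))
    try:
        ecdh(BOB_PRIV, evil)
    except ValueError as e:
        print("hardened ECDH rejected the point:", e)
```

The unchecked path shows the failure mode: Bob's secret scalar is applied on the curve y² = x³ + b' the attacker picked, and with a b' whose group has small-order points the attacker learns Bob's scalar modulo those orders and combines them with the CRT. Range and on-curve checks close that door; the order check is redundant for secp256k1 but essential on curves with cofactor greater than one.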
Contests
Web3 Security Tutorial - Bank Challenge by Al Qa qa.
Tools
Hacks Dashboard by Dune. A comprehensive dashboard tracking scams, phishing, and hacks from multiple resources.
RiskEVM - Chainrisk Simulation Engine. A powerful testing tool specifically designed to simulate real-world DeFi market scenarios with a high level of accuracy and efficiency.
Using Simbolik for Solidity Debugging by Raoul Schaffranek.
Solar is an implementation of the Solidity compiler, in Rust by Georgios Konstantopoulos.
Cross-Chain Token Recovery Registry by Codeislight1. This repository lists projects capable of recovering funds accidentally sent on the wrong chain if the nonce remains unused on the affected chains and the original deployer's private key is still available.
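An added example (my own code, not the registry's) of why the recovery condition in the last Tools item holds. A contract created with CREATE by an externally owned account lands at keccak256(rlp([deployer, nonce]))[12:], which depends only on the deployer address and its nonce, never on the chain. The same key at the same nonce therefore produces the same address on every EVM chain, which is what lets a deployer reach a stranded address on a chain where they never deployed. Keccak-256 is written out in pure Python so the block needs no third-party packages; the deployer address is a sample value and find_nonce is a hypothetical helper.

```python
# Added example: why an EVM CREATE address is identical on every chain.
# Pure-Python Keccak-256 (original Keccak padding byte 0x01, not SHA-3's
# 0x06) so this runs offline. Demo code, not a production hash library.

MASK64 = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
# Rotation offsets indexed [x][y].
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(s):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, s[x + 5*y]."""
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):  # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x][y])
        s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) & MASK64
             for i in range(25)]  # chi
        s[0] ^= rc  # iota
    return s


def keccak256(data: bytes) -> bytes:
    rate = 136  # 1600 - 2*256 bits
    buf = bytearray(data) + b"\x01" + b"\x00" * (-(len(data) + 1) % rate)
    buf[-1] |= 0x80  # multi-rate padding: 0x01 ... 0x80
    s = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s)[:32]


def _rlp_str(b: bytes) -> bytes:
    # A single byte below 0x80 is its own encoding; short strings get 0x80+len.
    if len(b) == 1 and b[0] < 0x80:
        return b
    assert len(b) < 56, "only short strings needed here"
    return bytes([0x80 + len(b)]) + b


def _rlp_uint(n: int) -> bytes:
    # Integers are big-endian with no leading zeros; zero is the empty string.
    return _rlp_str(b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big"))


def create_address(deployer: bytes, nonce: int) -> bytes:
    """EVM CREATE: keccak256(rlp([deployer, nonce]))[12:]. No chain id involved."""
    payload = _rlp_str(deployer) + _rlp_uint(nonce)
    return keccak256(bytes([0xC0 + len(payload)]) + payload)[12:]


def find_nonce(deployer: bytes, target: bytes, max_nonce: int = 10_000):
    """Hypothetical helper: the nonce the deployer must reach on the other chain
    to recreate `target` there. None if it is not within max_nonce."""
    for nonce in range(max_nonce + 1):
        if create_address(deployer, nonce) == target:
            return nonce
    return None


if __name__ == "__main__":
    deployer = bytes.fromhex("6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0")  # sample deployer
    for nonce in range(3):
        print(nonce, "0x" + create_address(deployer, nonce).hex())
    stranded = create_address(deployer, 1)
    print("nonce needed to recreate it on another chain:", find_nonce(deployer, stranded))
```

The recovery only works if the deployer can still reach that nonce on the target chain: every transaction from the key consumes one nonce, so once the key has sent more transactions there than the stranded nonce, the address is gone for good. CREATE2 addresses are also chain-independent but derive from the salt and the init code hash rather than the nonce, so recovering one requires byte-identical deployment bytecode.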
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.