BlockThreat - Week 46, 2023
Kronos | dYdX | Multichain | Trader Joe | Shiba Inu
About $35M were stolen this week across six compromises. A really high amount, but a relatively quiet week in the world of DeFi. Let’s explore some of the more interesting hacks, but first a word about this week’s sponsors. Maybe the amount above would have been much lower if only projects used BlockSec’s Phalcon Block?
Phalcon Block offers a comprehensive set of tools designed for monitoring, detecting, and responding to web3 compromises. Developed over the course of two years, it has already been utilized to rescue digital assets valued at over $14 million.
What sets this product apart from its competitors is its high signal-to-noise ratio, achieved through a precise attack detection engine and advanced auto-response capabilities — crucial for minimizing losses in a space where exploits can be executed within minutes.
Want to get the word out about your blockchain security related product or company? Consider sponsoring the next edition.
Back to the top hacks of the week. Kronos lost $26,000,000 following API key compromise. A related Woo Network entity was previously targeted by North Korean actors with a phishing campaign.
dYdX experienced a highly profitable trading strategy treatment to the tune of $9,000,000. MDC Brooklyn may need to open up another cell next to Avi and Sam.
Multichain lost another $260,000 due to an insufficient function access control vulnerability. That’s just embarrassing, especially for a protocol that was already hacked 6 times in the past 3 years.
Trader Joe and Spooky Finance front-end compromises serve as a reminder to carefully vet and freeze web2 dependencies in your Dapps.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out SEAL Team’s Crisis Handbook template in the Research section to be used in case of an incident to help manage the investigation.
Let’s dive into the news!
If you created a bitcoin wallet before 2016, your money may be at risk. A vulnerability in the BitcoinJS library used to generate wallets was disclosed by Unciphered. More details on the Randstorm page.
The True Origin of Hacks - Top Web3 Vulnerabilities by Immunefi.
Delaware authorities reported the authors of fake BlackRock XRP filing to law enforcement. The fake filing was used to create a massive XRP price rally.
Bloomberg Crypto X/Twitter account was hijacked with a phishing link.
Crisis Handbook - Smart Contract Hack by SEAL Team.
Account Abstraction Security Guide by ChainLight.
Gas Optimization In Solidity: Strategies For Cost-Effective Smart Contracts by Tiutiun Roman and Malanii Oleh (Hacken).
EVM Hound by g00dv1n is a minimalistic Rust library to extract all potential function selectors from EVM bytecode without source code.
Roundme by Crytic is a human-assisted rounding analyzer. It helps its operator determine whether an arithmetic operation should round up or down.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.