Greetings!
More than $60M was stolen this week across six incidents. Smart contract exploitation has returned with a vengeance. Attack vectors such as price oracle and reward manipulation, function parameter validation flaws, and others netted attackers millions of dollars. Let’s examine some of the most notable compromises.
As in the past, one of the largest hacks involved private key theft—but this one had a twist. Dexx, a trading terminal for memecoins on Solana, stores private keys for its users. Private key storage is inherently risky, and when the platform was hacked, thousands of user wallets were drained, resulting in losses of at least $21M.
Now, onto smart contract hacks. A long-standing debate continues over which smart contract platform is safer. The massive $25.5M Thala compromise on the Aptos chain underscores a critical observation: compiler-level features won’t protect against rushed patches that disrupt LP pricing updates.
Price oracle issues impacted three projects this week, with Polter Finance hit the hardest. A classic price oracle manipulation of an LP pool led to a $7M theft on the Fantom chain. Meanwhile, ZK Finance took price oracle exploitation to a new level by hardcoding WBTC to $58K during a post-election rally. Oops.
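The LP-pool manipulation mentioned above comes down to reading a spot price straight from pool reserves. The following constructed simulation (added here, not code from the newsletter or from any of the projects it names) shows a toy constant-product pool, a lender that values collateral at that spot price, and a deviation guard against an independent reference price; all numbers and names are made up.

```python
"""Why an LP spot price is unsafe as a collateral oracle, and one guard against it.

Constructed example: x*y=k pool for TOKEN/USDC, a lender using the pool's spot
price, and a guarded oracle that refuses prices far from a reference (e.g. a TWAP
or an independent feed). A hardcoded reference, as in the WBTC case above, would
defeat the guard because the reference itself never tracks the market.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    reserve_token: float
    reserve_usdc: float

    def spot_price(self) -> float:
        # USDC per TOKEN read directly from reserves: what a naive oracle does
        return self.reserve_usdc / self.reserve_token

    def buy_token(self, usdc_in: float) -> float:
        # Constant-product swap without fees; returns TOKEN paid out
        k = self.reserve_token * self.reserve_usdc
        new_usdc = self.reserve_usdc + usdc_in
        new_token = k / new_usdc
        out = self.reserve_token - new_token
        self.reserve_token, self.reserve_usdc = new_token, new_usdc
        return out


def naive_borrow_limit(pool: Pool, collateral_token: float, ltv: float = 0.8) -> float:
    # Lender trusts the pool spot price to value collateral
    return collateral_token * pool.spot_price() * ltv


def guarded_price(pool: Pool, reference_price: float, max_deviation: float = 0.05) -> float:
    # Refuse to price when the pool diverges too far from the reference
    spot = pool.spot_price()
    if abs(spot - reference_price) / reference_price > max_deviation:
        raise ValueError("spot price deviates from reference; refusing to price")
    return spot


def simulate():
    pool = Pool(reserve_token=1_000_000, reserve_usdc=1_000_000)  # 1 TOKEN = 1 USDC
    reference = 1.0          # independent reference (constructed)
    collateral = 10_000      # TOKEN posted as collateral (constructed)
    before = naive_borrow_limit(pool, collateral)
    pool.buy_token(1_000_000)  # one large swap: reserves become 500k TOKEN / 2M USDC
    after = naive_borrow_limit(pool, collateral)
    try:
        guarded_price(pool, reference)
        guarded_ok = True
    except ValueError:
        guarded_ok = False
    return before, after, pool.spot_price(), guarded_ok
```

The naive limit quadruples after a single swap while the guarded oracle refuses to return a price at all.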
Detailed information about these incidents, along with insights into DeltaPrime, vETH, and other compromises, can be found in the premium section below.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
Daily Warden and Daily Warden Rust categorize ongoing bug hunting events.
ETH Rangers - Incentivizing Public Goods Security Work for the Ethereum Ecosystem by the good folks at The Red Guild.
News
More bug bounty tension between TrustSec and Immunefi. One side is claiming unfair concealment and closure of a vulnerability, while the other calls out repeated attempts at manipulation with a 90-day ban as a consequence. With hundreds of thousands at stake, both bug hunters and projects often get into heated debates over bug validity and severity.
T-Mobile confirms it was hacked in recent wave of telecom breaches. The compromise is part of a larger breach of basically every telecom company in the US by Chinese nation-state actors.
Phantom warns iOS users of wallet 'app resets' after update, urges recovery phrase backup.
Crime
Delhi Police Arrests Bengal Man in ₹2000 Cr WazirX hack. The suspect, SK Masud Alam, appears to be just a mule who sold his WazirX account to the real hackers associated with DPRK. I guess it’s good to celebrate even small victories, but this is not a major development in the case.
Operator of ‘Bitcoin Fog’ Sentenced to More Than 12 Years in Prison for Running Notorious Darknet Cryptocurrency Mixer. Roman Sterlingov was the only defendant in the series of recent sentencings who did not plead guilty.
Operator of Helix Darknet Cryptocurrency “Mixer” Sentenced in Money Laundering Conspiracy and Ordered to Forfeit Over $400M in Assets. Larry Harmon received just a three-year sentence for his testimony against Bitcoin Fog’s Roman Sterlingov.
Ilya Lichtenstein Sentenced to 60 Months For Roles In Bitfinex Hack in “Razzlekhan” Case, As Government Recovers About $10 Billion in Stolen Funds. Ilya Lichtenstein gave similar testimony against Roman Sterlingov.
In Murky Waters by Rekt. A deep dive into Nawaaz Mohammad Meerun, aka Humpy the Whale, and his spree of governance attacks against major DeFi protocols.
South Korea arrests 215 individuals in $232 million crypto fraud scheme.
China and St. Kitts and Nevis dual citizen pleads guilty in $73 million ‘pig butchering’ crypto scam.
Body found in Montreal park identified as kidnapped 25-year-old crypto influencer: reports.
Singaporean Accused Of $230M Crypto Scam Seeks ‘Speedy Trial’ In US. Malone Lam is one of the two perpetrators recently indicted by US DoJ.
Policy
SEC Crypto Enforcement Slated for Major Rollback Under Trump.
Republican State AGs and DeFi Lobby Sue SEC Over Crypto Enforcement Actions.
Phishing
Trader who lost $26M to copy-paste error says it’s been ‘max pain’.
How to stay safe on-chain: Three crypto users lose $876K within hours.
Streamer flashes a fake seed phrase to stage a fake wallet draining.
CZ’s Giggle Academy X account has been hacked.
Scams
The Best Use of AI Ever: A 'Grandma' Built To Waste Telescammers’ Time.
List of accounts affiliated with the Solana Syndicate and their associated rug pulls by Crypto Rug Muncher.
Investigating MrBeast by Coffeezilla. A more balanced investigation based on SomaXBT’s tweet thread as well as the investigation conducted by Loock.
Malware
APT Actors Embed Malware within macOS Flutter Applications by Jamf Threat Labs. DPRK malware targets the crypto industry with enticing app names like “New Updates in Crypto Exchange”.
Contests
The Phishing Dojo by The Red Guild. Face notorious phishing and scam threats in the crypto space, in this unique set of interactive quizzes.
OpenZeppelin’s Ethernauts adds two new levels: Impersonator and Magic Animal Carousel.
Media
Devcon 7 in Bangkok featured an amazing collection of security and privacy talks. You can find the recordings as they get uploaded here.
The Web3 Watchdogs - Episode #2: Adam Healy. A great discussion of data breaches, Web2 and Web3 security, and critical security practices.
Research
Killing Filecoin nodes by Simone Monica (Trail of Bits).
Mastering Effective Test Writing for Web3 Protocol Audits by Dmitry Zakharov, Sergey Boogerwooger (MixBytes).
ZkSync-PreviousBugs repository by Arsen. A collection of previously discovered bugs in ZkSync.
Bounties-Exploit-Bugs repository by Arsen. A collection of explanations of previously exploited DeFi bugs.
Count of Monte Crypto: Accounting-based Defenses for Cross-Chain Bridges.
XChainWatcher: Monitoring and Identifying Attacks in Cross-Chain Bridges.
Semantic Sleuth: Identifying Ponzi Contracts via Large Language Models.
SmartInv: Multimodal Learning for Smart Contract Invariant Inference.
10 Must-Read Papers That Shaped Modern Zero-Knowledge Proofs - ZKSECURITY.
Dave: a decentralized, secure, and lively fraud-proof algorithm.
Tools
EVMole online. Extracts function selectors from EVM bytecode, even for unverified contracts.
DevSecOps Toolkit by The Red Guild, a curated container with the most popular tools they have tried themselves or received by recommendation. Also check out the complementary DevSecOops handbook.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content
Subscribe to Blockchain Threat Intelligence to keep reading this post and get 7 days of free access to the full post archives.