Blockchain Threat Intelligence
BlockThreat - Week 48, 2023

Velodrome | 0x431abb | FCN-Trust | Blast | Fulcrum | StakeDAO

Peter Kacherginsky
Dec 15, 2023

Greetings!

A relatively quiet week with $1.8M losses across 13 incidents. Malicious governance proposal attacks continue with two more projects hit within days of each other.

The Velodrome/Aerodrome dapps were DNS hijacked twice, a good reminder that a discount domain registrar like Porkbun has no business managing domains behind multi-million dollar businesses.

Fulcrum is back from the dead with a price oracle manipulation that netted an attacker $200K. The same project was famously targeted with a similar exploit vector as far back as 2020, before losing it all a year later. A French-speaking attacker left an appropriate message to honor the dead giant:

"Chapardez le cadavre, négociez avec les fantômes" (Pilfer the corpse, negotiate with the ghosts)

In other news, the “code is law” debate continues with the curious case of the Platypus compromise back in February 2023. The criminal duo behind the hack not only messed up their exploit contract by locking most of the stolen funds, but also operated from an address linked to their ENS account, leading to their arrest by the French police a few days later. Now a French court has decided that unauthorized use of publicly accessible smart contracts is not illegal and acquitted them of all criminal charges. I hope this doesn’t create a precedent for future legal cases. Good luck to French DeFi projects, and a one-way invite for the two brothers to visit the US for a job interview.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

  • Okta reports that 100% of customer support users had their data stolen, not just 1% in the previous report.

Crime

  • Platypus Finance hackers cleared of criminal charges.

  • Code Is Not (Always) Law by Daniel Kuhn (CoinDesk).

  • Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus.

  • Spain arrests a man wanted by US over North Korea crypto conspiracy.

  • SIM swapper gets 8 years in prison for account hacks, crypto theft. The culprit impersonated Apple Support to steal $386K worth of crypto.

  • Roseau County couple stole vast amounts of electricity to run bitcoin farm.

  • DOJ Files Action to Recover $54 million in Crypto Laundered by Convicted Drug Trafficker.

Policy

  • Binance's 'VIP' traders were forewarned of $4 billion settlement penalty.

  • U.S. Treasury Sanctions North Korean Cyber Intrusion Group Kimsuky.

  • Judge scolds SEC for apparent deception in crypto case, threatens to sanction agency.

Scams

  • Twitter Security Self-Audit by Security Alliance.

  • Telegram Security Self-Audit by Security Alliance.

  • Crypto Phishing Blocklists collection by d0wnlore.

  • Analysis of Fake SlowMist Websites by SlowMist.

  • Code4rena Twitter account hijacked.

  • Reports of an FBI impersonation scam targeting crypto professionals.

  • Reports of a scam targeting crypto professionals with malicious repos.

  • Safe Wallet scammer steals $2M through 'address poisoning' in one week.

  • Hounax scam: Hongkongers who lost HK$148 million to cryptocurrency platform say watchdog warning came too late.

Malware

  • CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits by TrendMicro.

Contests

  • Catch the flag competition over RISC Zero by weikengchen.

  • Forefy Smart Contract Auditors Space.

  • Ethernaut Reforged - customized Foundry environment where devs can create/solve/submit ethernaut challenges without the need for interaction with the Ethernaut CTF website by McCoady.

Media

  • TrustX 2023 Recordings.

Research

  • DIRP - DEFI Incident Response Playbooks by 0xKoda.

  • Threats for UniswapV4 hooks by Damian Rusinek (Composable Security).

  • Creating Invariant Tests for an AMM Smart Contract by bloqarl.

  • An Introduction to Formal Verification Techniques and Tools by secoalba.

  • Aztec Multiple-Spend Error Bugfix Review by Immunefi.

  • Alchemix Missing Solvency Check Bugfix Review by Immunefi.

  • Unveiling the Landscape of Smart Contract Vulnerabilities: A Detailed Examination and Codification of Vulnerabilities in Prominent Blockchains.

  • DeFi Security: Turning The Weakest Link Into The Strongest Attraction.

  • DeFi Fork Bugs by engn33r.

  • Gaming Protocol Fees thread by Dedaub.

  • Curve Price Anomalies thread by Dedaub.

  • Manipulating Curve price oracle fees thread by Daniel Von Fange.

  • Account Abstraction. Auditor’s View by Dmitri Zakharov (MixBytes).

  • A Review on Cryptocurrency Transaction Methods for Money Laundering.

  • How a quant sniped millions from Bitcoin Ordinals by Protos.

  • DAO Decentralization: Voting-Bloc Entropy, Bribery, and Dark DAOs.

  • Applied Politics For Crypto by sambacha.

Tools

  • SEAL: Drill Template - tools that the SEAL Chaos Team uses to coordinate drills with protocol teams.

  • Solana PoC Framework by Neodyme.

  • eBurger - Visualize Solidity Smart Contracts by forefy.

  • EVMole - Extracts function selectors from EVM bytecode, even for unverified contracts by cdump.

  • URL Hash Storage Contract - Solidity smart contracts used to store and verify MD5 hashes of websites to prevent DNS hijacks. Developed by 0xKoda.

  • Gambit - Solidity mutation testing tool by Certora.

  • Etop - like htop for Ethereum. Offers visibility into what’s happening on chain.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Premium Content

This post is for paid subscribers