Greetings!
A relatively quiet week with just a single major exploit, $6.5M lost to the good ole’ price oracle manipulation. This week also featured a curious transaction ordering exploit on the Cardano network, along with an Arbitrum bridge vulnerability reported by tincho. Indicators are in the premium section as always.
Weeks like these are great to decompress a bit and enjoy a wide collection of excellent research papers, trainings, and even a Tornado Cash documentary. Enjoy.
News
The Joseph Van Loon v. Treasury lawsuit has Treasury admitting it lacks sufficient information to respond to the latest complaint.
Florida Man Sentenced To 18 Months For Theft Of Over $20 Million In SIM Swap Scheme.
Eight Months After Hydra Shutdown, New Russian-language Darknet Markets Are Filling the Void.
DEV-0139 launches targeted attacks against the cryptocurrency industry using malicious Excel documents with embedded macros.
BSV Introduces asset confiscation method in its latest fork.
More reports surface of a possible 3commas API key leak.
Scams
On-chain analysis of an NFT rug pull involving an OnlyFans model by OKHotshot. Interestingly, the subject of the analysis responded with a series of DMCA takedowns against anyone mentioning the scam on Twitter.
Metallica issues crypto scam alert before the 72 Seasons album launch.
Hacks
On December 6, 2022 Option Room lost $150K likely due to private key compromise.
On December 7, 2022 BNB-AES Pool was exploited with a price oracle manipulation exploit for $66K. Interestingly, the attacker was involved with the Ankr compromise earlier this month.
On December 10, 2022 Minswap detected an ongoing front-running attack exploiting default transaction ordering by hash on the Cardano network.
On December 10, 2022 Lodestar lost $6.5M due to a price oracle manipulation vulnerability.
Vulnerabilities
Message traps in the Arbitrum bridge by tincho.
Contests
Secureum Bootcamp - RACE #12 Of The Secureum Bootcamp Epoch∞ by patrickd.
Media
The War On Code - Investigating the Tornado Cash Sanctions and the Arrest of Alexey Pertsev
Zero Knowledge Proofs Class 1 2 3 4 5 6 by Porter and notes by Santiago Palladino.
yAcademy - Block IV - ETH TXN Explorer and VSCode Extension by samczsun.
yAcademy - Block IV - Audit like you mean it by tincho.
yAcademy - Block IV - Initiation to Audits by Joran Honig.
The State of Bridge Security with Immunefi & LI.FI.
Research
How Forta’s Predictive ML Models Detect Attacks Before Exploitation.
Hybrid fuzzing: Sharpening the spikes of Echidna by Trail of Bits.
Sybil tools revealing - Good work requires sharp tools by X-explore and WuBlockchain.
Dissecting Ethereum delegated staking from a security perspective — Part 1 by Coinspect.
Smart Contract Auditing Heuristics by OpenCoreCH.
Learn EVM Attacks exploit collection by coinspect.
Blockchain Security Audit List by 0xNazgul.
Security and Privacy directory by Sov.
Move Audit and Move Prover by Beosin.
Crossing the Bridge by Redefine.
EVM Contract Construction by Tal.
Rust, Realloc, and References by OtterSec.
Accessing Private Data in Smart contracts by QuillAudits.
Smart Contract Security Education Plan by pashov.
Tools
abi-guesser by samczsun.
Threat Hunting and Tracking tool list by SentinelOne.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.