Blockchain Threat Intelligence

BlockThreat - Week 49, 2023

HXA | KyberSwap | Time | Thirdweb | Bearn DAO | Elephant Money | Venus

Peter Kacherginsky
Dec 17, 2023
Greetings!

Thirdweb disclosed a critical vulnerability in libraries implementing ERC2771 and Multicall that allowed an attacker to impersonate msgSender, which effectively breaks every access control check built on it. Coinbase NFT, OpenSea and many other projects were vulnerable. It only took a few days for multiple attackers to weaponize this novel attack vector and start targeting vulnerable projects, starting with the $190K compromise of Time. However, the prize for the most stolen goes to the KyberSwap exploiter, who managed to retrieve $186M worth of HXA coins from the 0xdead address. We should expect to see a spike in similar hacks now that both the details of the vulnerability and exploit PoCs are publicly available.
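The root cause is that an ERC2771 recipient recovers the original sender from the last 20 bytes of calldata when the call comes from its trusted forwarder, while a self-delegating Multicall hands each sub-call only the sub-call's own calldata, so the suffix the recipient reads is no longer the one the forwarder appended. The mitigation is to re-attach the forwarder-supplied suffix to every sub-call. The Solidity below is an added illustration written for this issue, not code from the newsletter or from Thirdweb, OpenZeppelin or any affected project; the contract names, the `_contextSuffixLength()` helper and the constructor-set forwarder are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the newsletter or from any affected project.
// Assumes a contract that is BOTH an ERC-2771 recipient (it trusts a forwarder
// that appends the original sender as the last 20 bytes of calldata) AND exposes
// a multicall() that delegatecalls into itself. All names here are hypothetical.

abstract contract ERC2771Recipient {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) {
        _trustedForwarder = trustedForwarder_;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    // Length of the sender suffix the forwarder appends to calldata (an address).
    function _contextSuffixLength() internal pure returns (uint256) {
        return 20;
    }

    // Standard ERC-2771 sender recovery: if the caller is the trusted forwarder,
    // the real sender is the last 20 bytes of calldata; otherwise it is msg.sender.
    function _msgSender() internal view virtual returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= _contextSuffixLength()) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

abstract contract HardenedMulticall is ERC2771Recipient {
    // Hardened multicall: when the outer call arrived through the trusted
    // forwarder, re-attach the forwarder-supplied sender suffix to every
    // sub-call. delegatecall preserves msg.sender (still the forwarder), so
    // _msgSender() inside each sub-call resolves to the outer, verified sender
    // rather than to whatever trailing bytes the sub-call payload carried.
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            if (!ok) {
                // Bubble up the sub-call's revert data unchanged.
                assembly {
                    revert(add(ret, 0x20), mload(ret))
                }
            }
            results[i] = ret;
        }
    }
}
```

The unsafe variant differs by a single line, `address(this).delegatecall(data[i])` with no appended context, which is why the check is easy to miss in review: audit any contract that mixes a trusted forwarder with self-delegating batching, and confirm the batching path either forwards the suffix as above or refuses forwarded calls entirely.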

Bearn DAO, Elephant Money, and Venus Protocol were also exploited through more traditional price-oracle issues, with total losses exceeding $1.2M.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

  • Bitcoin inscriptions added to the National Vulnerability Database.

  • Uranium Finance attacker cashed out $25M worth of ETH on Magic the Gathering cards.

  • Tether Freezes 41 Crypto Wallets Tied to Sanctions.

  • Hack Hauls Halve From 2022 by TRM.

  • Crypto Losses in November 2023 by Immunefi.

Crime

  • Do Kwon will be extradited to US by Montenegro Justice Minister.

  • UK police return £8 million in bitcoin stolen by chronically ill bed-bound thief.

  • Founder of Bitzlato Cryptocurrency Exchange Pleads Guilty in Money-Laundering Scheme.

  • Round Rock man steals $600K in cryptocurrency through SIM swapping scheme.

  • ‘Fugitive’ Spanish aristocrat behind North Korea cryptocurrency conference arrested.

Policy

  • Bipartisan group of senators introduce bill to expand Treasury Department's sanctions powers and provide more resources to address crypto.

Scams

  • Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram by SlowMist.

  • Fake MEV bot scam solicited $1.2M from investors.

  • Plenty of Phish by Rekt.

Contests

  • Blaz CTF 2023 Writeup by Kaiziron.

Media

  • Curve Finance - Hacked! by Junion.

Research

  • SmartSecHub - Your Gateway to Collective Security Wisdom.

  • Report on Certik’s Aptos-Related Bug Bounty by Wormhole.

  • Finding a Critical Vulnerability in Astar by Zellic.

  • Different parsers, different results by Nnez.

  • Introduction to Echidna by All things fuzzy.

  • Foundry tips by InfectedCrypto.

  • Foundational Security Risk Analysis of Popular DeFi Projects by SlowMist.

  • Security system starts with the testing: how to properly battle test your smart contracts by bloqarl.

  • Cracks in the Code: Understanding the Vulnerabilities of AMM Protocols by millietez.

  • Solana: Jumping Around in the VM by OtterSec.

  • Ensuring the Security of Soul-Bound Tokens in Soul Society by Malanii Oleh (Hacken).

  • Mitigating the Array Parameter Location Vulnerability in Solidity Smart Contracts by Olympix.

  • Airdrops: Giving Money Away Is Harder Than It Seems.

  • Understanding Ethereum Mempool Security under Asymmetric DoS by Symbolic Fuzzing.

Tools

  • Simbolik Solidity Debugger by Runtime Verification.

  • Snip - a fast and simple Metamask Snap security scanner.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Premium Content

This post is for paid subscribers

© 2025 Peter Kacherginsky