BlockThreat - Week 5, 2023
T-Mobile | Bonq | Orion Protocol | SperaxUSD
Unfortunately my predictions of major hacks dropping after a few weeks of quiet were true. Where to begin? T-Mobile was breached, again. The compromise also affects third-party providers such as Google Fi and Mint, which use its network. So if you are their customer, now is the time to change your password and be on the lookout for signs of phone porting. On the DeFi side we had the $120M Bonq exploit, which relied on a cheap-to-manipulate price oracle, and Orion Protocol with a good ole' reentrancy.
On the more positive side, the FBI briefly changed its profile picture to a seized BAYC, thanks to a tip from ZachXBT.
Hope you stay safe out there. Let’s dive into the news, but first a really interesting note from our sponsors at Chainalysis on how the bad actors launder stolen assets!
$23.8B in Crypto Laundered in 2022 (up from $14.2B last year 🤯)
Money laundering is critical to all financially motivated crime—it enables criminals to cash out from their nefarious activities without being detected. We’re seeing the majority of laundering activity happen at fiat off-ramps like centralized exchanges, though we’ve also seen a big spike in underground money laundering services touting brand names and sophisticated infrastructure.
T-Mobile was hacked to steal the data of 37 million accounts in an API data breach. The compromise affects other providers such as Google Fi, which has already reported SIM swaps, Mint Mobile, and others.
On January 30, 2023 Bevo lost $45K in a reward manipulation exploit.
On January 31, 2023 Shredded Apes lost $230K on Solana likely due to private key compromise.
On February 2, 2023 Orion Protocol lost $3M due to a reentrancy vulnerability which allowed the attacker to inflate deposited assets.
On February 5, 2023 Degen Millionaires Club lost $18K by deploying a contract with a mint function and no access controls.
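The Degen Millionaires Club item is a reminder of how cheap this mistake is to make and how cheap it is to prevent. The following is an added example written for this newsletter, not the project's contract: a token whose `mint` is callable by anyone, next to one where minting is restricted to a designated minter role that only the owner can rotate. The contract names, the `minter`/`owner` roles and the `MinterChanged` event are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not project code. Hypothetical token contracts showing an
// unguarded mint next to a role-gated one.

// VULNERABLE: no access control, so any caller can credit any address.
contract OpenMintToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amount) external {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// HARDENED: minting is limited to a single minter address controlled by the owner.
contract GuardedMintToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;
    address public minter;

    event MinterChanged(address indexed previous, address indexed current);
    event Minted(address indexed to, uint256 amount);

    constructor(address initialMinter) {
        require(initialMinter != address(0), "zero minter");
        owner = msg.sender;
        minter = initialMinter;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyMinter() {
        require(msg.sender == minter, "not minter");
        _;
    }

    // Only the owner may hand the minting right to a new address.
    function setMinter(address newMinter) external onlyOwner {
        require(newMinter != address(0), "zero minter");
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    // Gated mint: the modifier reverts for every caller except `minter`.
    function mint(address to, uint256 amount) external onlyMinter {
        require(to != address(0), "zero recipient");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount);
    }
}
```

A useful pre-deployment check is to list every state-changing function in the ABI and confirm that each one is either intentionally public (transfers, approvals) or carries a modifier that names who may call it; a `mint` with no modifier should never get past that list. Emitting an event on every privileged action also makes post-deployment monitoring straightforward.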
How to Foundry 2.0 by Brock Elmore.
Tornado Cash and Blockchain Privacy: A Primer for Economists and Policymakers by FRB of St. Louis.
Awesome Oracle Manipulation by 0xcacti.
2022 Year in Review: Lending Protocols by CertiK.
Exploring Cosmos: A Security Primer by Rajvardhan.
Smart Contract Auditor Study Plan by bytes032.
Openchain Transaction Tracer by samczsun.
BlockFence - Simple Chrome Extension That Explains Smart-Contracts With GPT-3.
Halmos - Symbolic Bounded Model Checker for Ethereum Smart Contracts Bytecode.