BlockThreat - Week 5, 2024
Ripple | Abracadabra | Binance | CheckDot | Affine | ADC | Iron Bank | Reservoir
Greetings!
The mystery behind the $477m FTX compromise in November of 2022 may have been solved. According to the recent DoJ indictment, the theft occurred as a result of a SIM-swap attack used to bypass 2FA. That’s $477m accessible by a single compromised employee and guarded by an SMS 2FA. Wild, but unsurprising given what we know about the state of FTX security before its collapse!
A massive private key compromise of Ripple’s Chris Larsen resulted in the theft of $112.5m. Siphoning of funds lasted for more than 11 hours and was noticed by ZachXBT a day later. Binance was able to save $4.5m, as the stolen funds quickly moved to various exchanges.
A concerning trend is emerging around rounding error exploits. Starting with the $851k Hope Lending hack in October 2023, there has been a new hack involving this attack vector almost every other week: Channels ($320k), Radiant ($4.5m), Channels again ($250k), Wise Lending ($464k), and now Abracadabra ($6.5m).
In fact, if we look at the updated Top 10 DeFi Exploitation Vectors list so far this year, Rounding Errors now prominently occupies the number 2 slot, right after Stolen Private Keys and above the traditional Price Oracle Manipulation attack vector:
Exploitation Vector - Incidents - Total Losses
Stolen Private Keys - 5 - $27.2m
Rounding Errors - 4 - $11.7m
Price Oracle Manipulation - 4 - $8.1m
Arbitrary External Calls - 4 - $3.5m
Function Parameter Validation - 1 - $3.3m
Reward Manipulation - 4 - $239k
Insufficient Function Access Controls - 2 - $323k
Reentrancy - 2 - $310k
Misconfiguration - 1 - $60k
Spear-phishing - 1
PSA: DeFi developers and auditors should add rounding errors to their top exploitation vector checks.
This week also featured a number of smaller compromises of no more than $100k each. It’s as if someone is systematically sweeping all chains for the most obvious exploits, such as an exposed delegatecall or weak reward calculation logic.
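The rounding-direction property behind that PSA, as an added example that is not code from the newsletter or from any of the protocols named above: a small Python model of vault share accounting (the Vault, Rounding and audit_rounding names are made up here) in which a deposit immediately followed by a redeem must never hand back more assets than were put in. Vault states and amounts are constructed for illustration.

```python
from enum import Enum


class Rounding(Enum):
    DOWN = 0
    UP = 1


def mul_div(a: int, b: int, d: int, rounding: Rounding) -> int:
    """Integer a*b/d with an explicit rounding direction (no floats on-chain)."""
    q, r = divmod(a * b, d)
    return q + 1 if (rounding is Rounding.UP and r) else q


class Vault:
    """Hypothetical share-accounting model. The safe configuration rounds
    against the caller: DOWN when minting shares, DOWN when paying assets out."""

    def __init__(self, assets: int, shares: int, deposit_rounding: Rounding, redeem_rounding: Rounding):
        self.total_assets, self.total_shares = assets, shares
        self.deposit_rounding, self.redeem_rounding = deposit_rounding, redeem_rounding

    def deposit(self, assets: int) -> int:
        minted = mul_div(assets, self.total_shares, self.total_assets, self.deposit_rounding)
        self.total_assets += assets
        self.total_shares += minted
        return minted

    def redeem(self, shares: int) -> int:
        paid = mul_div(shares, self.total_assets, self.total_shares, self.redeem_rounding)
        self.total_assets -= paid
        self.total_shares -= shares
        return paid


def round_trip_gain(vault: Vault, assets: int) -> int:
    """Net assets a caller keeps after deposit(assets) then redeem(minted).
    Anything above zero is value the vault leaks to the caller."""
    return vault.redeem(vault.deposit(assets)) - assets


def audit_rounding(deposit_rounding: Rounding, redeem_rounding: Rounding, max_amount: int = 5) -> list:
    """Return (assets, shares, amount) states where the round trip nets a gain.
    States are constructed: share price above 1, a tiny share supply, price below 1."""
    violations = []
    for assets, shares in [(1_000, 300), (10**18, 7), (999, 1_000)]:
        for amount in range(1, max_amount + 1):
            v = Vault(assets, shares, deposit_rounding, redeem_rounding)
            if round_trip_gain(v, amount) > 0:
                violations.append((assets, shares, amount))
    return violations
```

The DOWN/DOWN vault loses the depositor a little dust and never leaks; any configuration that rounds in the caller's favour on either leg is flagged on the very first state.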
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, deepfakes are getting more realistic, having already tricked someone in TradFi into sending $25m. Be on the lookout for high quality deepfakes hitting crypto soon!
Let’s dive into the news!