BlockThreat - Week 50, 2023
Ledger | OKX | Flooring | Aurory | Hypr | Peapods
As the cryptocurrency market recovers, so does attackers’ renewed interest in stealing anything that is not bolted down. More than $7,000,000 was stolen this week in seven incidents ranging from private key theft to mass Dapp compromises. Let’s explore some of the more interesting cases.
The Ledger Connect NPM package was compromised, leading to $600K+ losses from users’ wallets. The hack affected users of RevokeCash, PancakeSwap, SushiSwap, Zapper, Harvest, and other DeFi projects. The initial attack vector was a targeted phishing attack against a former Ledger employee leading to NPMJS account compromise. Angel Drainer, the threat actor responsible for the attack, has employed similar tactics in other compromises targeting Balancer, Galxe, Frax, Velodrome, and other projects. This incident raises many questions about the state of Ledger’s corp and infra security. Why was a former employee allowed to publish official Ledger packages? Why was a single person allowed to publish to production? What is the review process? Are there any endpoint security and authentication controls? What measures exist for package version freezing, security scanning, and monitoring?
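The questions above about package version freezing and monitoring come down to one control: a frontend should only load dependency versions that were reviewed, installed from a lockfile whose entries carry an integrity hash. The following Node script is an added example, not code from BlockThreat, Ledger, or any of the affected projects; it audits a package-lock.json (lockfileVersion 3 layout) against a small allowlist of frozen versions for packages that touch wallets or signing. The package names, versions, hashes and the lockfile itself are constructed for illustration.

```javascript
// Added example (not from BlockThreat or Ledger): audit an npm lockfile for
// dependencies that are not frozen to a reviewed version, lack an integrity
// hash, or resolve from an unexpected registry. All names/hashes constructed.

const ALLOWED_REGISTRY = "registry.npmjs.org";

// Constructed sample of a package-lock.json (lockfileVersion 3) as npm writes it.
const SAMPLE_LOCKFILE = {
  name: "dapp-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "dapp-frontend", version: "1.0.0" },
    "node_modules/@example/wallet-connector": {
      version: "1.1.8", // drifted: policy below expects 1.1.7
      resolved: "https://registry.npmjs.org/@example/wallet-connector/-/wallet-connector-1.1.8.tgz",
      integrity: "sha512-constructedHashForVersion118AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
    },
    "node_modules/@example/ui-kit": {
      version: "2.0.3",
      resolved: "https://registry.npmjs.org/@example/ui-kit/-/ui-kit-2.0.3.tgz",
      integrity: "sha512-constructedHashForUiKit203BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==",
    },
    "node_modules/@example/unhashed": {
      version: "0.4.1",
      resolved: "https://registry.npmjs.org/@example/unhashed/-/unhashed-0.4.1.tgz",
      // no integrity field: npm cannot verify the tarball it installs
    },
    "node_modules/@example/mirror-dep": {
      version: "3.2.0",
      resolved: "https://mirror.example.net/@example/mirror-dep/-/mirror-dep-3.2.0.tgz",
      integrity: "sha512-constructedHashForMirrorDep320CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==",
    },
  },
};

// Policy: packages that can touch wallets or signing are frozen to the exact
// version and tarball hash the team reviewed. Constructed values.
const FROZEN_PACKAGES = {
  "@example/wallet-connector": {
    version: "1.1.7",
    integrity: "sha512-constructedHashForVersion117DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD==",
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs keep
// the innermost name).
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return lockKey.slice(idx + marker.length);
}

// Returns a list of { name, issue, detail? } findings; an empty list means the
// lockfile satisfies the policy.
function auditLockfile(lock, frozen, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageName(key);

    // Every installed tarball must be pinned by a strong hash.
    if (!entry.integrity || !entry.integrity.startsWith("sha512-")) {
      findings.push({ name, issue: "missing-or-weak-integrity" });
    }

    // Tarballs must come from the registry the team expects.
    if (entry.resolved) {
      const host = new URL(entry.resolved).host;
      if (host !== allowedRegistry) {
        findings.push({ name, issue: "unexpected-registry", detail: host });
      }
    }

    // Frozen packages must match both the reviewed version and its hash, so a
    // newly published release cannot be picked up silently.
    const policy = frozen[name];
    if (policy) {
      if (entry.version !== policy.version) {
        findings.push({ name, issue: "version-drift", detail: `${policy.version} -> ${entry.version}` });
      } else if (entry.integrity !== policy.integrity) {
        findings.push({ name, issue: "integrity-mismatch" });
      }
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCKFILE, FROZEN_PACKAGES));
```

Running the script over the sample flags the drifted wallet package, the dependency with no integrity hash, and the one resolved from a non-allowlisted host, while the unremarkable UI package passes. In a real pipeline the same check runs in CI before `npm ci`, and a new version of a frozen package can only enter the lockfile through a reviewed change to the policy, which is the "version freezing" the questions above ask about.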
Bridge hacks are back! Hypr bridge reinitialization bug was exploited to steal $334K, and another $830K was stolen from Aurory SyncSpace bridge on Arbitrum.
Reentrancy vulnerabilities continue to persist. NFT Trader and Peapods Finance were hit this week, losing $3,000,000 and $230,000 respectively. What's more interesting about both of these hacks is the involvement of whitehats in helping recover funds in unique ways.
The NFT Trader hack is a good case study of how whitehats should act. We could watch a live X thread of 0xfoobar and Fade brainstorming and instructing the project on a way to disable an unpausable contract to prevent further theft. NFT Trader applied the patch, and all of the copycat attacks immediately stopped. Both whitehats worked with the victim and did not execute any unauthorized actions. Kudos!
The Peapods Finance case couldn’t be more different. The attacker rationalized proactively hacking the project due to the simplicity of the exploit and their inability to reach the project’s owners. During the hack, they raised a lot of red flags such as using FixedFloat, swapping stolen assets to ETH, on-chain “whitehat” messages, etc. To make things worse, the exploit went over the public mempool, exposing it to MEV bots and copycats. Following the attack, ZachXBT quickly doxxed the attacker, impacting the whitehat’s safety and reputation.
These two unique cases hold many lessons for future whitehats. Regardless of good intentions, taking unilateral action can move markets, accidentally lock up funds, alert copycats, and anger and scare the very people you are trying to help. Maybe we should follow an agreed-upon guideline such as the one proposed by Composable Security to avoid unnecessary stress and jail time. Also, reach out to Seal 911 to get help finding the right contact and to execute whitehat hacks safely. I know that feeling of rush when staring at a working exploit, but that’s just the time to take a breath and do the right thing.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
You can read more about the fascinating compromises mentioned above as well as OKX DEX private key theft and the massive $1.6M Flooring Protocol hack in the premium section, but for now let’s dive into the news!
Cyfrin Updraft launched. A free smart contract security training resource by Patrick Collins, Tincho, JohnnyTime, Owen Thurm, Pashov, and many others.
IRS published top 10 cases of 2023 featuring a number of crypto cases.
Ex-Amazon engineer pleads guilty to hacking crypto exchanges. Shakeeb Ahmed admitted to compromising Nirvana Finance and Crema Finance on Solana for $3.5M and $8.5M respectively.
Reports of an actively exploited account impersonation bug in Twitter/X.
A Darknet Investigation into Ver.ae by Breadcrumbs.
Risks on CEX’s Confirmation Number on Arbitrum and Optimism by ChainLight.
A Tale of Little Bugs by Kostas Chatzikokolakis (Dedaub).
Halting the Cronos Gravity Bridge by Faith.
ZK-SNARKS & The Last Challenge Attack: Mind Your Fiat-Shamir! by OpenZeppelin.
LavaMoat and the Ledger Software Supply Chain Attack by Kumavis (Metamask).
Smart Contracts & Incident Response: Insight on Current Mechanisms by Casey Erikson (OpenZeppelin).
Incident Response: Stop Loss of Funds with an Organized Approach by Casey Erikson (OpenZeppelin).
Smart Contract Security Field Guide by Dominik Muhs.
Web3 Security Wiki by Tigran Piliposyan.
A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool — Part 3 by Antonio Viggiano (Oak Security).
How To Hack Smart Contracts: Choosing The Path Between Attack & Defense by Malanii Oleh (Hacken).
Arbitrum Sequencer Outage RCA by Neville Grech (Dedaub).
Rivet - a developer Wallet & DevTools for Anvil by Paradigm.
EVM Debugger by Rumble Fish.
POCtoUS by InspexCo is a script that aims to help create an environment for analyzing a transaction on the blockchain by leveraging the power of an incredible tool, Foundry.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.