An interesting case study on vulnerability disclosure. CertiK announced a critical remote code execution vulnerability in the OKX iOS Wallet on the same day the patch became available. How long does it take Apple users to apply a patch? Let’s take the Safari browser as an example. Safari 17.2 was released on December 11 and also includes a patch for an arbitrary code execution vulnerability. Weeks later, only 1.23% of users had installed the update, while 39.22% of users continued running Safari 17 from September 18. According to Mandiant, “One Day” exploitation occurs in about 9 days following the patch release and disclosure. Unfortunately, only the most diligent users are likely to install app updates in this timeframe, leaving the rest vulnerable.
Unlike smart contract bugs, which can be patched and disclosed quickly, client-side patching requires significantly more finesse when balancing user risk, criticality and likelihood of exploitation. What happened instead was OKX rushing to urge users to install the update following CertiK’s disclosure of the vulnerability a few hours earlier. The two announcements were at odds over whether users’ funds were affected, further indicating a lack of coordination. Kudos to CertiK for finding and reporting the vulnerability. A much better approach would have been to coordinate with OKX to promote the upgrade, watch backend stats until the majority of users had installed it (as noted by Tay), and then make a joint announcement referencing OKX’s post, not the other way around. What do you think?
Just a couple of DeFi exploits this week, for a total of $200,000, both with relatively rare exploitation vectors. The Transit Finance exploit involved a specially crafted transaction with a forged pool parameter, while Pine Protocol suffered from sharing the same pool address. You can find detailed writeups and PoC code in the premium section.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Hack Hauls Halve From 2022 by TRM.
DeFi’s billion-dollar secret: The insiders responsible for hacks.
Curve Finance to disburse $49M in compensation to hack victims.
bloXroute MEV Relays to reject blocks with OFAC transactions.
Crime
Ian Freeman Sentenced to 8 Years in Prison for Operating a Bitcoin Money Laundering Scheme.
Kodex Says Binance Law Enforcement Panel Access Sale is a 'Scam'.
FBI develops decryptor for BlackCat ransomware, seizes gang's website.
Defiant BlackCat Gang Stands Up New Site, Calls for Revenge Attacks.
Insomniac Games Breaks Silence on 'Extremely Distressing' Bitcoin Ransom Hack.
Phishing
From Google to X Ads: Tracing the Crypto Wallet Drainer’s $58 Million Trail by Scam Sniffer.
Crypto scammers abuse Twitter ‘feature’ to impersonate high-profile accounts.
Meta pleads not guilty to recklessly handling crypto scam ads.
Policy
Media
Advanced Fuzzing and LLM Integrations into Security Practices by Fuzzland.
Scraping Bits by DeGatchi - #35: From Securing Smart Contracts To Optimism's L2 Rollup - Ft. Maurelian.
Web3 security trends with Immunefi, Spearbit, and Velodrome.
Research
Uncovering and Resolving a Cross-Site Scripting Attack in a Popular Wallet Protocol by CertiK.
On Decoding Raw EVM Calldata by Jonathan Becker.
Formal Verification In Practice: Halmos, Hevm, Certora, and Ityfuzz by Secoalba.
Confession about fuzzing by Pavel Kondr (Pessimistic Security).
ZK-SNARKS & The Last Challenge Attack: Mind Your Fiat-Shamir! by OpenZeppelin.
Secure Implementations & Vulnerable Integrations in Smart Contracts: ERC-2771 Crisis Management by OpenZeppelin.
Compound Case Study: How Compound Secures its Protocol and Users by OpenZeppelin.
How OpenZeppelin Foiled a Catastrophic Hack in a Compound Wargame Simulation by OpenZeppelin.
SoK: Security of Cross-chain Bridges: Attack Surfaces, Defenses, and Open Problems.
Post-Mortem Report: Sequencer Downtime and L1 Gas Pricing Issue by Arbitrum Foundation.
Tools
Tealer - a static analyzer for Algorand’s Teal code by crytic.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.