BlockThreat - Week 52, 2023
Orbit | Levana | Telcoin | Catalyx | INSC NFT | Thunder Terminal | Channels Finance
Greetings!
Crypto spring is back. Unfortunately, that means exploiters, scammers, and other criminal elements are about to refocus their efforts on the blockchain industry. The number of compromises is picking up, going from just 61 in Q1 2023 to 104 in Q4 2023. We are still far behind the total value lost in the same quarter last year ($641M vs. $1.37B), but as asset valuations rise this number will follow. So let’s see what contributed to the above numbers in the last week of 2023.
The year ended with a massive $81M Orbit Bridge compromise. The exploit involved the compromise of a validator’s private key, similar to the Harmony Horizon Bridge hack. However, it also required a validation bypass in the withdrawal function to get around the minimum approval threshold. The compromise makes for an interesting case study on monitoring:
The attacker performed several small test transactions on December 30th and December 31st exploiting the validation bypass vulnerability.
Mass draining started on December 31st and lasted about 18 minutes.
The bridge was deactivated one hour after the last exploit transaction.
Some takeaways:
The early private key compromise may have been caught with traditional “web2” security controls (e.g. endpoint security, secure key storage, logging, etc.).
Early exploitation may have been caught by performing deep analysis on every withdrawal transaction to detect malformed transaction parameters (e.g. threshold validation, signed data verification, etc.).
Mass withdrawals are easy to detect with a token outflow heuristic, which most likely alerted the team and blockchain monitoring vendors.
A one-hour incident response time is pretty good, but it is insufficient to stop or minimize losses. Automatic circuit breakers are a must.
Attackers like to strike during major holidays, conferences and other events.
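The three monitoring takeaways above, applied to a constructed event log, as an added example (this is not code from the BlockThreat post or from Orbit Bridge; the validator names, the 7-of-10 threshold, the 20-minute window, the $5M outflow limit, the amounts and the timestamps are all assumptions made for illustration):

```python
"""Added example, not code from the BlockThreat post nor from Orbit Bridge.

A withdrawal monitor that applies the takeaways above to a constructed
event log: (1) deep per-transaction validation that recomputes the
approval threshold from the supplied signatures instead of trusting a
count the caller asserts, (2) a token-outflow heuristic over a sliding
window, and (3) an automatic circuit breaker. Validator names, thresholds,
amounts and timestamps are all assumptions made for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 7                                        # assumed m-of-n threshold
KNOWN_VALIDATORS = {f"validator-{i}" for i in range(1, 11)}   # assumed 10 validators
WINDOW_SECONDS = 20 * 60                                      # 20-minute trailing window
WINDOW_LIMIT_USD = 5_000_000                                  # assumed outflow limit per window


@dataclass
class Withdrawal:
    ts: int                 # unix seconds
    tx: str                 # constructed label, not a real tx hash
    usd: int
    signers: tuple          # validators whose signatures were actually supplied
    approvals_claimed: int  # count asserted by the caller; a bypass forges this


@dataclass
class Monitor:
    deep_validation: bool
    paused: bool = False
    alerts: list = field(default_factory=list)
    window: deque = field(default_factory=deque)   # (ts, usd) pairs
    window_usd: int = 0

    def validate(self, w: Withdrawal):
        """Per-transaction check: the threshold is recomputed, never trusted."""
        distinct = set(w.signers)
        if distinct - KNOWN_VALIDATORS:
            return f"unknown signer(s) {sorted(distinct - KNOWN_VALIDATORS)}"
        if len(distinct) < REQUIRED_APPROVALS:
            return f"{len(distinct)} distinct approvals, need {REQUIRED_APPROVALS}"
        if w.approvals_claimed != len(distinct):
            return "claimed approval count does not match supplied signatures"
        return None

    def outflow(self, w: Withdrawal) -> int:
        """Token-outflow heuristic: USD withdrawn in the trailing window."""
        self.window.append((w.ts, w.usd))
        self.window_usd += w.usd
        while self.window[0][0] < w.ts - WINDOW_SECONDS:   # evict stale entries
            _, old = self.window.popleft()
            self.window_usd -= old
        return self.window_usd

    def process(self, w: Withdrawal) -> str:
        """Return 'ok', 'reject' or 'paused'; any alert trips the circuit breaker."""
        if self.paused:
            return "paused"
        if self.deep_validation:
            reason = self.validate(w)
            if reason:
                self.alerts.append(f"{w.tx}: REJECT, {reason}")
                self.paused = True
                return "reject"
        total = self.outflow(w)
        if total > WINDOW_LIMIT_USD:
            self.alerts.append(f"{w.tx}: PAUSE, {total:,} USD out in {WINDOW_SECONDS // 60} min")
            self.paused = True
            return "paused"
        return "ok"


T_DEC30 = 1703894400          # 2023-12-30 00:00 UTC (constructed timeline)
T_DEC31 = T_DEC30 + 86400
HONEST = tuple(sorted(KNOWN_VALIDATORS))[:7]   # seven genuine signatures
ONE = ("validator-3",)                         # a single compromised key


def sample_events():
    """Constructed log mirroring the timeline above: small tests, then a drain."""
    events = [
        Withdrawal(T_DEC30 + 3600, "legit-1", 50_000, HONEST, 7),
        Withdrawal(T_DEC30 + 7200, "test-1", 1_000, ONE, 7),    # forged approval count
        Withdrawal(T_DEC31 + 3600, "test-2", 2_000, ONE, 7),
    ]
    drain_start = T_DEC31 + 7 * 3600
    for i in range(6):   # six $1.5M withdrawals, three minutes apart
        events.append(Withdrawal(drain_start + i * 180, f"drain-{i + 1}", 1_500_000, ONE, 7))
    return events


def run(events, deep_validation):
    """Replay events; return per-tx outcomes, USD that got out, and alerts raised."""
    m = Monitor(deep_validation)
    outcomes = [m.process(w) for w in events]
    lost = sum(w.usd for w, o in zip(events, outcomes) if o == "ok")
    return outcomes, lost, m.alerts


if __name__ == "__main__":
    for deep in (False, True):
        outcomes, lost, alerts = run(sample_events(), deep)
        print(f"deep_validation={deep}: lost ${lost:,}; first alert: {alerts[0]}")
```

With only the outflow heuristic (deep_validation=False) the first alert fires on the fourth drain transaction, after $4.5M has already left, which is why a breaker that pauses automatically on that alert matters more than a fast human response. With deep validation the first test transaction is rejected on December 30th because the recomputed approval count (one distinct signer) does not meet the threshold, regardless of the count the caller claimed.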
The best we can do is take careful notes and continue building a more resilient ecosystem. I hope the above helps.
Speaking of web2 security controls: the MongoDB cloud compromise exposed customer names, phone numbers, email addresses, and other customer metadata. According to MongoDB, attackers accessed system logs for at least one customer. The compromise may have contributed to the $250K Thunder Terminal hack; Thunder Terminal blamed the platform for leaking session tokens, which led to a number of unauthorized transfers. The attack has similarities to the JumpCloud incident, although the bad actors don’t sound North Korean.
PSA: MongoDB customers should review and rotate potentially exposed credentials and session data.
The same week also included a Catalyx hot wallet compromise and a few other avoidable DeFi hacks, such as an uninitialized contract in Telcoin, price oracle manipulation in Levana and Channels, and a mass NFT theft event at INS NFT. At least we have gotten pretty good at shutting down malicious governance proposals, such as the one targeting Annex Finance.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, SBF will not face a second trial for all of his other shenanigans due to a "strong public interest in a prompt resolution". As a member of the public, I am actually interested in just how far the campaign finance fraud went, but it sounds like the government is satisfied with the existing convictions.
Oh, and be sure to check out Bitconned, a Netflix documentary on the Centra Tech scam.
See you all in the New Year! Let’s dive into the news!
Events
News
MongoDB investigating security incident that exposed data about customer accounts.
2023 Global Web3 Security Statistics & AML Analysis by Beosin.
De.Fi Rekt Report: Crypto Losses reach $1.95b in 2023 by De.Fi.
Scam Sniffer 2023: Crypto Phishing Scams Drain $300 Million from 320,000 Users.
Kyber Network axes workforce by 50% one month after $49M exploit.
How Axie's loss changed the battle against North Korean crypto hackers.
Kroll reveals FTX customer info exposed in August data breach.
FindAudit was launched by bytes032. It’s a marketplace for auditors who hate marketing.
Crime
Teen believed to be victim of cyber-kidnapping returns safely to Riverdale home.
Bulgarian Prosecutors Drop Charges Against Crypto Lender Nexo — 'No Evidence of Criminal Activity'.
Policy
Phishing
The Rising Threat of Phishing Attacks with Crypto Drainers - Check Point Research by Check Point.
How Good are Wallet Security Extensions by Feld (Boring Security).
Compound Labs X account compromised with a link to a drainer.
Blockchain dev's wallet emptied in "job interview" using npm package.
Crypto wallet founder loses $125,000 to fake LFG token phishing attack.
Scams
Malware
Media
Proof Of Podcast by Hake - Bytes: Pressure Makes Diamonds.
Proof Of Podcast by Hake - Antonio Viggiano: Teach Me How To Fuzz.
Research
Billion times emptiness by Trail of Bits. On DoS bugs in common Ethereum ABI libraries including eth_abi, ethabi, alloy-rs, and ethereumjs-abi.
Sui Validator node DOS Bugfix Review by Alex Horlan (Hacken Proof).
Cryptographic Asymmetry and How To Shut Down A Cosmos-Ethereum Bridge by Maxwell Dulin (Strikeout) and ging3r.
Awesome Cosmos Security by deliriusz.
Smart Contract Patterns: The Proxy by noxx.
Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study.
GPTScan: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis.
Past Permissions, Present Problems: Analysis of Theft through Authorized Malicious Contracts by SlowMist.
Interview with a KyberSwap Hacker by OfficerCia.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content