Hey friends!

More than $5.4M were stolen from various DeFi projects this week. dForce Network was hit particularly hard with a relatively new read-only reentrancy exploit. On the bright side, web3 sleuths got a lot better at identifying attackers and forcing these “whitehats” to return stolen assets. Both dForce and SperaxUSD from last week got their stolen assets back! Attackers seemed to have written an auto-pwner for a few common vulnerabilities which is currently wreaking havoc on BNB Chain.

In other news, one of Bitzlato exchange’s founders was detained in Russia and congratulated quickly released. Wormhole attackers are going full degen and leveraging up with liquid staked ETH.

Webaverse got hit with a mysterious social engineering attack which stole private keys along with $4M in USDC by taking a picture of a Trust Wallet balances.

Stay safe out there and avoid meeting with unknown investors in hotel lobbies. Let’s dive into the news, but first some wild stats on last years exploits from our friends at Chainalysis that hopefully inspire you to join to the good fight!

2022: The Biggest Year EVER(!) for Crypto Hacking

Last year, $3.8 billion was stolen from crypto hacking, primarily from DeFi protocols and by North Korea-linked attackers. Hacking activity ebbed and flowed throughout the year, with huge spikes in March and October, the latter of which became the biggest single month ever for cryptocurrency hacking with $775.7 million stolen in 32 separate attacks.

What platforms were most affected? What role did North Korea-linked hackers play?

Get the latest on crypto hacking in 2022 now >

News

• Bitzlato Co-Founder Released After Arrest in Moscow, Pledges Relaunch of Seized Exchange.

• SperaxUSD attackers returned stolen funds after they were identified.

• dForce attacker voluntarily returned all of the stolen assets after their Singapore-based IP address was shared with authorities.

• Wormhole Bridge Exploiter Supplies $46M to Crypto Lending Platform Maker, Buys Wrapped Ether.

• Reports of attackers auto-hacking projects with weak deflationary token and price oracle handling on BSC and ETH chains.

Scams

• NameCheap's email hacked to send Metamask, DHL phishing emails.

• Crypto project Webaverse hacked for $4M in a hotel lobby. This was not the first time the gang hit crypto entrepreneurs.

• Analysis of Monkey Drainer NFT Phishing Group by SlowMist.

• Crypto phishing campaign exploits Twitter’s content preview flaw by SlowMist.

Hacks

• On February 7, 2023 LianGo lost $1.62M due to private key theft.

• On February 7, 2023 CoW Swap Protocol was relieved of $166K after a combination of malicious contract approval and a lack of function access controls allowed attackers to drained all approved tokens.

• On February 9, 2023 SushiSwap BentoBoxV1 was targeted in a price oracle manipulation attack which resulted in a $26K loss.

• On February 9, 2023 dForce Network lost $3.65M after it was exploited with a read-only reentrancy vulnerability. Stolen assets were returned after the attacked was identified.

Vulnerabilities

• Infinite minting vulnerability discovered in BNB Chain and disclosed through responsible disclosure process by Felix Wilhelm, Jump Crypto.

• Critical vulnerability discovered in OneKey hardware wallet which allows one to recover the stored mnemonic key.

• DookeyDash exploitation and botting.

Malware

• Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs by TrendMicro.

Contests

• Bountiful Round #2.

Media

• Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge by Patrick Ventuzelo.

• $1mln - Generating ETH from thin air - Aurora rainbow bridge withdrawal logic bug.

• 0xleastwood: Spearbit Lead Security Researcher talks Web3 Security and Smart Contract Auditing by Andy Li.

• DeGatchi on Reverse Engineering and MEV - Devs Do Something 26.

Research

• Analyzing transactions on Sinbad BTC tumbler used by North Korean attackers by ErgoBTC.

• I See Dead Code - What if I told you that over one-third of recently-deployed Ethereum smart contracts consist mostly of unusable junk? by Sifis Lagouvardos (Dedaub)

• OnChain Transaction Debugging - Lesson 6: Write Your Own PoC (Reentrancy) by DeFiHackLabs.

• Breaking Fluidity for glory and $50K by Trust in Distrust.

• First Deposit Bug in CompoundV2 by Akshay Srivastav.

• How to hack into NFT marketplace by Alex Horlan, Hacken Proof.

• Balancer Logic Error Bugfix Review by Immunefi.

• How to Submit Bug Reports That Get Paid by Immunefi.

• Lesson 1: Smart Contract Audit Methodology & Tips by SunWeb3Sec.

• Modular MEV; Part 1—The Introduction by Maven11.

• A beginner's intro to coding zero-knowledge proofs by Santiago Palladino.

• Introduction to Zero-Knowledge Proof Part 1 by Numen.

• Symbolic testing with Halmos: Leveraging existing tests for formal verification by Daejun Park, a16z.

• Solidity Coverage in VS Code with Foundry by Devan Non.

• Querying internal smart contract parameters with Foundry by Apoorv Lathey.

Tools

• ABI Tools - Transaction calldata decoder by samczsun.

• Bytegraph - Smart-Contract Analysis Tool.

• Erigon-DB - Fully typed access to the Erigon database in rust.

• vEVM - on-chain gasless arbitrary bytecode execution engine.

• EigenPhi Transaction Analyzer.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content

Indicators

LianGo Attackers

BSC: 0x621fefc5eb903c20b82e5d537056807b51d7a8d4
BSC: 0xcb65d000ec8ee9cb74d9b4ffb8e6ff36eca166ae