BlockThreat - Week 6, 2023
dForce | CoW Swap | SushiSwap | SperaxUSD | NameCheap | Bitzlato
More than $5.4M was stolen from various DeFi projects this week. dForce Network was hit particularly hard with a relatively new read-only reentrancy exploit. On the bright side, web3 sleuths got a lot better at identifying attackers and forcing these “whitehats” to return stolen assets. Both dForce and SperaxUSD from last week got their stolen assets back! Attackers seem to have written an auto-pwner for a few common vulnerabilities which is currently wreaking havoc on BNB Chain.
In other news, one of Bitzlato exchange’s founders was detained in Russia and quickly released. Wormhole attackers are going full degen and leveraging up with liquid staked ETH.
Webaverse got hit with a mysterious social engineering attack which stole private keys along with $4M in USDC by taking a picture of Trust Wallet balances.
Stay safe out there and avoid meeting with unknown investors in hotel lobbies. Let’s dive into the news, but first some wild stats on last year’s exploits from our friends at Chainalysis that hopefully inspire you to join the good fight!
2022: The Biggest Year EVER(!) for Crypto Hacking
Last year, $3.8 billion was stolen in crypto hacks, primarily from DeFi protocols and by North Korea-linked attackers. Hacking activity ebbed and flowed throughout the year, with huge spikes in March and October, the latter of which became the biggest single month ever for cryptocurrency hacking with $775.7 million stolen in 32 separate attacks.
What platforms were most affected? What role did North Korea-linked hackers play?
SperaxUSD attackers returned stolen funds after they were identified.
dForce attacker voluntarily returned all of the stolen assets after their Singapore-based IP address was shared with authorities.
Crypto project Webaverse hacked for $4M in a hotel lobby. This was not the first time the gang hit crypto entrepreneurs.
Analysis of Monkey Drainer NFT Phishing Group by SlowMist.
On February 7, 2023 LianGo lost $1.62M due to private key theft.
On February 7, 2023 CoW Swap Protocol was relieved of $166K after a combination of malicious contract approval and a lack of function access controls allowed attackers to drain all approved tokens.
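As an added illustration of the bug class behind this item (not CoW Swap's code; all contract and function names are hypothetical), here is a router whose unrestricted function spends any user's token approval, beside a hardened version that binds the spent allowance to the caller and gates privileged paths behind an owner check:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of the pattern described above, not CoW Swap's code.
// Contract and function names are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: users grant this contract a token allowance, but any
// caller may pick `from` and `to`, so an arbitrary address can sweep every
// outstanding approval into its own wallet in a single transaction.
contract VulnerableRouter {
    function pull(IERC20 token, address from, address to, uint256 amount) external {
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}

// Hardened pattern: the only allowance ever spent is msg.sender's own, so a
// user's approval can be consumed only by that user's transaction. Anything
// that moves contract-held funds is restricted to the owner.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => mapping(IERC20 => uint256)) public deposits;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // `from` is never caller-supplied: it is always msg.sender.
    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender][token] += amount;
    }

    // Privileged path with an explicit access control check; moves only
    // balances the contract itself holds, never a third party's allowance.
    function sweepFees(IERC20 token, address treasury, uint256 amount) external onlyOwner {
        require(token.transfer(treasury, amount), "transfer failed");
    }
}
```

Users who granted an allowance to a contract exposing the vulnerable pattern remain at risk until they revoke the approval, since the router can be called by anyone at any time.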
On February 9, 2023 SushiSwap BentoBoxV1 was targeted in a price oracle manipulation attack which resulted in a $26K loss.
Infinite minting vulnerability discovered in BNB Chain and disclosed through responsible disclosure process by Felix Wilhelm, Jump Crypto.
Critical vulnerability discovered in OneKey hardware wallet which allows one to recover the stored mnemonic key.
Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge by Patrick Ventuzelo.
Breaking Fluidity for glory and $50K by Trust in Distrust.
First Deposit Bug in CompoundV2 by Akshay Srivastav.
How to hack into NFT marketplace by Alex Horlan, Hacken Proof.
Balancer Logic Error Bugfix Review by Immunefi.
How to Submit Bug Reports That Get Paid by Immunefi.
Lesson 1: Smart Contract Audit Methodology & Tips by SunWeb3Sec.
Modular MEV; Part 1—The Introduction by Maven11.
A beginner's intro to coding zero-knowledge proofs by Santiago Palladino.
Symbolic testing with Halmos: Leveraging existing tests for formal verification by Daejun Park, a16z.
Solidity Coverage in VS Code with Foundry by Devan Non.
Querying internal smart contract parameters with Foundry by Apoorv Lathey.
ABI Tools - Transaction calldata decoder by samczsun.
Bytegraph - Smart-Contract Analysis Tool.
vEVM - on-chain gasless arbitrary bytecode execution engine.