BlockThreat - Week 7, 2023
Platypus | Dexible | Dookey Dash | Zero Transfer Phishing
If you’ve been following the newsletter for some time, you already know that there is never a dull week in blockchain security. The Platypus hack was a real rollercoaster that started with a $9m theft by an inexperienced attacker who ended up locking up most of it. The wild part came when the BlockSec team swooped in with a counter hack to recover some of the assets. It’s always impressive to watch the good folks operate on this new frontier, giving hope during hard times!
Dexible and Revert Finance were exploited with router injection vulnerabilities resulting in $2m+ losses to users who approved their funds to these contracts. All of the indicators are in the Premium section as always.
In other news, the Chainalysis 2023 crypto crime report finally dropped, which you should definitely check out, along with multiple reports of $7m+ in hacked funds frozen on exchanges.
Oh, and be sure to check out the three-part investigation blog series by Heidi Wilder and myself in the Scams section, exploring the damning zero transfer phishing attack and the perpetrators behind one of the campaigns.
Let’s dive into the news, but first some encouraging stats on darknet market revenues from our friends at Chainalysis!
Darknet Market Revenue Fell ~50% in 2022
Why? Hydra controlled 93% of the illicit market. And when they went down, so did darknet market revenue. But that didn’t stop other shops from attempting to capture market share and fight for users in the wake of the Hydra shutdown.
In our latest crime report preview, we examine how drug buyers and illicit users transitioned to other darknet markets, and where potential Hydra vendors and admins may have migrated.
Zero Transfer Phishing - Part 1 - Attack Analysis by Heidi Wilder and Peter Kacherginsky.
Zero Transfer Phishing - Part 2 - Phishing Campaigns by Heidi Wilder and Peter Kacherginsky.
Zero Transfer Phishing - Part 3 - Hashlinked by Heidi Wilder and Peter Kacherginsky.
Loyalist: $4m stolen from over 400 victims by ZachXBT.
On February 16, 2023, Platypus lost $9m due to a logic error when handling withdrawals with borrowed assets. In a series of bizarre twists, the attacker failed to implement a withdrawal function in their exploit contract, effectively freezing most of the stolen assets, got hacked by the BlockSec team, which recovered $2.4m USDC, and also got doxxed by none other than ZachXBT. Overall a happy end to a very sloppy hack.
On February 17, 2023, Dexible lost $2m due to insufficient validation of a user-supplied router parameter. The exploit primarily affected the platform’s users, such as BlockTower Capital, which lost $1.5m of the above.
On February 18, 2023, Revert Finance lost $29k due to insufficient parameter validation, which allowed attackers to inject a malicious router.
Beanstalk Logic Error Bugfix Review by Immunefi.
EIP4337Manager selfdestruct vulnerability by taek lee.
Dookey Dash - Deep dive into the sewer by cmichel.
Sewer Pass Flash Claim Vulnerability by BendDAO.
Logic Error Bug Fix Review by Balancer Labs.
Solidity Integer Overflow & Underflow by Neptune Mutual.
Invariant Testing WETH With Foundry by horsefacts.
Entering the Huff Ecosystem by merkleplant.
Dissecting Ethereum delegated staking from a security perspective — Part 2 by Coinspect Security.
Security Checkpoints for EIP-4337 Based Account Abstraction Implementation by Fairyproof Tech.
The ‘U Up?’ Files With Joran Honig by Immunefi.