Greetings!
Security Alliance announced its latest initiative called White-Hat Safe Harbor Agreement. It’s designed to shield white-hat hackers from legal repercussions when proactively saving assets in the midst of a hack while also establishing a reward. Are we about to witness a new field where independent blockchain monitors compete to identify hacks in progress? The initiative brings the light into the dark forest while helping propel the fields of security monitoring and response by leaps and bounds. Imagine intelligent incident bots competing with bad actors to steal funds milliseconds before their exploits land on-chain, hampering attackers’ ability to move and swap funds through automated blocklists, deploying countermeasures to hack back attacker contracts to claw back funds. All of these defensive mechanisms already exist in some form, but could be pushed even further with the right incentives. Kudos, samczsun!
FixedFloat experienced a massive $26m hot wallet compromise across bitcoin and ethereum networks. Attackers took their time to deposit stolen assets to HitBTC and eXch exchanges for days following the hack. The latter is becoming popular among recent compromises. Continuing the trend of hot wallet compromises, Duelbits also suffered a $4.6m loss this week.
A single actor has been attacking Miner, Azuma, Dawn and other projects which implemented the new ERC-404 token standard. Below is a vulnerable code snippet used for token transfers:
```solidity
function _update(address from, address to, uint256 value, bool mint) internal virtual {
    uint256 fromBalance = _balances[from];
    uint256 toBalance = _balances[to];
    [.. snip ..]
    _balances[from] = fromBalance - value;
    _balances[to] = toBalance + value; // VULN
}
```
The from and to balances are cached in the fromBalance and toBalance variables before either one is updated. The logic otherwise mirrors OpenZeppelin’s ERC-20 implementation, except for the added toBalance variable. If from and to are the same address, toBalance holds that address’s balance from before the subtraction, so the addition credits the full value to the address without the debit ever taking effect. None of the vulnerable contracts checked that from and to were different, which let bad actors effectively double their balances with a self-transfer. Really bad!
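To make the failure mode concrete, here is an added example (not code from any of the affected projects) with the vulnerable update next to the corrected shape; the contract name, the 100-token starting balance and the transfer wrappers are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: minimal balance logic that reproduces the self-transfer
/// bug described above and shows the fix. Not the ERC-404 reference code.
contract SelfTransferDemo {
    mapping(address => uint256) private _balances;

    constructor() {
        _balances[msg.sender] = 100; // constructed sample balance
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    /// Vulnerable pattern: both balances are cached before either is written,
    /// so when from == to the credit is based on the stale, pre-debit balance.
    function _updateVulnerable(address from, address to, uint256 value) internal {
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];
        require(fromBalance >= value, "insufficient balance");
        _balances[from] = fromBalance - value;
        _balances[to] = toBalance + value; // from == to: net effect is +value, not 0
    }

    /// Fixed pattern (the OpenZeppelin ERC-20 shape): write the debit first and
    /// read storage again for the credit, so a self-transfer is a no-op.
    function _updateFixed(address from, address to, uint256 value) internal {
        uint256 fromBalance = _balances[from];
        require(fromBalance >= value, "insufficient balance");
        _balances[from] = fromBalance - value;
        _balances[to] += value; // sees the already-debited balance when from == to
    }

    function transferVulnerable(address to, uint256 value) external {
        _updateVulnerable(msg.sender, to, value);
    }

    function transferFixed(address to, uint256 value) external {
        _updateFixed(msg.sender, to, value);
    }
}
```

Deploy, then have the deployer call transferVulnerable with its own address and 100: balanceOf(deployer) becomes 200, while transferFixed with the same arguments leaves it at 100. An explicit require(from != to) check is an alternative guard, but the single storage read after the debit is the pattern the ERC-20 implementation relies on.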
In addition to compromises mentioned above, premium section includes details on a total of 11 incidents this week including Game, Particle, Dualpools, Loogn, xPet, and others which resulted in the theft of $31.7M+.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Node vulnerabilities are rare, but can be really devastating. Be sure to check out Felix Wilhelm’s write-up on the Ethereum Log Confusion bug in Polygon’s Heimdall in the Research section. This could have been really bad!
In other news Elizabeth Warren went all in on Bitcoin and honored Satoshi Nakamoto. Just kidding, a group of pranksters was just having fun with the automated Capitol Flag Program.
This edition also features an extraordinary amount of fantastic research, new tools, latest phishing techniques, and other happenings in the blockchain security ecosystem so I don’t feel as bad about releasing this a few days late. Enjoy :-)
Events
EVM Day by ChainLight, Gaslite, Curta on February 29, 2024 at ETH Denver.
Ethernaut CTF by OpenZeppelin on March 16-17, 2024. $7,000 in prizes.
News
North Korean hackers now launder stolen crypto via YoMix tumbler.
U.S. Treasury Debunks Narrative That Hamas Relied on Crypto to Fund Terrorism.
Binance Founder CZ’s Criminal Sentencing Date Postponed to April.
FTX bankruptcy firm Sullivan & Cromwell tipped for Binance monitor role.
Crime
Cop allegedly stole 81 bitcoin from drug dealer’s Trezor wallet.
Bitcoin money launderer Ian Freeman ordered to pay $3.5 million to romance scam victims.
Policy
House Hearing on Crypto Crime Highlights the Advantages of Crypto for All Uses, Legal and Illegal. Complete recording here.
FCA issued 450 alerts against illegal crypto promotions in 2023.
Phishing
A new phishing technique registers [ethereum_address].eth ENS domains to trick user wallets with autocomplete functionality.
Angel Drainer stole $400K+ from 128 wallets by using Safe vault contracts to automatically receive “verified” flag on Etherscan.
Scammers target victims with real crypto in new address poisoning attack.
Reports of an ongoing Coinbase account reset phishing campaign.
Reports of an ongoing Uniswap V4 airdrop phishing campaign.
History of increaseAllowance and its abuse in phishing attacks by Mikko Ohtamaa.
Explaining a web3 attack vector: Dust attacks by Blockaid.
Deep-fake of Vitalik used to promote a wallet drainer by CertiK.
Scams
Beware the Honeypot: How Telegram Channels Used Actors to Promote Scams by CertiK.
Bot-Driven Wash Trading in Exit Scams by CertiK.
Valentine's nightmare? Romance scams remain a $1B honeypot for criminals.
Fake cop scams man out of $9,000 in Bitcoin using caller ID trick.
Malware
RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers.
Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer by S2W.
Contests
PopPunkOnChain's King of the Frame solution by 0xjustadev.eth.
Media
Live Vulnerability Management: Expert Talk with Michael Lewellen from OpenZeppelin by PatrickAlphaC (Cyfrin).
sorryNotsorry interview by JohnnyTime.
Art of Bug Hunting with bahurum by OpenSense.
EVM & Yul programming course Part 1, 2, 3, 4, 5 by deliriusz.
Research
Ethereum Log Confusion in Polygon's Heimdall by Felix Wilhelm (Asymmetric Research).
A Comprehensive Guide to Replay Attacks in Ethereum by Ciara Nightingale (Cyfrin).
Price Oracle Manipulation Attacks | Full guide with examples by Juliette Chevalier (Cyfrin).
Hidden GitHub Commits and How to Reveal Them by Neodyme.
Breaking BFT: Quantifying the Cost to Attack Bitcoin and Ethereum.
Why Your Code Needs To Be Self-Contained by Sebastian Fabry (OpenZeppelin).
Restaking Risks: An Empirical Research Thread by Sudipan (Chainrisk).
The Auditor’s Handbook by Guardian Audits.
Access Control Security Considerations by Certora.
Foundry for studying hacks by Daniil Ogurtsov (MixBytes).
Reth DB direct access for fast on-chain parsing thread by gakonst.
Guide to using ItyFuzz by secoalba.
Public Fuzzing Campaigns by Perimeter Security. A comprehensive list of repositories for Echidna, Medusa, and Foundry fuzzing files for various projects.
Secure key storage when using Jupyter/Colab for on-chain activity (e.g. whitehat efforts) thread by fiddy.
Fault Proof Deep-Dive Part 1: MIPS.sol by Alexis Williams (OP Labs).
Diving into ERC-7512: Standardizing On-Chain Audit Representation for Ethereum Smart Contracts by Olympix.
Cloud cryptography demystified: Amazon Web Services by Scott Arciszewski (Trail of Bits).
A few notes on AWS Nitro Enclaves: Images and attestation by Paweł Płatek (Trail of Bits).
Tools
Compound precision loss scanner by Decurity.
4naly3er - static smart contract code analyzer by Picodes. Now includes 150+ more detectors from Dravee.
regast - static analyzer for Solidity, built upon regex and ASTs by MiloTruck. Not maintained, but still interesting.
DNS Monitor by dAppling Network can be used to detect web3 frontend attacks.
Subsquid plugin for Ape Framework to help with historical data analysis.
CZIP: EVM Calldata Zip is an engine for compressing and decompressing EVM calldata. If you are familiar with exploit obfuscation/encoding techniques this tool provides for one such use case.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content