BlockThreat - Week 8, 2024
Tornado | LastPass | Jeffrey Zirlin | Blueberry | Compound | Aleo | DeezNutz | GAIN
Greetings!
This was a tough week that resurfaced some familiar attack patterns. LastPass users continue to be drained following last year's mass leak. Mass hacking campaigns continued as well, targeting inattentive governance DAOs, weak ERC-404 tokens, and any vulnerable abandoned projects with remaining funds.
Jeffrey Zirlin (Axie Infinity) suffered a $9.7M loss due to private key theft. The incident is similar to the massive $112.5M theft from Chris Larsen (Ripple). This marks a trend in which malicious actors target the personal wallets of high-level crypto executives.
Tornado Cash is in the news again after a malicious governance proposal managed to inject JavaScript into one of the front-end IPFS mirrors. This allowed bad actors to collect deposit notes, which could be used to redeem deposited assets from the mixer. Both the malicious proposal and the registration date of the deposit note collector domain place the compromise around January this year.
We have just discussed the birth of a new counter-hack industry following the White-Hat Safe Harbor Agreement. This week we witnessed an example of how things could work. A well-known MEV bot, c0ffeebabe.eth, managed to frontrun an exploit transaction worth $1.3M targeting Blueberry. The white-hat hack concluded with the return of the vulnerable funds minus MEV fees and a 10% bounty.
The week’s premium section contains detailed incident reports and indicators for a total of 13 incidents this week, totaling $30M, including the compromises above.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!