Greetings!

A well known exploitation pattern has been picking up lately which takes advantage of the arbitrary external call vulnerability. Unlike other smart contract exploits, this one targets protocol’s users who approved their tokens to the contract. Seneca ($6.5M) and Fx Protocol ($5K) were compromised this week using the exploit. Similar compromises happened this year such as Socket ($3.3M), Basket DAO ($107K), and others. Let’s take a look at a sample vulnerable code in the FxUSDFacet contract:

function transferInAndConvert(ConvertInParams memory params, address tokenOut) internal returns (uint256 amountOut) {
[.. snip ..]

if (params.src == address(0)) {
(_success, ) = params.target.call{ value: params.amount }(params.data); // Arbitrary External Call

[.. snip ..]

In the snippet above, the contract can make arbitrary calls to the contract address using parameters specified by the user. Consider the following parameters used in a recent exploit that specify the target contract 0xae7ab9..d7fe84 (stETH):

{

"params": {
"src": "0x0000000000000000000000000000000000000000",
"amount": "0",
"target": "0xae7ab96520de3a18e5e111b5eaab095312d7fe84",
"data": "0x23b872dd000000000000000000000000eb16a13b91579125c9bf5eaf8215f647d7b9778c0000000000000000000000003aa228a80f50763045bdfc45012da124bd0a68090000000000000000000000000000000000000000000000001f8bb663d0c2a9f2",
"minOut": "0"
},
"tokenOut": "0xac3e018457b222d93114458476f3e3416abbe38f"
}

This specially crafted payload will execute transferFrom (0x23b872dd) method on the stETH (0xae7ab9…d7fe84) contract to transfer 2.273 stETH from the victim (0xeb16a1…) to the attacker (0x3aa228…). The only precondition is that the victim approved stETH which the vulnerable contract will now spend. Attackers tend to mass exploit such approvals to drain multiple user wallets with approvals to the exploited contract causing a literal feast for multiple bad actors joining the hack in progress.

PSA for Developers: Avoid arbitrary calls where some or all of the parameters are unfiltered and controlled by callees.

Atlantis Loans compromise from June, 2023 continues draining user accounts almost a year (!!!) after the initial governance hack. However, the bad actors have just stolen $650K worth of wrapped BTC to claim their largest loot yet.

PSA for Users: Proactively revoke approvals from not only compromised, but also abandoned projects which may be used to steal your assets in the future.

The premium section this week contains vulnerability, exploit details, and indicators from 7 compromises netting $15M+ from projects mentioned above as well as Serenity Shield, Smoofs, Shido, and others.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

• Hackers target FCC, crypto firms in advanced Okta phishing attacks.

• FSB will standardize global incident reporting for institutions with crypto.

Crime

• Do Kwon documents reveal astounding stupidity of his arrest.

• Incognito darknet market is onboarding ETH and DAI as payment methods.

Phishing

• Proxy Attack phishing technique analysis by Blockaid. It is used by drainers to steal funds in a single transaction.

• Wallet Drainer Exploits Numerical Address Bypass Security Alerts by Scam Sniffer.

• Scammers try to steal your ETH using Blast's bridge by Pocket Universe.

• Bypassing Web3 Security Extensions study by Beau.

• CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack by Lookout.

Scams

• How Do Crypto Flows Finance Slavery? The Economics of Pig Butchering.

• Pig Butchering Scams: Last Week Tonight with John Oliver.

• BitForex Website Goes Dark Amid Reported $57M Outflow.

Media

• Unchained - Famed White Hat Hacker Samczsun on How to Improve Crypto Security - Ep. 613.

• Blockfence - Blockchain Security Series 3: Taylor Monahan (Security researcher - Metamask).

• Scraping Bits - #59: Ethereum Client Fuzzing And Merkle-Patricia Trie Optimisation - Ft. MariusVanDerWijden.

• ETH Denver Security Related Talks

  • Inside DeFi's SEAL 911 Team | Niv Yehezkel , Michael Lewellen - Hexagate, OpenZeppelin.

  • You Can't Scale Web3 w/o Better Onchain Security | Ido Ben-Natan, Nadav Hollander & Taylor Monahan.

  • Fuzz Invariant Testing: What Is It and How Can It Help You? | Chris Smith - Independent Contractor.

  • What Happens if a MEV-Boost Relay Goes Rogue? | Auston Sterling - Aestus Relay, EVMavericks.

  • Zen & the Art of Wallet Security: How to Not Get Hacked | Daniel Chong - Harpie.

  • Ascending Security: The New Frontier of Application Security With EigenLayer | Sam Glenn - Drosera.

  • Mastering Web3 Security Using AI | Tamaghna Basu - DeTaSECURE.

  • Heist Movies and the Evolving Layers of Web3 Security | Slay Huff - CUBE3.

  • Frontrunning Hacks: Bound to Become Irrelevant | Odysseas Lamtzidis - Phylax.

  • Web3 Crisis Comms Controlling Narratives When Sh*t Happens | Victoria Calmon - Mento Labs.

  • Sequencer-Level Security (SLS) in Zircuit | Martin Derka - Zircuit.

  • A Developer's Guide to Self-Auditing | Joe Van Loon - Audit Wizard.

  • How to Secure 12 Words on the Internet | Asta Li - Privy.

  • Implementing Compliance for DeFi | Abdul Rahman.

  • From Sick to Secure: How Remedy Is Curing Web3 | Ruben Muradyan - OneGuard LLC.

  • Security & Trust Assumptions for Evaluating Non-Custodial Wallet Providers| TJ Connolly - Fireblocks.

  • The C4 CryptoCurrency Security Standard (CCSS) | Marlene (DeployOpen) Petri Basson, and Jake Silzer.

Research

• Riverguard: Fishing for Loss of Funds in the Stream of Solana Transactions by Neodyme.

• Learning by Breaking - A LayerZero Case Study Part 1 2 3 by Trust Security.

• When try, try, try again leads to out-of-order execution bugs by Trail of Bits on pitfalls of using retryable transactions in Arbitrum Nitro.

• Web2.5 Security by Omar Ganiev (Decurity).

• EVM from Scratch book by shafu0x.

• Modeling and Analysis of Crypto-Backed Over-Collateralized Stable Derivatives in DeFi.

• Analyzing Games in Maker Protocol Part One: A Multi-Agent Influence Diagram Approach Towards Coordination.

• SoK: Cryptocurrency Wallets -- A Security Review and Classification based on Authentication Factors.

• On Defeating Graph Analysis of Anonymous Transactions.

• Time-Restricted Double-Spending Attack on PoW-based Blockchains.

• ZK Proofs ELI5 book by The Matter Labs.

• Uniswap resources by Sabnock01.

• The Hitchhiker’s Guide to Online Anonymity.

Tools

• Glider: Revolutionizing Web3 Auditing and Security Analysis.

• Napalm getting started guide.

• Online ABI Encoder by HashEx.

• BALLS - A DSL for generating optimal EVM bytecode by Philogy.

• lazy-etherscan - Simple Terminal UI for the Ethereum Blockchain Explorer by woxjro.

• Verifier Alliance - an ecosystem collective aiming for easy, unified and open access to the source code of EVM smart contracts.

• Gaslite Core Repository - Hyper optimized smart contracts for every day use cases by PopPunk.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content