BlockThreat - Week 1, 2025
Fx Protocol | Sora | PumpTokenFactory | Tangem | 98 | StakeOM | BNPL
Happy New Year!
At the start of the year, there were only a few minor incidents, all resulting in losses under $300K. Fx Protocol made a costly mistake when calculating rewards for the ever-increasing wstETH asset, which cost it $125K. The most notable case, however, involved PumpTokenFactory, which deployed flawed token template code: because every token minted from the factory shared the same template, a single bug turned into a series of price oracle exploits affecting Laura, Luke, dEGG, and other tokens. The incident bears similarities to the GemPad compromise from a few weeks ago, where $2M was stolen through reentrancy attacks targeting multiple factory-deployed tokens.
It’s concerning to see these patterns emerge. Hopefully, the crypto ecosystem can avoid the kind of mass exploitation events that plague the Web2 world—such as the persistent vulnerabilities in platforms like WordPress, Drupal, and other low-code/no-code solutions.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
- Remedy CTF 2025. January 24th, 2025.
News
- 2024 Web3 Security Report by CyVers.
- Hack3d: The Web3 Security Report 2024 by CertiK.
- 2024 Q4 MistTrack Stolen Funds Analysis by Slowmist.
- Scam Sniffer 2024: Web3 Phishing Attacks – Wallet Drainers Drain $494 Million.
- 2024 Blockchain Security and Anti-Money Laundering Annual Report by Slowmist.
- Man Dies by Suicide After Being Convicted of ‘Rug Pull,’ Family Says. A tragic end to the Undead Apes saga.
Crime
- Tether, Tron and TRM Labs Help Freeze $126 Million in USDT Linked to Crime.
- South African Authorities Arrest Man Accused of Using Bitcoin to Fund Terrorist Activities.
- Do Kwon Extradited To The United States From Montenegro To Face Charges Relating To Fraud Resulting In $40 Billion In Losses.
Policy
- Thread on the unredacted Operation Choke Point 2.0 ("OCP 2.0") letters from the FDIC by Paul Grewal.
Scams
- Trapped Between Protocols by Rekt.
- 39 Ways You Could Lose Money in Crypto: How to Keep Your Money Safe by Sage D. Young (Unchained).
Malware
- North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign by dmpdump.
- Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT.
Research
- A Tale of Two Calls: How a Reentrancy Attack Can Take Over Maker's CDPs by Adriro.
- Detecting Financial Bots on the Ethereum Blockchain.
- Collaborative Approaches to Enhancing Smart Vehicle Cybersecurity by AI-Driven Threat Detection.
- An elaborate scheme to acquire a free coffee: Mr. X pays his barista in New York with a bitcoin transaction (TX1) and simultaneously broadcasts a second bitcoin transaction (TX2) out of Shanghai, by Peter R. Rizun.
- How Concentrated Liquidity in Uniswap V3 Works by RareSkills.
- Concentrated Liquidity - Sticky Tick Boundaries by Joran Honig.
Hacks
Tangem Wallet
Date: December 30, 2024
Attack Vector: Stolen Private Keys
Impact: Assets Stolen
References:
https://x.com/UnderCoercion/status/1873935870778368040
PumpTokenFactory: Laura, Luke, dEGG
Date: January 01, 2025
Attack Vector: Price Oracle Manipulation
Impact: $65,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1874455664187023752
https://x.com/TenArmorAlert/status/1874458584727396529
https://x.com/TenArmorAlert/status/1874464390835216768
https://nickfranklin.site/2025/01/08/laura-token-exploit/
Exploit:
https://etherscan.io/tx/0xef34f4fdf03e403e3c94e96539354fb4fe0b79a5ec927eacc63bc04108dbf420
https://etherscan.io/tx/0xcc134294bec0f6713bac929c595f612c35555d06f8801a024725c12254f6afcf
https://etherscan.io/tx/0xd7ca224fb6391c83cee3e2a3254f8740c7850d566908a417f30ce6e4ff820dc8
https://etherscan.io/tx/0xc5fdf77a54d3a4eeb7172a8cca1022a10aeff65344b7eb624e0dbcb719610aa0
https://etherscan.io/tx/0xa5f365589846eb1c8fb46f1fc3b76972d7fdcc832f5071b8efab2ec028c63437
BNPL
Date: January 03, 2025
Attack Vector: Price Oracle Manipulation
Impact: $14,200
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1875372390420521196
Exploit:
https://etherscan.io/tx/0x1290fc4d6606367c3cdf96dbc28fffefa6755d02dec636366f5c0c095b835a00
StakeOM
Date: January 04, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1875788933218316549
Exploit:
https://bscscan.com/tx/0x821aa2d08ca5d3733081c8d228cfe9f8f1da7493f31d09a3ac20b8e05851a0d6
98
Date: January 04, 2025
Attack Vector: Misconfiguration
Impact: $28,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1875462686353363435
https://x.com/Hermione7812/status/1875712522357240143
Exploit:
https://bscscan.com/tx/0x61da5b502a62d7e9038d73e31ceb3935050430a7f9b7e29b9b3200db3095f91d
Fx Protocol
Date: January 04, 2025
Attack Vector: Incorrect Reward Calculation
Impact: $125,000
Chain: Ethereum
References:
Sora
Date: January 04, 2025
Attack Vector: Reward Manipulation
Impact: $43,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1875582709512188394
https://nickfranklin.site/2025/01/08/sorra-staking-hacked/
Exploit:
https://etherscan.io/tx/0x6439d63cc57fb68a32ea8ffd8f02496e8abad67292be94904c0b47a4d14ce90d
https://etherscan.io/tx/0x03ddae63fc15519b09d716b038b2685f4c64078c5ea0aa71c16828a089e907fd