BlockThreat - Week 1, 2025
Fx Protocol | Sora | PumpTokenFactory | Tangem | 98 | StakeOM | BNPL
Happy New Year!
At the start of the year, there were only a few minor incidents, all resulting in losses under $300K. Fx Protocol made a costly mistake when calculating rewards for the ever-increasing wstETH asset, which cost it $125K. However, the most notable case involved the PumpTokenFactory, which deployed flawed token template code. This vulnerability led to a series of price oracle exploits affecting Laura, Luke, and other tokens. The incident bears similarities to the GemPad compromise from a few weeks ago, where $2M was stolen through reentrancy attacks targeting multiple factory tokens.
It’s concerning to see these patterns emerge. Hopefully, the crypto ecosystem can avoid the kind of mass exploitation events that plague the Web2 world—such as the persistent vulnerabilities in platforms like WordPress, Drupal, and other low-code/no-code solutions.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
Events
- Remedy CTF 2025. January 24th, 2025.
News
- 2024 Web3 Security Report by CyVers.
- Hack3d: The Web3 Security Report 2024 by CertiK.
- 2024 Q4 MistTrack Stolen Funds Analysis by Slowmist.
- Scam Sniffer 2024: Web3 Phishing Attacks – Wallet Drainers Drain $494 Million.
- 2024 Blockchain Security and Anti-Money Laundering Annual Report by Slowmist.
- Man Dies by Suicide After Being Convicted of ‘Rug Pull,’ Family Says. A tragic end to the Undead Apes saga.
Crime
- Tether, Tron and TRM Labs Help Freeze $126 Million in USDT Linked to Crime.
- South African Authorities Arrest Man Accused of Using Bitcoin to Fund Terrorist Activities.
- Do Kwon Extradited To The United States From Montenegro To Face Charges Relating To Fraud Resulting In $40 Billion In Losses.
Policy
- Thread on unredacted OCP 2.0 letters from FDIC by Paul Grewal.
Scams
- Trapped Between Protocols by Rekt.
- 39 Ways You Could Lose Money in Crypto: How to Keep Your Money Safe by Sage D. Young (Unchained).
Malware
- North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign by dmpdump.
- Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT.
Research
- A Tale of Two Calls: How a Reentrancy Attack Can Take Over Maker's CDPs by Adriro.
- Detecting Financial Bots on the Ethereum Blockchain.
- Collaborative Approaches to Enhancing Smart Vehicle Cybersecurity by AI-Driven Threat Detection.
- An elaborate scheme to acquire a free coffee, Mr. X pays his barista in New York with a bitcoin transaction (TX1) and simultaneously broadcasts a second bitcoin transaction out of Shanghai (TX2) by Peter R. Rizun.
- How Concentrated Liquidity in Uniswap V3 Works by RareSkills.
- Concentrated Liquidity - Sticky Tick Boundaries by Joran Honig.
Hacks
Tangem Wallet
Date: December 30, 2024
Attack Vector: Stolen Private Keys
Impact: Assets Stolen
References:
https://x.com/UnderCoercion/status/1873935870778368040
PumpTokenFactory: Laura, Luke, dEGG
Date: January 01, 2025
Attack Vector: Price Oracle Manipulation
Impact: $65,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1874455664187023752
https://x.com/TenArmorAlert/status/1874458584727396529
https://x.com/TenArmorAlert/status/1874464390835216768
https://nickfranklin.site/2025/01/08/laura-token-exploit/
BNPL
Date: January 03, 2025
Attack Vector: Price Oracle Manipulation
Impact: $14,200
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1875372390420521196
StakeOM
Date: January 04, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1875788933218316549
98
Date: January 04, 2025
Attack Vector: Misconfiguration
Impact: $28,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1875462686353363435
https://x.com/Hermione7812/status/1875712522357240143
Fx Protocol
Date: January 04, 2025
Attack Vector: Incorrect Reward Calculation
Impact: $125,000
Chain: Ethereum
References:
Sora
Date: January 04, 2025
Attack Vector: Reward Manipulation
Impact: $43,000
Chain: Ethereum
References: