Brief Analysis of TornadoCash Governance Exploit

On May 20, 2023, @TornadoCash suffered a governance attack, in which exploiters took control of the governance of TornadoCash by executing a malicious proposal.

Let's see how it happened:

Exploiters first created the proposal… twitter.com/i/web/status/1… On 2023-05-13 at 7:22 (UTC), exploiters initiated the #20 proposal and explained in the proposal that the #20 proposal is a supplement to the #16 proposal and has the same execution logic.

🚨SlowMist Security Alert 🚨

On May 11th, a user reported a phishing attack leading to the loss of their wallet assets, raising security concerns around permit signatures. This thread is dedicated to understanding the nature of this theft and how we can stay secure.🔐👇

Full… twitter.com/i/web/status/1… The victim reported that they inadvertently clicked on a phishing website (syncswap[.]network) and ended up losing over $100. As insignificant as this may seem, it emphasizes the potential security risks in the blockchain space.🔗

An analysis of the transactions reveals a… twitter.com/i/web/status/1…

🚨SlowMist Security Alert🚨

Recently, there have been a lot of asset thefts caused by shared #Apple IDs. We believe that the key is "apps are not bound to device codes". 1/ This is an issue prevalent in 99% of #wallets, trading apps,and other apps. It's a concern we've voiced a long time ago. However, due to it not being considered in the initial stages of app design, the majority of apps in the market have yet to rectify this issue.

How effective is GPT for auditing smart contracts?

We conducted a series of tests to assess the performance of GPT-3.5(Web), GPT-3.5-turbo-0301, and GPT-4(Web) in detecting vulnerabilities within Solidity smart contracts.

🧵👇 for TLDR
slowmist.medium.com/how-effective-… Test Environment & Methodology:

We utilized simple vulnerability codes and moderately complex vulnerability codes as test cases.

The comparative analysis focused on the three GPT models' ability to identify these vulnerabilities.

On March 13th, 2023, @eulerfinance, a lending platform that operates on the Ethereum blockchain, was attacked, resulting in the attacker making off with over $190 million.

🧵👇 The attacker used flashloans to deposit funds and then leveraged them twice to trigger the liquidation logic, donating the funds to the reserve address and conducting a self-liquidation to collect any remaining assets.

🚨SlowMist Security Alert🚨

On February 10th, the DeFi aggregator platform @dForcenet was attacked, and the attacker made a profit of approximately 3.65 million dollars.

Here is a brief report👇 1/ The attacker first borrowed 69665 WETH through a flashloan and swapped it into ETH, then added liquidity to the wstETH/ETH pool on Curve, earning 65343 wstETHCRV. Then deposited some of the wstETHCRV in the Curve wstETHCRV-gauge, receiving wstETHCRV-gauge tokens.

🚨SlowMist Security Alert🚨

On February 2, the @BonqDAO on the Polygon chain was attacked, the total profit of the exploiter is 113M WALBT and 98.6M BEUR.

Here is a brief report:👇 1/ The key restriction of the TellorFlex price oracle update process must stake 10 TRBs at first. However, the updateStakeAmount function in TellorFlex allows for the required staked amount of TRBs by the oracle to be regularly adjusted based on the value of the collateral.

🚨SlowMist Security Alert🚨

North Korean APT group targeting NFT users with large-scale phishing campaign

This is just the tip of the iceberg. Our thread only covers a fraction of what we've discovered.

Let's dive in On September 4, Twitter user PhantomXSec tweeted that the North Korean APT organization had conducted a large-scale phishing campaign targeting dozens of ETH and SOL projects.

The list of specific domain names is as follows:

https://twitter.com/PhantomXSec/status/1566219671057371136

🚨SlowMist Security Alert🚨

@ankr deployer’s key was suspected to be leaked, and the hacker minted a total of 60 trillion aBNBc. Part of the funds has been cross-chained from BSC to ETH and Polygon. Currently, 900 BNB were transferred to @TornadoCash. 1/ Using our AML platform @MistTrack_io, we can see the hacker interacted with following:

@CelerNetwork
@MultichainOrg
@deBridgeFinance
@1inch
@PancakeSwap
@SushiSwap
@paraswap

🚨SlowMist Security Alert🚨

1/ According to the reports of many victims, transfers of 0 USDT from unrecognized addresses continued to show in the address transaction history of TRON network users, with the "TransferFrom" function being called in each instance. 2/ Clicking on a random transaction to view its details:

This transaction is a call to the function "TransferFrom", which allows the address beginning with TCwd to transfer 0 USDT from the address beginning with TAk5 to an address starting with TMfh.

Following the theft of @boshen1011's personal wallet, we were immediately tasked with the investigation.

We began by conducting an on-chain analysis of the stolen assets and the hackers’ address.

Here's what we found👇

https://twitter.com/boshen1011/status/1595239850596306944

@boshen1011 1/ Reason for theft: Mnemonic words compromise

Wallet used at the time of the theft: Trust Wallet

Amount: 38,233,180 $USDC + 1,607 $ETH + 719,760 $USDT + 4.13 $BTC

Quick 🧵on @FTX_Official Hack

Total stolen so far: $417M

Hackers address on:
ETH / BSC / Avalanche: 0x59ab..d32b
Solana: 6sEk..hSHH

Thread Coverage:
1/Assets Stolen
2/ Swapped / Bridged Funds
2/ Assets Frozen
3/ Platforms Used
4/ Notable Transactions
5/Suspected Whitehats Assets Stolen

We used our @MistTrack_io OpenAPI to examine FTX withdrawals in the past couple days.

Starting on the #TRON network, most funds were sent to Binance, FTX US, and OKX via TYD....tW6. Binance also received the greatest number of deposits from FTX, followed by KuCoin and OKX. Switching over to the ETH network, FTX hot wallet 0x2f...6ad2 transferred most of the funds @binance, followed by @krakenfx and @coinbase .

When it comes to the exchange of choice for withdrawals, most choose Binance, then @Bybit_Official and Kraken.

On November 9, 2022, the brahTOPG project on the ETH chain was attacked, leading to the loss of $89,879.

We conducted an investigation into this incident and these were our findings. 1. The attacker first queries the balance of the victim user 0x392472, and then calls the zapIn function of the Zapper contract.

⚠️SlowMist Security Alert⚠️

The Swap contract for the @Rabby_io wallet is currently being exploited. Please revoke all existing approvals 𝐀𝐒𝐀𝐏.

https://twitter.com/Rabby_io/status/1579819525494960128

On Oct 11, 2022, the Swap contract on @Rabby_io was attacked on the ETH chain. The token exchange function in the contract was directly called externally through the functionCallWithValue function in the OpenZeppelin Address library.

Over half a BILLION dollars worth of $BNB was recently hacked.

The hacker is now trying to spread the funds to every network to launder the funds. Even after spending over ~980K $BNB, they still have ~$1M $BNB

🚨 SlowMist Security Alert🚨

Brief Analysis of New Free DAO Exploit

Early today, our security team detected that New Free Dao, a project on the BSC chain, suffered a flashloan attack.

Here's what happened: 🧵👇 1. The attacker borrowed a large sum of $WBNB from Pancake via a flashloan and exchanged it for $NFD tokens.

2. Transfers the $NFD tokens in step one to the attack contract, which creates a second attack contract to receive the funds.

🚨 SlowMist Security Alerts🚨

Recently, we've seen a new phishing attack against the crypto community. Scammers are currently soliciting victims to participate in beta testing in return for financial compensation.

Here's how it works🧵👇 Typically, scammers will contact victims through Discord or other messaging apps and send over a compressed file.

The file is generally an 800M exe file, once opened, it will scan your computer for files containing keywords such as "wallet" and send them to the scammer.

Week 17 of our "What is Series"🧑‍🎓

What is EVM❓

The Ethereum Virtual Machine (EVM) is a computing engine that can be thought of as a distributed computer with millions of executable applications. While the EVM's representation cannot be pinpointed like a cloud or an ocean wave, it does exist as a whole and is maintained by thousands of interconnected computers each running the Ethereum client.

Going Above And Beyond🙌

We’ve expanded our consulting services to help support #Web3 projects stay secure from A to Z.

Our services will not only include on-chain support such as smart contract auditing but off-chain as well. Web3 services include:

1. Complete Security Analysis
2. On-chain Emergency Response Service
3. Threat Intelligence Sharing (Vulnerabilities&Risks)
4. Product Testing of Security Service (@MistTrack_io, Smart Contract Monitoring)
5. Priority Scheduling of Security Audit Services

Let’s Recap on Some Web3 Incidents This Week
1. @Mysten_Labs Discord Compromised
2. @OptifiLabs Locked 661K $USDC Forever
3. @KyberNetwork Front End Attack
4. Bill Murry's Charity NFT Hacked for $174K
5. @ShadowFi_ Exploited for ~$300K

Details 👇 Event: @Mysten_Labs Discord Compromised

On Aug 27, the official discord account of @Mysten_Labs was compromised. The team strongly urged users to not click on any links posted in the last few hours, but it was already too late for some.

https://twitter.com/Mysten_Labs/status/1563546631269597187