Forwarded from Kotya security (Vlad)
Hello everyone!
I have been actively working with @userw01 on the article lately. In the "Cracks in the Code: Understanding the Vulnerabilities of AMM Protocols" article, we dive deep into the key features of AMM protocols, explore the most popular protocol types, discuss common attack vectors with lots of examples, and provide tips for auditors.
Check out the article here: https://millietez.medium.com/cracks-in-the-code-understanding-the-vulnerabilities-of-amm-protocols-2f5b360e159e
https://mirror.xyz/millietez.eth/ixD3xe-Q7JQowYcIFmGKxkPae_C5tCN9kWn9jXUhnKk
Enjoy the read!
I have been actively working with @userw01 on the article lately. In the "Cracks in the Code: Understanding the Vulnerabilities of AMM Protocols" article, we dive deep into the key features of AMM protocols, explore the most popular protocol types, discuss common attack vectors with lots of examples, and provide tips for auditors.
Check out the article here: https://millietez.medium.com/cracks-in-the-code-understanding-the-vulnerabilities-of-amm-protocols-2f5b360e159e
https://mirror.xyz/millietez.eth/ixD3xe-Q7JQowYcIFmGKxkPae_C5tCN9kWn9jXUhnKk
Enjoy the read!
β€6π3
What is the use of the signextend opcode?SIGNEXTEND performs the necessary sign extension when working with two's complement encoded signed integers in EVM. This allows operations on the values to produce the expected results for both positive and negative numbers. when there are negative numbers in calldata it cost more gas because the minor encoding, checking, arithmetic and comparison differences for negative numbers are why they cost slightly more gas than equivalent positive values. The EVM optimizes for the common case of non-negatives. why an int256 variable that stores -1 look like in hex?-1 stored as an int256 in Ethereum would be represented by the full 256-bit hex value ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff.
In binary, -1 is 1111111111111111111111111111111111111111111111111111111111111111
Converting that binary value to hex, we get:
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Why is it important to ECDSA sign a hash rather than an arbitrary bytes32? hashing first before signing provides critical security properties like preimage resistance, binding signatures to data, canonical encoding and data integrity that direct signing of arbitrary bytes lacks. It's an important step for ECDSA signatures to provide robust cryptographic protection.
@EthSecurity1
In binary, -1 is 1111111111111111111111111111111111111111111111111111111111111111
Converting that binary value to hex, we get:
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Why is it important to ECDSA sign a hash rather than an arbitrary bytes32? hashing first before signing provides critical security properties like preimage resistance, binding signatures to data, canonical encoding and data integrity that direct signing of arbitrary bytes lacks. It's an important step for ECDSA signatures to provide robust cryptographic protection.
@EthSecurity1
β€3β‘1π1
Risks on CEXβs Confirmation Number on Arbitrum and Optimism https://medium.com/chainlight/patch-thursday-risks-on-cexs-confirmation-on-arbitrum-and-optimism-7ee25a1d58bf Post-Mortem Report: Sequencer Downtime and L1 Gas Pricing Issue
https://github.com/ArbitrumFoundation/docs/blob/50ee88b406e6e5f3866b32d147d05a6adb0ab50e/postmortems/15_Dec_2023.md MEV BOOK https://www.monoceros.com/insights/maximal-extractable-value-book
Mev & evolution of crypto exchange
https://archetype.mirror.xyz/DVJFtcEcdTqk4DxC3VX4McgyjfktXF05pCG1LFtB4-E @EthSecurity1
https://github.com/ArbitrumFoundation/docs/blob/50ee88b406e6e5f3866b32d147d05a6adb0ab50e/postmortems/15_Dec_2023.md MEV BOOK https://www.monoceros.com/insights/maximal-extractable-value-book
Mev & evolution of crypto exchange
https://archetype.mirror.xyz/DVJFtcEcdTqk4DxC3VX4McgyjfktXF05pCG1LFtB4-E @EthSecurity1
Medium
Exploring Finality Risks of Ethereum L2 From a CEX Perspective
In this article, we analyze how the transactions of Ethereum Layer 2 chains get finalized and observe the approaches of various CEXs.
β€4π1
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-novel-ecdsa-attack-and-bitcoin-tears/ Encrypted mempools https://joncharbonneau.substack.com/p/encrypted-mempools @EthSecurity1
Kudelskisecurity
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears - Kudelski Security Research Center
Mar 06, 2023 - Nils Amiet -
Halting the Solana Blockchain with Epsilon Stake https://tik-old.ee.ethz.ch/file/9d40dad802dd12d9ba1f1b7c1759920c/Solana___ICDCN_24.pdf
@EthSecurity1
@EthSecurity1
β‘1
what is domain separator?
The domain separator helps prevent signature reuse attacks in DeFi protocols by making signatures unique to a particular contract and message type. Here are some more details:
Without a domain separator, a signature could potentially be reused for different messages or contracts. This enables various attacks.
For example, a signature approving a small transfer amount could be reused to approve a large transfer on another contract.Or a signature meant for a benign callback could be reused to trigger funds transfers.
The domain separator binds a signature to a specific contract address and message type.
It is computed from the contract address, a salt value, and the message EIP-712 typehash.When generating a signature, the signer computes and includes the domain separator.When verifying a signature, the contract recomputes the expected domain separator.If the domain separators don't match, the signature is invalid for that context.
This prevents simply replaying a signature on another contract/message type.
Even a tiny change to the contract address, salt, or message typehash invalidates old signatures.
So attackers cannot trivially transfer or forge signatures between contexts.
some potential pitfalls:
Forgetting to specify the domain separator when verifying signatures. This would allow cross-contract/message replay attacks.
Using a constant/hardcoded domain separator value rather than computing it dynamically. This defeats the purpose of making it context-specific.
Not updating the salt value periodically. Over time, old signatures could potentially be replayed on contracts with the same address.
Computing the domain separator incorrectly, such as omitting important components like the contract address. This could again allow reuse across contexts.
Failing to sanitize or validate input values used in domain separator computation. These should not be attacker-controlled.
Setting domain separators on a per-function rather than per-contract basis. This doesn't fully isolate signatures to a single context.
Not accounting for potential metadata like chain/network ID in domain separators. Signatures may not be cross-chain compatible.
Not versioning the domain separator format or hashing algorithm over time. Old styles could be replayed.
Failing to specify expected calldata/function signature when relevant. Signatures for calls are less isolated.
Not regenerating domain separators when upgrading a contract implementation. Old contexts may be accessible.
β
Insufficient entropy or non-randomness in salt values, compromising uniqueness over time.@EthSecurity1
The domain separator helps prevent signature reuse attacks in DeFi protocols by making signatures unique to a particular contract and message type. Here are some more details:
Without a domain separator, a signature could potentially be reused for different messages or contracts. This enables various attacks.
For example, a signature approving a small transfer amount could be reused to approve a large transfer on another contract.Or a signature meant for a benign callback could be reused to trigger funds transfers.
The domain separator binds a signature to a specific contract address and message type.
It is computed from the contract address, a salt value, and the message EIP-712 typehash.When generating a signature, the signer computes and includes the domain separator.When verifying a signature, the contract recomputes the expected domain separator.If the domain separators don't match, the signature is invalid for that context.
This prevents simply replaying a signature on another contract/message type.
Even a tiny change to the contract address, salt, or message typehash invalidates old signatures.
So attackers cannot trivially transfer or forge signatures between contexts.
some potential pitfalls:
Forgetting to specify the domain separator when verifying signatures. This would allow cross-contract/message replay attacks.
Using a constant/hardcoded domain separator value rather than computing it dynamically. This defeats the purpose of making it context-specific.
Not updating the salt value periodically. Over time, old signatures could potentially be replayed on contracts with the same address.
Computing the domain separator incorrectly, such as omitting important components like the contract address. This could again allow reuse across contexts.
Failing to sanitize or validate input values used in domain separator computation. These should not be attacker-controlled.
Setting domain separators on a per-function rather than per-contract basis. This doesn't fully isolate signatures to a single context.
Not accounting for potential metadata like chain/network ID in domain separators. Signatures may not be cross-chain compatible.
Not versioning the domain separator format or hashing algorithm over time. Old styles could be replayed.
Failing to specify expected calldata/function signature when relevant. Signatures for calls are less isolated.
Not regenerating domain separators when upgrading a contract implementation. Old contexts may be accessible.
β
Insufficient entropy or non-randomness in salt values, compromising uniqueness over time.@EthSecurity1
π6β€3
New year start with new loss. Orbit Bridge ~81.5 m $
Happy new year
Happy new year
β‘8π₯5π’2π1
Twice hack 4.5 m$
https://www.theblock.co/post/270080/radiant-capital-reportedly-hacked-eth?utm_source=telegram1&utm_medium=social
@EthSrcurity1
https://www.theblock.co/post/270080/radiant-capital-reportedly-hacked-eth?utm_source=telegram1&utm_medium=social
@EthSrcurity1
The Block
Radiant Capital reportedly hacked for $4.5 million worth of ETH
Cross-chain lending protocol Radiant Capital was hacked for 1,900 ETH, blockchain security firm PeckShield reported on X today.
π₯2π1
EthSecurity
One common vulnerability with the ecrecover function in Solidity is malleability of signatures. ecrecover is used to recover the address that signed a message from an elliptic curve signature. However, signatures in crypto systems like Ethereum are malleable.β¦
ECRecover and Signature Verification in Ethereum https://coders-errand.com/ecrecover-signature-verification-ethereum/
This blog has great articles about cryptography and ZK
And sure watch this
Ethereum yellow paper
https://youtu.be/e84V1MxRlYs?si=ysB4c21fT9Ce024u
@EthSecurity1
This blog has great articles about cryptography and ZK
And sure watch this
Ethereum yellow paper
https://youtu.be/e84V1MxRlYs?si=ysB4c21fT9Ce024u
@EthSecurity1
Coder's Errand
ECRecover and Signature Verification in Ethereum β’ Coder's Errand
This post explains how Ethereum signatures differ from standard ECDSA signatures, and how to use ECRecover to verify them.
π₯2
DYDX exploite post-mortem
https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack
Gamma protocol is third hack in 2024
https://twitter.com/GammaStrategies/status/1742882840247779453
@Ethsecurity1
https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack
Gamma protocol is third hack in 2024
https://twitter.com/GammaStrategies/status/1742882840247779453
@Ethsecurity1
The Block
DeFi exchange dYdX publishes post-mortem on $9 million November attack
The decentralized exchange said it has identified the attacker behind the $9 million attack, and it is reviewing legal options.
gamma exploit post_mortem 6.18 m $ loss https://medium.com/gamma-strategies/post-mortem-remediation-plan-9a62f10d90f3 @EthSecurity1
Medium
Post-Mortem & Remediation Plan
Incident Summary
π4β‘1
Forwarded from Rektoff
We are glad to opensource our holistic security strategy for Solana dev teams.
Here is a Systematic Security Roadmap for a full lifecycle of Solana applications.
https://github.com/Rektoff/Security-Roadmap-for-Solana-applications
https://x.com/rektoff_xyz/status/1744771734782263613?s=20
Here is a Systematic Security Roadmap for a full lifecycle of Solana applications.
https://github.com/Rektoff/Security-Roadmap-for-Solana-applications
https://x.com/rektoff_xyz/status/1744771734782263613?s=20
GitHub
GitHub - Rektoff/Security-Roadmap-for-Solana-applications: We are systematizing everything we know about Solana security into oneβ¦
We are systematizing everything we know about Solana security into one structured resource: the Solana Security Strategy. Itβs a field-tested knowledge base for teams building serious products β pa...
β€5
2023 web3security Facts:
83% of protocols hacked in 2023 was audited
56.7% rugpulls happened in BSC
Certik-Peckshield-slowmist- Quantstamp are firms that performed security audits on exploited projects(before exploit).
62% projects compensated after exploit
34% projects audited after the exploits
78% attackers accepted bug bounty
@EthSecurity1
83% of protocols hacked in 2023 was audited
56.7% rugpulls happened in BSC
Certik-Peckshield-slowmist- Quantstamp are firms that performed security audits on exploited projects(before exploit).
62% projects compensated after exploit
34% projects audited after the exploits
78% attackers accepted bug bounty
@EthSecurity1
π9π₯4β‘1π1
Near smart contract security course https://www.youtube.com/playlist?list=PL7Gwuo_MOL740lhKTvouCJvk4sAyuqZqT
Near protocol lay off 50% of staff
ZKP Series: Principles and
Implementation of Extensibility Attacks on Groth16 Proofs https://slowmist.medium.com/zkp-series-principles-and-implementation-of-extensibility-attacks-on-groth16-proofs-aedcd703323a @EthSecurity1
Near protocol lay off 50% of staff
ZKP Series: Principles and
Implementation of Extensibility Attacks on Groth16 Proofs https://slowmist.medium.com/zkp-series-principles-and-implementation-of-extensibility-attacks-on-groth16-proofs-aedcd703323a @EthSecurity1
Medium
ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs
Why Groth16 is Vulnerable to Scalability Attacks?
https://cointelegraph.com/news/trezor-discloses-66k-users-affected-phishing-attack
Seems trustwallet used trezor library too. Code suffers randomness issues
Seems trustwallet used trezor library too. Code suffers randomness issues
Cointelegraph
Trezor discloses 66K users affected by phishing attackpost.title.seo-tail
Hardware wallet Trezor has flagged a security breach that exposed the contact information of nearly 66,000 users, according to a Jan. 20 announcement.
π’4β‘1π€1
Ethereum Smart Contract Auditor's 2023 Rewind https://ventral.digital/posts/2024/1/19/ethereum-smart-contract-auditors-2023-rewind/ Top 10 Blockchain Hacking Techniques of 2023 https://blog.openzeppelin.com/top-10-blockchain-hacking-techniques-of-2023-submissions-open @EthSecurity1
ventraldigital
Ethereum Smart Contract Auditor's 2023 Rewind β’ Ventral Digital
Ventral Digital LLC is a research and consultancy firm specializing in Information Security and Privacy.
π6
In orbit accident I was wondering how keys compromised. This is post-mortem:
https://medium.com/orbit-chain/official-statement-regarding-orbit-bridge-exploit-551928f3dc52
And MIM hack analysis
https://x.com/kankodu/status/1752581744803680680?s=61
@EthSecurity1
https://medium.com/orbit-chain/official-statement-regarding-orbit-bridge-exploit-551928f3dc52
And MIM hack analysis
https://x.com/kankodu/status/1752581744803680680?s=61
@EthSecurity1
Medium
Official Statement Regarding βOrbit Bridge Exploitβ
Hello, Orbit Chain Community.
π₯4
Forwarded from Investigations by ZachXBT
It appears a Ripple insider was hacked for ~213M XRP ($112.5M)
Source address
rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm
So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc
Update: Confirmation of the hack from Chris Larsen (Ripple Co-Founder & Executive Chairman)
Theft addresses
rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg
rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV
rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t
rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa
rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT
rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w
rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj
rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7
Source address
rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm
So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc
Update: Confirmation of the hack from Chris Larsen (Ripple Co-Founder & Executive Chairman)
Theft addresses
rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg
rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV
rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t
rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa
rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT
rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w
rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj
rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7
π3π€―2