EthSecurity
One common vulnerability with the ecrecover function in Solidity is malleability of signatures. ecrecover is used to recover the address that signed a message from an elliptic curve signature. However, signatures in crypto systems like Ethereum are malleable.β¦
ECRecover and Signature Verification in Ethereum https://coders-errand.com/ecrecover-signature-verification-ethereum/
This blog has great articles about cryptography and ZK
And sure watch this
Ethereum yellow paper
https://youtu.be/e84V1MxRlYs?si=ysB4c21fT9Ce024u
@EthSecurity1
This blog has great articles about cryptography and ZK
And sure watch this
Ethereum yellow paper
https://youtu.be/e84V1MxRlYs?si=ysB4c21fT9Ce024u
@EthSecurity1
Coder's Errand
ECRecover and Signature Verification in Ethereum β’ Coder's Errand
This post explains how Ethereum signatures differ from standard ECDSA signatures, and how to use ECRecover to verify them.
π₯2
DYDX exploite post-mortem
https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack
Gamma protocol is third hack in 2024
https://twitter.com/GammaStrategies/status/1742882840247779453
@Ethsecurity1
https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack
Gamma protocol is third hack in 2024
https://twitter.com/GammaStrategies/status/1742882840247779453
@Ethsecurity1
The Block
DeFi exchange dYdX publishes post-mortem on $9 million November attack
The decentralized exchange said it has identified the attacker behind the $9 million attack, and it is reviewing legal options.
gamma exploit post_mortem 6.18 m $ loss https://medium.com/gamma-strategies/post-mortem-remediation-plan-9a62f10d90f3 @EthSecurity1
Medium
Post-Mortem & Remediation Plan
Incident Summary
π4β‘1
Forwarded from Rektoff
We are glad to opensource our holistic security strategy for Solana dev teams.
Here is a Systematic Security Roadmap for a full lifecycle of Solana applications.
https://github.com/Rektoff/Security-Roadmap-for-Solana-applications
https://x.com/rektoff_xyz/status/1744771734782263613?s=20
Here is a Systematic Security Roadmap for a full lifecycle of Solana applications.
https://github.com/Rektoff/Security-Roadmap-for-Solana-applications
https://x.com/rektoff_xyz/status/1744771734782263613?s=20
GitHub
GitHub - Rektoff/Security-Roadmap-for-Solana-applications: We are systematizing everything we know about Solana security into oneβ¦
We are systematizing everything we know about Solana security into one structured resource: the Solana Security Strategy. Itβs a field-tested knowledge base for teams building serious products β pa...
β€5
2023 web3security Facts:
83% of protocols hacked in 2023 was audited
56.7% rugpulls happened in BSC
Certik-Peckshield-slowmist- Quantstamp are firms that performed security audits on exploited projects(before exploit).
62% projects compensated after exploit
34% projects audited after the exploits
78% attackers accepted bug bounty
@EthSecurity1
83% of protocols hacked in 2023 was audited
56.7% rugpulls happened in BSC
Certik-Peckshield-slowmist- Quantstamp are firms that performed security audits on exploited projects(before exploit).
62% projects compensated after exploit
34% projects audited after the exploits
78% attackers accepted bug bounty
@EthSecurity1
π9π₯4β‘1π1
Near smart contract security course https://www.youtube.com/playlist?list=PL7Gwuo_MOL740lhKTvouCJvk4sAyuqZqT
Near protocol lay off 50% of staff
ZKP Series: Principles and
Implementation of Extensibility Attacks on Groth16 Proofs https://slowmist.medium.com/zkp-series-principles-and-implementation-of-extensibility-attacks-on-groth16-proofs-aedcd703323a @EthSecurity1
Near protocol lay off 50% of staff
ZKP Series: Principles and
Implementation of Extensibility Attacks on Groth16 Proofs https://slowmist.medium.com/zkp-series-principles-and-implementation-of-extensibility-attacks-on-groth16-proofs-aedcd703323a @EthSecurity1
Medium
ZKP Series: Principles and Implementation of Extensibility Attacks on Groth16 Proofs
Why Groth16 is Vulnerable to Scalability Attacks?
https://cointelegraph.com/news/trezor-discloses-66k-users-affected-phishing-attack
Seems trustwallet used trezor library too. Code suffers randomness issues
Seems trustwallet used trezor library too. Code suffers randomness issues
Cointelegraph
Trezor discloses 66K users affected by phishing attackpost.title.seo-tail
Hardware wallet Trezor has flagged a security breach that exposed the contact information of nearly 66,000 users, according to a Jan. 20 announcement.
π’4β‘1π€1
Ethereum Smart Contract Auditor's 2023 Rewind https://ventral.digital/posts/2024/1/19/ethereum-smart-contract-auditors-2023-rewind/ Top 10 Blockchain Hacking Techniques of 2023 https://blog.openzeppelin.com/top-10-blockchain-hacking-techniques-of-2023-submissions-open @EthSecurity1
ventraldigital
Ethereum Smart Contract Auditor's 2023 Rewind β’ Ventral Digital
Ventral Digital LLC is a research and consultancy firm specializing in Information Security and Privacy.
π6
In orbit accident I was wondering how keys compromised. This is post-mortem:
https://medium.com/orbit-chain/official-statement-regarding-orbit-bridge-exploit-551928f3dc52
And MIM hack analysis
https://x.com/kankodu/status/1752581744803680680?s=61
@EthSecurity1
https://medium.com/orbit-chain/official-statement-regarding-orbit-bridge-exploit-551928f3dc52
And MIM hack analysis
https://x.com/kankodu/status/1752581744803680680?s=61
@EthSecurity1
Medium
Official Statement Regarding βOrbit Bridge Exploitβ
Hello, Orbit Chain Community.
π₯4
Forwarded from Investigations by ZachXBT
It appears a Ripple insider was hacked for ~213M XRP ($112.5M)
Source address
rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm
So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc
Update: Confirmation of the hack from Chris Larsen (Ripple Co-Founder & Executive Chairman)
Theft addresses
rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg
rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV
rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t
rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa
rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT
rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w
rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj
rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7
Source address
rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm
So far the stolen funds have been laundered through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc
Update: Confirmation of the hack from Chris Larsen (Ripple Co-Founder & Executive Chairman)
Theft addresses
rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg
rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV
rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t
rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa
rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT
rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w
rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj
rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7
π3π€―2
Forwarded from Crypto Goodreads
Vitalik wrote about risks of restaking in this article from May 2023.
Good to take a step back sometimes and look at the safety too
π
https://vitalik.eth.limo/general/2023/05/21/dont_overload.html
Good to take a step back sometimes and look at the safety too
π
https://vitalik.eth.limo/general/2023/05/21/dont_overload.html
Warpcast is strange! Get approves account keys onchain and store eth keys on it's server :(
Eth keys : hold asset(EOA)
@Ethsecurity1
Eth keys : hold asset(EOA)
@Ethsecurity1
π10π€¬2
- PlayDapp Heist: Attackers minted 200M PLA tokens, valuing a massive $31M loss. A significant portion, $5.9M worth, found its way to the Gate platform. The exploit was due to a security vulnerability. @EthSecurity1
π₯3π2π±2
considering Blast as clone of optimism ToB found only 1 Low on Blast, when Spearbit found 6 Crit, 6 H, 11 M and 14 L https://github.com/trailofbits/publications/blob/master/reviews/2024-01-metalayerblast-securityreview.pdf
https://github.com/spearbit/portfolio/blob/master/pdfs/report-blast-contracts-review-draft.pdf
Blast source code deep dive:
https://twitter.com/jarrodWattsDev/status/1727584394796323042?s=20
@EthSecurity1
https://github.com/spearbit/portfolio/blob/master/pdfs/report-blast-contracts-review-draft.pdf
Blast source code deep dive:
https://twitter.com/jarrodWattsDev/status/1727584394796323042?s=20
@EthSecurity1
GitHub
publications/reviews/2024-01-metalayerblast-securityreview.pdf at master Β· trailofbits/publications
Publications from Trail of Bits. Contribute to trailofbits/publications development by creating an account on GitHub.
π9
#Scam
1- Create Github PR with scam massage
2- Tag targets
3- Scam message will be emailed to targets from Github
@Ethsecurity1
1- Create Github PR with scam massage
2- Tag targets
3- Scam message will be emailed to targets from Github
@Ethsecurity1
π5
Affine Defi Hack explained https://medium.com/@0kage/hack-series-deep-dive-chapter-2-affine-da2d7b0bbefd and POC: https://github.com/0kage-eth/hacks-poc-database/blob/main/test/02-AffineExploit0224.t.sol Plonky2x Audit Report https://hackmd.io/qS36EcIASx6Gt_2uNwlK4A @EthSecurity1
Medium
0Kage Diaries Chapter 2 β Affine
Disclaimer: The opinions expressed here are solely my own and do not reflect the views or opinions of organizations I am affiliated withβ¦
π₯3
Seneca Protocol has a critical approval exploit (open external call). $6m+ lost so far across eth/arb ADDRESSES TO REVOKE: 0xbc83f2711d0749d7454e4a9d53d8594df0377c05 (MAINNET)
0x2d99e1116e73110b88c468189aa6af8bb4675ec9 (ARBITRUM)
NOTE: contract was pausable but written in internal functions there is no way to call them.
@EthSecurity1
0x2d99e1116e73110b88c468189aa6af8bb4675ec9 (ARBITRUM)
NOTE: contract was pausable but written in internal functions there is no way to call them.
@EthSecurity1
π¨4π₯1π1
the "EVM from scratch" book. https://evm-from-scratch.xyz/intro.html ZK proofs ELI5. A fun way to understand circuits and even play with them directly in your browser. eli5.zksync.io @EthSecurity1
β€6π1