#Scam
1- Create GitHub PR with scam message
2- Tag targets
3- Scam message will be emailed to targets from GitHub
@Ethsecurity1
Affine DeFi Hack explained https://medium.com/@0kage/hack-series-deep-dive-chapter-2-affine-da2d7b0bbefd and PoC: https://github.com/0kage-eth/hacks-poc-database/blob/main/test/02-AffineExploit0224.t.sol
Plonky2x Audit Report https://hackmd.io/qS36EcIASx6Gt_2uNwlK4A
@EthSecurity1
Medium
0Kage Diaries Chapter 2 - Affine
Disclaimer: The opinions expressed here are solely my own and do not reflect the views or opinions of organizations I am affiliated with…
Seneca Protocol has a critical approval exploit (open external call). $6m+ lost so far across ETH/ARB. ADDRESSES TO REVOKE: 0xbc83f2711d0749d7454e4a9d53d8594df0377c05 (MAINNET)
0x2d99e1116e73110b88c468189aa6af8bb4675ec9 (ARBITRUM)
NOTE: the contract was pausable, but the pause logic was written in internal functions, so there is no way to call them.
@EthSecurity1
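The two defects named in the Seneca post (an open external call in a contract that holds user token approvals, and pause logic that is internal-only) are a recognisable pattern. The contracts below are an added, constructed illustration written for this page; they are not Seneca's code, and the names OpenCallVault, HardenedVault, execute, allowedTarget and isTrackedToken are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (not Seneca's code). Users grant ERC-20 approvals to the
// vault so it can move their tokens on their behalf.
contract OpenCallVault {
    // VULNERABLE: anyone can make this contract call any target with any calldata.
    // Since users approved this contract as a token spender, the vault itself can be
    // made to call a token's transferFrom() against those approvals. This is the
    // "open external call" + "approval exploit" combination from the post.
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    // Pausable in name only: the switch exists but nothing external can flip it,
    // so operators cannot stop the contract during an incident.
    bool internal _paused;

    function _pause() internal {
        _paused = true;
    }
}

// Hardened form of the same contract.
contract HardenedVault {
    address public immutable owner;
    bool public paused;
    mapping(address => bool) public allowedTarget;  // explicit allowlist of callable targets
    mapping(address => bool) public isTrackedToken; // tokens users approve to this contract

    event Paused(address indexed by);
    event Unpaused(address indexed by);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    // Hardening 1: targets come from an explicit allowlist, and any token that users
    // have approved to this contract is never a valid target for a caller-chosen call.
    function execute(address target, bytes calldata data)
        external
        whenNotPaused
        returns (bytes memory)
    {
        require(allowedTarget[target], "target not allowed");
        require(!isTrackedToken[target], "cannot call a token contract");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function setTrackedToken(address token, bool tracked) external onlyOwner {
        isTrackedToken[token] = tracked;
    }

    // Hardening 2: the pause switch is reachable from outside by an authorised account,
    // so an incident response can actually stop execute() while approvals are revoked.
    function pause() external onlyOwner {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyOwner {
        paused = false;
        emit Unpaused(msg.sender);
    }
}
```

A review checklist that follows from this: for every `call`/`delegatecall` whose target or calldata is caller-controlled, list every token the contract is an approved spender of and confirm none of them is reachable; and for every `_pause()`-style internal function, confirm an external, access-controlled wrapper exists and is covered by a test.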
The "EVM from scratch" book: https://evm-from-scratch.xyz/intro.html
ZK proofs ELI5. A fun way to understand circuits and even play with them directly in your browser: eli5.zksync.io
@EthSecurity1
Why TWAP oracles are unsuitable for the vast majority of DeFi use cases https://smartcontentpublication.medium.com/twap-oracles-vs-chainlink-price-feeds-a-comparative-analysis-8155a3483cbd @EthSecurity1
Medium
TWAP Oracles vs. Chainlink Price Feeds: A Comparative Analysis
The announcement of Uniswap V3 has given rise to various questions regarding how Uniswap's Time Weighted Average Price (TWAP) oracles…
Some smart contract red flags:
- out of scope vulnerability
- more comments than code
- require(msg.sender == tx.origin);
- Lot of typos => Lot of Criticals
- It's a minimal proxy but deployed straight from the command line with injected state.
- Over complicated
- Most of it being admin restricted
- Uniswap v2 with 0 min amount
- NO Test
- safeMath & Division
You can add too. @EthSecurity1
WOOFi
got taken for a $8.5 Million ride, after a flash loan attack on Arbitrum.
The attacker exploited WooFi's novel oracle design and low liquidity.
https://rekt.news/woo-rekt/ @EthSecurity1
rekt
Rekt - Woofi - Rekt
DeFi / Crypto - WooFi got taken for a $8.5 Million ride on March 5th, after a flash loan attack on Arbitrum.
Happy Nowruz and new year 2583 Achaemenid
To all Kurdish and Persians
Munchables keys on Blast were compromised. $62M lost, but Blast controls the bridge. Attacker address: https://blastscan.io/address/0x6e8836f050a315611208a5cd7e228701563d09c5 @EthSecurity1
Blast Mainnet Network Explorer
Munchables Exploiter | Address: 0x6e8836f0...1563d09c5 | Blastscan
Address (EOA) | Balance: $1.19 across 1 Chain | Transactions: 20 | As at Nov-29-2025 10:24:00 AM (UTC)
Forwarded from Vladimir S. | Officer's Channel (officercia)
unizen_io, a crypto exchange and trading platform, experienced a security breach on March 8 that resulted in the loss of more than $2.1 million.
The attack technique involved authorizing a trading aggregator running on the Ethereum ( $ETH ) blockchain network. The hacker exploited an open external challenge vulnerability in the contract.
Detailed analysis: https://x.com/amlbothq/status/1770102963521867916
#offtopic #security #investigations
X (formerly Twitter)
AMLBot (@AMLBotHQ) on X
Detailed visualization:
https://t.co/5wzgFYBymE
1) Understanding Rug Pulls: An In-Depth Behavioral Analysis of Fraudulent NFT Creators
2) Another Solidity Attack Vectors https://github.com/Quillhash/Solidity-Attack-Vectors
@EthSecurity1
arXiv.org
Understanding Rug Pulls: An In-Depth Behavioral Analysis of...
The explosive growth of non-fungible tokens (NFTs) on Web3 has created a new frontier for digital art and collectibles, but also an emerging space for fraudulent activities. This study provides an...
Prisma Hack post-mortem https://hackmd.io/@PrismaRisk/PostMortem0328 @EthSecurity
A 5y/o Explanation of Ethereum Validation https://mirror.xyz/0xffE49cEe81e8CCa632C000588278eD9c3FeFf205/J0z2S06q7DdFYE6X9TXqjTKCEOBIfbSQSr-olXJbXD8
List of EigenLayer risks https://x.com/hanni_abu/status/1742976353660531177?s=20
Emerging web3 attack vector: Restake Farming https://x.com/blockaid_/status/1752847514393522260?s=20
@EthSecurity1
Market Manipulation vs. Oracle Exploits
https://chain.link/education-hub/market-manipulation-vs-oracle-exploits
Chainlink Oracle DeFi Attacks https://medium.com/cyfrin/chainlink-oracle-defi-attacks-93b6cb6541bf
@Ethsecurity1
chain.link
Market Manipulation vs. Oracle Exploits | Chainlink
Oracles enrich dApps by providing them with access to off-chain data, but they must be implemented correctly to avoid exploitation.
EIP 3074 approved to go live on next Ethereum Hard fork. EIP Details: https://eips.ethereum.org/EIPS/eip-3074
it has some pitfalls for now:
-malicious invokers could steal funds
-ether in EOAs cannot be spent
-self-sponsoring breaks a weak form of flash-loan protection
-invokers can make upgrading Ethereum more challenging
@EthSecurity1
Ethereum Improvement Proposals
EIP-3074: AUTH and AUTHCALL opcodes
Allow externally owned accounts to delegate control to a contract.
EthSecurity
EIP 3074 approved to go live on next Ethereum Hard fork. EIP Details: https://eips.ethereum.org/EIPS/eip-3074 it has some pitfalls for now: …
For more details on EIP 4337 vs EIP 3074 check this: https://docs.google.com/presentation/d/1dHE09UCv9YhmbOZ1OGdN9RXi2dwBbeT80M8waVjbjdg/edit#slide=id.g1f519d8aa46_0_432 @EthSecurity1
Google Docs
Demistifying account abstraction ERCs
Demystifying account abstraction All the ERCs, EIPs, RIPs, etc. Ivo Georgiev, @Ivshti on X/Farcaster
-Chainge Finance hack due to insufficient validation, $150k
-Curio DeFi hack post-mortem, $40M https://www.halborn.com/blog/post/explained-the-curio-hack-march-2024 @EthSecurity1
Zellic found a critical vulnerability in Gains Network forks
https://x.com/zellic_io/status/1781389554764886289?s=61
@EthSecurity1
Exploiting precision loss via fuzz testing
https://dacian.me/exploiting-precision-loss-via-fuzz-testing
A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.
https://github.com/HolyBugx/HolyTips
Immunefi writeups list
https://github.com/sayan011/Immunefi-bug-bounty-writeups-list
@EthSecurity1
in your storage
Exploiting Precision Loss via Fuzz Testing
Fuzz testing is an invaluable tool for finding & maximizing precision loss vulnerabilities.
Hedgey Finance hacked, post-mortem: $44M. Consider that Consensys audited it earlier. https://blog.cube3.ai/2024/04/19/hedgey-finance-hack-flashloan-cube3-postmortem-report/ @EthSecurity1
CUBE3.AI
$48M Hedgey Finance Hack Detected by CUBE3.AI Minutes Before Exploit
CUBE3 detected the attack 5 minutes before the first $1.3M transaction exploit. Our Research Team provides technical vulnerability insights.