Seneca Protocol has a critical approval exploit (open external call). $6m+ lost so far across eth/arb ADDRESSES TO REVOKE: 0xbc83f2711d0749d7454e4a9d53d8594df0377c05 (MAINNET)

0x2d99e1116e73110b88c468189aa6af8bb4675ec9 (ARBITRUM)

NOTE: contract was pausable but written in internal functions there is no way to call them.
@EthSecurity1

the "EVM from scratch" book. https://evm-from-scratch.xyz/intro.html ZK proofs ELI5. A fun way to understand circuits and even play with them directly in your browser. eli5.zksync.io @EthSecurity1

why TWAP oracle is unsuitable for the vast majority of DeFi use case https://smartcontentpublication.medium.com/twap-oracles-vs-chainlink-price-feeds-a-comparative-analysis-8155a3483cbd @EthSecurity1

some smartcontract Red Flags: -out of scope vulnerability -more comments than code -require(msg.sender == tx.origin); -Lot of typos => Lot of Criticals -It’s a minimal proxy but deployed straight from the command line with injected state. -Over complicated -Most of it being admin restricted -Uniswap v2 with 0 min amount -NO Test -safeMath & Division you can add too @EthSecurity1

WOOFi
got taken for a $8.5 Million ride, after a flash loan attack on Arbitrum.
The attacker exploited Woofi’s novel oracle design and low liquidity.

https://rekt.news/woo-rekt/ @EthSecurity1

Happy noroz and new year 2583 achaemenid
To all kurdish and persians

SSS Hacked on Blast. a kid wrote it. @EthSecurity1

Munchables keys on Blast was compromised. 62 m$ lost but Blast controls the bridge. attacker address : https://blastscan.io/address/0x6e8836f050a315611208a5cd7e228701563d09c5 @EthSecurity1

🔓☁️ unizen_io, a crypto exchange and trading platform, experienced a security breach on March 8 that resulted in the loss of more than $2.1 million.

The attack technique involved authorizing a trading aggregator running on the Ethereum ( $ETH ) blockchain network. The hacker exploited an open external challenge vulnerability in the contract.

Detailed analysis: https://x.com/amlbothq/status/1770102963521867916

#offtopic #security #investigations

1)Understanding Rug Pulls: An In-Depth Behavioral Analysis of Fraudulent NFT Creators 2)Another Solidity Attack Vectors https://github.com/Quillhash/Solidity-Attack-Vectors @EthSecurity1

Prisma Hack post-mortem https://hackmd.io/@PrismaRisk/PostMortem0328 @EthSecurity

A 5y/o Explanation of Ethereum Validation https://mirror.xyz/0xffE49cEe81e8CCa632C000588278eD9c3FeFf205/J0z2S06q7DdFYE6X9TXqjTKCEOBIfbSQSr-olXJbXD8 List of eigenlayer Risks https://x.com/hanni_abu/status/1742976353660531177?s=20 Emerging web3 attack vector: Restake Farming https://x.com/blockaid_/status/1752847514393522260?s=20 @EthSecurity1

Market Manipulation vs. Oracle Exploits
https://chain.link/education-hub/market-manipulation-vs-oracle-exploits Chainlink Oracle DeFi Attacks https://medium.com/cyfrin/chainlink-oracle-defi-attacks-93b6cb6541bf @Ethsecurity1

EIP 3074 approved to go live on next Ethereum Hard fork. EIP Details: https://eips.ethereum.org/EIPS/eip-3074
it has some pitfalls for now:
-malicious invokers could steal funds
-ether in EOAs cannot be spent
-self-sponsoring breaks a weak form of flash-loan protection -invokers can make upgrading ethereum more challenging @EthSecurity1

for more datails EIP 4337 VS EIP 3074 check this https://docs.google.com/presentation/d/1dHE09UCv9YhmbOZ1OGdN9RXi2dwBbeT80M8waVjbjdg/edit#slide=id.g1f519d8aa46_0_432 @EthSecurity1

-Chainge finance Hack for insufficient validation 150 k $

-Curio Defi Hack post-mortem 40 m $ https://www.halborn.com/blog/post/explained-the-curio-hack-march-2024 @EthSecurity1

Zelic found critical vulnerability in Gains network forks

https://x.com/zellic_io/status/1781389554764886289?s=61
@EthSecurity1

Exploiting precision loss vai fuzz testing

https://dacian.me/exploiting-precision-loss-via-fuzz-testing

A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.

https://github.com/HolyBugx/HolyTips

Immunefi writeups list

https://github.com/sayan011/Immunefi-bug-bounty-writeups-list
@EthSecurity1

Hedgey finance Hacked Post-mortem 44 m $ consider consensys Audited it Earlier https://blog.cube3.ai/2024/04/19/hedgey-finance-hack-flashloan-cube3-postmortem-report/ @EthSecurity1

2 critical vulnerabilities found in fraud proof https://medium.com/offchainlabs/security-disclosure-289a4ad50709 @EthSecurity1

Deploy scripts are now in scope for smart contract audits https://medium.com/cyfrin/deploy-scripts-are-now-in-scope-for-smart-contract-audits-7fbb95788ce7 What is zk audit? https://www.zellic.io/blog/what-is-a-zk-audit/ Astar Critical Vulnerability https://www.zellic.io/blog/finding-a-critical-vulnerability-in-astar/ @ETHSecurity1