DefiPlaza hacked for $200K. The original attack was front-run by an MEV bot. Root cause was a miscalculation in OutputAmount. @EthSecurity1
Forwarded from pcaversaccio
Please don't interact with the Compound Finance website for now. It seems to be hijacked.
Standard abstract contracts written by 0x52 https://github.com/IAm0x52/AuditNoteSharing/tree/main
An alias bug in Circom (or any ZK circuit language)
https://www.rareskills.io/post/circom-aliascheck
@EthSecurity1
Minterest hacked, $1.4M loss.
Attackers can lend tokens inside flashloan callbacks and then redeem more tokens after the flashloan.
https://mantlescan.xyz/tx/0xb3c4c313a8d3e2843c9e6e313b199d7339211cdc70c2eca9f4d88b1e155fd6bd
@EthSecurity1
Post the @krakenfx breach, have detected similar activity on @base, @BNBCHAIN, @Optimism, @arbitrum, @avax, @LineaBuild and @0xPolygon trying to target @okx, @BingXOfficial, @gate_io, and @binance and others and some unknown addresses. Here is poc: http…
Daniel Von Fange (@danielvf) on X
I call it a "two parser bug".
Two different implementations tracking the same input, and parsing differences cause diverging behavior from different parts of a system. Here are two recent examples used in hacks, and how to avoid them.
1/5
Please revoke approval to 0x1231deb6f5749ef6ce6943a275a1d3e7486f4eae (LI.FI: LiFi Diamond) ASAP!
@EthSecurity1
Seems Jumper Exchange was hacked.
https://x.com/jumperexchange/status/1813196813333094526?s=46
@EthSecurity1
A critical vulnerability in the Raydium protocol was identified and reported by a whitehat. A bounty of $505,000 was paid. https://medium.com/immunefi/raydium-tick-manipulation-bugfix-review-c6aae4527ed6 @EthSecurity1
WazirX hacked, $290 million loss.
Hacker holds $92 million in SHIB.
https://etherscan.io/address/0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4#tokentxns
@Ethsecurity1
a is a uint8, and 16777215 is a constant of type uint24, as uint24 is the smallest type that can fit this value. When these are added together, the Solidity compiler implicitly casts a to uint24, thus performing uint24 + uint24. The cast happens regardless of the declared type of the output, as that cast will occur *after* the addition operation. @EthSecurity1 #overflow
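A constructed Solidity contract illustrating the widening described above (added here, not from the original post): the constant is declared as uint24, the uint8 operand is widened to uint24 before the addition, and the uint256 return type only applies after the uint24 arithmetic has already run. The contract name, function names and the `MAX_UINT24` constant are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: 16777215 is 0xFFFFFF, the largest value a uint24 can
// hold, so it is declared as a uint24 constant.
contract ImplicitWidening {
    uint24 public constant MAX_UINT24 = 16777215;

    // `a` is widened to uint24 before the addition, so the sum is computed as
    // uint24 + uint24. Declaring the return type as uint256 does not help: the
    // widening to uint256 happens only after the uint24 addition has completed.
    // With checked arithmetic (0.8+), any a > 0 overflows uint24 and reverts
    // with an arithmetic panic.
    function addChecked(uint8 a) external pure returns (uint256) {
        return a + MAX_UINT24;
    }

    // Inside an unchecked block the same expression silently wraps modulo
    // 2^24 instead of reverting, which is how a miscalculated amount slips
    // into downstream accounting.
    function addUnchecked(uint8 a) external pure returns (uint256) {
        unchecked {
            return a + MAX_UINT24;
        }
    }

    // Mitigation: widen an operand explicitly so the addition itself runs in
    // uint256; the uint24 constant is then converted to uint256 before adding.
    function addFixed(uint8 a) external pure returns (uint256) {
        return uint256(a) + MAX_UINT24;
    }
}
```

Compiling and calling `addChecked(1)` versus `addFixed(1)` makes the difference visible: the first reverts, the second returns the mathematically expected sum.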
After a protocol exploit on Scroll, they halted the chain. Do not hold your assets on L2; they can steal your funds. @EthSecurity1
Singapore court ruling fans suspicions the $125m Multichain hack was an inside job @EthSecurity1
Top 5 Security Vulnerabilities Cosmos Developers Need to Watch Out For
https://www.halborn.com/blog/post/top-5-security-vulnerabilities-cosmos-developers-need-to-watch-out-for
Beacon proxy explained
https://www.rareskills.io/post/beacon-proxy
Storage slots in solidity:
https://www.rareskills.io/post/evm-solidity-storage-layout
@EthSecurity1
Alchemix bounty boost results
https://github.com/immunefi-team/Bounty_Boosts/tree/main/Alchemix
Understanding voting escrows
https://x.com/deadrosesxyz/status/1752639255090798947?s=61
@EthSecurity1
Spectra was hacked, $550K loss
The root cause is an arbitrary call in their router contract. @EthSecurity1
Full of sad stories
http://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md
@EthSecurity1
NFT attack vectors
https://0xvolodya.hashnode.dev/nft-attacks?https://0xvolodya.hashnode.dev/nft-attacks?1687205930
Web3 Wallet Security Audit checklist
https://slowmist.medium.com/slowmist-web3-wallet-security-audit-upgrade-657c2486d811
@EthSecurity1
Lowest-paying findings on Code4rena, Sherlock
https://0xvolodya.hashnode.dev/lowest-paying-findings-on-code4rena-sherlock
Mempool Masterclass - Mempool Monitoring
https://www.youtube.com/watch?v=TQqCCuh7x_E
@EthSecurity1