disclosing a significant bug, which could potentially jeopardize the entire project, involving $60 million in funds. For more details, visit: https://x.com/AstraSecAI/status/1820633823195148467. Learn more here: https://dashboard.hackenproof.com/reports/DPSC-62 @EthSecurity1
AstraSec (@AstraSecAI) on X
We're thrilled to announce that we received a bug bounty from @DeltaPrimeDefi on @HackenProof ! On July 24th, we discovered a critical vulnerability that could have let a malicious actor take control of the project owner's account and potentially drain around…
Seems the Ronin bridge was hacked again; MEV bots front-ran it for 4000 ETH. @EthSecurity1
Root cause: submit some signatures
Oh! you have 4000 ether https://app.blocksec.com/explorer/tx/eth/0x2619570088683e6cc3a38d93c3d98899e5783864e15525d5f5810c11189ba6cb?line=15&debugLine=15
@EthSecurity1
iVest Finance hacked for $172k. Attack TX: https://bscscan.com/tx/0x12f27e81e54684146ec50973ea94881c535887c2e2f30911b3402a55d67d121d
@EthSecurity1
Aave v3.1.0 audit (3 low-severity findings) https://github.com/mixbytes/audits_public/blob/master/AAVE/Aave%20v%203.1.0/README.md
@Ethsecurity1
Vow Protocol hacked for $1.2M. Seems the admin private key leaked and the hacker changed usdRate to mint $vusd. @EthSecurity1
- Smart Contract Migration: Security Analysis and Recommendations from Ethereum to Arbitrum
- Shared Vulnerabilities Between ERC-4626 Vaults and Vault-Like Contracts
@EthSecurity1
arXiv.org
Security Analysis of Smart Contract Migration from Ethereum to Arbitrum
When migrating smart contracts from one blockchain platform to another, there are potential security risks. This is because different blockchain platforms have different environments and...
A victim was drained for 55.4M DAI
Transaction hash
0xf70042bf3ae7c22f0680f8afa078c38989ed475dfbe5c8d8f30a50d4d2f45dc4
Theft address
0x5D4b2A02c59197eB2cAe95A6Df9fE27af60459d4 @EthSecurity1
"...arrest of a 29-year-old Russian national in Buenos Aires, Argentina. This case is connected to the Harmony Bridge hack, a massive cyber heist carried out by North Korean hackers in June 2022, resulting in the theft of $100 million in cryptocurrencies..." https://www-lanacion-com-ar.translate.goog/seguridad/investigacion-del-fbi-la-ruta-de-una-ciberestafa-de-norcoreanos-que-termino-en-el-departamento-de-un-nid21082024/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
@Ethsecurity1
LA NACION
FBI investigation. The route of a North Korean cyber-scam that ended in a Russian's apartment in Palermo
The 29-year-old suspect was charged with money laundering, aggravated by habituality and possibly by having done it as a member of a gang
- Theft of collateral tokens with fewer than 18 decimals
- The Vulnerable Nature of Decentralized Governance in DeFi
@EthSecurity1
GitHub
Theft of collateral tokens with fewer than 18 decimals · Issue #1028 · Cyfrin/2023-07-foundry-defi-stablecoin
Theft of collateral tokens with fewer than 18 decimals Severity High Risk Relevant GitHub Links 2023-07-foundry-defi-stablecoin/src/DSCEngine.sol Line 347 in d1c5501 return (usdAmountInWei * PRECIS...
If I want to consider a bad situation: maybe the Telegram team decides to erase the databases
Please follow my x account
https://x.com/ethsecurity
@EthSecurity1
A periphery contract of Aave was hacked due to an arbitrary call/logic error.
Loss ~ $30k
@EthSecurity1
https://x.com/PLS2Eio
The claim() function does not check for duplicate tokens when distributing rewards.
Loss ~ $4k
Exploit: https://bscscan.com/address/0x15d72bf2c7e3f6573f84ae82eef58809fd34dabc
Exploit tx: https://app.blocksec.com/explorer/tx/bsc/0xa04b660dd280f1f32461a8c550b9ee7e2912c11ff6cdd7d17be9cb9bee3f4e41
Audited by CertiK
@EthSecurity1
Pythia staking contract was drained in suspicious claimRewards() calls by
eth:0xd861e6F1760d014D6EE6428cF7F7d732563c74c0
The profit was swapped for 21 ETH (~$53K) and has been deposited into Tornado Cash. @ethsecurity1
Forwarded from zilayo
Rough overview ignoring the flashloan stuff. Have barely looked at penpie/pendle contracts previously so a lot of context is missing.
Step 1:
> Create a YT/PT yield contract where the underlying asset is an attacker-controlled contract
> Create a new Pendle market with the PT
> Mint a bunch of PT - the PT uses the underlying (attacker contract) for balance/exchange-rate logic
> Mint a bunch of YT
> Transfer the PT to the Pendle market
> Mint LP via the Pendle market. Again, this uses the attacker contract for rewards logic.
> Deposit the LP into Penpie
Step 2:
> Batch harvest Penpie rewards. This uses the attacker's contract for reward logic.
> Penpie calls claimRewards on the attacker contract, which hands over control mid-execution.
> During the re-entrancy, the attacker contract adds a bunch of single-sided Pendle liquidity using legit PT tokens + deposits the LPs into Penpie
> Penpie grants approval on a bunch of legit LP tokens to a second attacker contract and then calls this attacker contract to queueNewRewards. During the re-entrancy, the attacker transfers the previously approved LPs from the Penpie staking contract -> attacker contract 2.
> The attacker then calls MasterPenpie to multiclaim rewards. Again this uses the attacker's second contract for reward logic and hands over control mid-execution. The attacker transfers LPs from contract 2 -> contract 1 during this step.
> The attacker withdraws the legit LPs from Penpie and removes single-sided Pendle liquidity for them. At this stage, they receive more of the underlying than was originally used to create the LPs.