EthSecurity
Vow protocol hacked for $1.2M. It seems the admin private key has leaked and the hacker changed usdRate to mint $vusd. @EthSecurity1
A victim was drained for 55.4M DAI.

Transaction hash: 0xf70042bf3ae7c22f0680f8afa078c38989ed475dfbe5c8d8f30a50d4d2f45dc4

Theft address: 0x5D4b2A02c59197eB2cAe95A6Df9fE27af60459d4 @EthSecurity1
If I want to consider a bad situation, maybe the Telegram team will decide to erase databases.
Please follow my X account

https://x.com/ethsecurity
@EthSecurity1
A periphery contract of AAVE was hacked due to an arbitrary call/logic error.
Loss ~$30k
@EthSecurity1
The Pythia staking contract was drained in suspicious claimRewards() calls by
eth:0xd861e6F1760d014D6EE6428cF7F7d732563c74c0
The profit was swapped for 21 ETH (~$53K) and has been deposited to Tornado Cash. @ethsecurity1
The $27M Penpiexyz exploit @EthSecurity1
Forwarded from zilayo
Rough overview ignoring the flashloan stuff. Have barely looked at penpie/pendle contracts previously so a lot of context is missing.

Step 1:
> create YT/PT yield contract where the underlying asset is attacker controlled contract
> Create new pendle market with the PT
> Mint a bunch of PT - PT uses the underlying (attacker contract) for balance/exchange rate logic
> Mint a bunch of YT
> Transfer PT to pendle market
> Mint LP via the pendle market. Again, uses the attacker contract for rewards logic.
> Deposit LP into penpie

Step 2:
> Batch harvest penpie rewards. This uses the attacker's contract for reward logic.
> Penpie calls claimRewards on the attacker contract which hands over control mid execution
> During the re-entrancy, attacker contract adds a bunch of single sided pendle liquidity using legit PT tokens + deposits LPs into penpie
> Penpie grants approval on a bunch of legit LP tokens to a second attacker contract and then calls this attacker contract to queueNewRewards. During the reentrancy, the attacker transfers previously approved LPs from the penpie staking contract -> attacker contract 2.
> Attacker then calls MasterPenpie to multiclaim rewards. Again this uses the attacker's second contract for reward logic and hands over control mid execution. Attacker transfers LPs from contract 2 -> contract 1 during this step.
> Attacker withdraws legit LPs from penpie and removes single sided pendle liquidity for them. At this stage, they receive more of the underlying than was originally used to create the LPs.
Solidity signature verification checklist:
- Check if the returned public key matches the expected public key.
- Check if the signature has not already been used (use a nonce).
- Check if the signature is intended for the specific blockchain you are executing the smart contract on. This can be checked using the chainId (relevant only for contracts deployed on multiple EVM chains).
- Check if the signature is used by the right person (if not everyone should be able to use it).
- Check if the deadline has not expired (if the signature is not needed to work forever).
Here is a good article that teaches about signatures: https://medium.com/coinmonks/ethereum-signatures-for-hackers-and-auditors-101-4da766cd6344 @EthSecurity1
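As an added example that is not from the channel post, a permit-style claim function that applies each item of the checklist (expected signer, nonce, chainId bound through an EIP-712 domain separator, caller bound into the digest, deadline); the contract name `Vault`, the `Claim` struct and its fields are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not from the post): an off-chain signer authorises
/// a recipient to claim `amount` once, before `deadline`, on this chain only.
contract Vault {
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)");
    bytes32 private constant CLAIM_TYPEHASH =
        keccak256("Claim(address recipient,uint256 amount,uint256 nonce,uint256 deadline)");

    address public immutable signer;           // expected public key, as an address
    mapping(address => uint256) public nonces; // replay protection, per recipient
    mapping(address => uint256) public balances;

    constructor(address trustedSigner) {
        signer = trustedSigner;
    }

    // Computed per call so it follows block.chainid even after a chain fork;
    // caching it in the constructor would keep the pre-fork chainId.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256("Vault"), block.chainid, address(this)));
    }

    function claim(uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        // Deadline: signatures are not valid forever.
        require(block.timestamp <= deadline, "signature expired");
        // Nonce: consumed before any state change, so a replay hashes to a different digest.
        uint256 nonce = nonces[msg.sender]++;
        // Right person + right chain + right contract: msg.sender is part of the signed
        // struct, chainId and address(this) are part of the domain separator.
        bytes32 structHash = keccak256(abi.encode(CLAIM_TYPEHASH, msg.sender, amount, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        // Reject the high-s half of the curve (EIP-2) so one signature has only one valid encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        // Expected public key: ecrecover returns address(0) on failure, which must never match.
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        balances[msg.sender] += amount;
    }
}
```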
- On September 4th, 2024, (CUT token) was exploited and lost ~$1.4 million.

To learn more about the incident, read full analysis here 👇 https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis
- On September 11th, 2024, the exploiter transferred various asset tokens (~$20M) from several hot Indodax wallet addresses.

eth/pol: 0x3C02290922a3618A4646E3BbCa65853eA45FE7C6
tron: TWe5pEnPDetzxgJS4uN26VFg15wWtdcTXc
btc: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d

@EthSecurity1
The L2 DAI deployer for DAI vanity addresses has been compromised, as it was generated by the vulnerable Profanity tool. All networks other than Optimism and Arbitrum are at risk, as the attacker can create honeypots with the same address. - 𝕏/@godsflaw
Delta Prime @DeltaPrimeDefi admin private key leaked. All pools are drained. $11M loss already. Withdraw ASAP!

Details of the hack:

A hacker gained control of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb, which is the admin of the proxies. Then, the hacker upgraded the proxies to point to the malicious contract 0xD4CA224a176A59ed1a346FA86C3e921e01659E73.

This malicious contract can inflate the hacker's deposited amount on all pools.
@EthSecurity1
We passed 4000 subscribers
Thanks mates