Solidity signature verification checklist : - Check if the returned public key matches expected public key.
- Check if the Signature has not already been used (use nonce) - Check if the signature is intended for the specific blockchain you are executing the smart contract on. This can be checked using the chainId (Relevant only for contracts deployed on multiple EVM chains) - Check if the Signature is used from the right person (if not everyone should be able to use it)
- Check if the deadline is not expired (if it is not needed that the signature is working forever)
Here is a good article that teaches about signatures: https://medium.com/coinmonks/ethereum-signatures-for-hackers-and-auditors-101-4da766cd6344 @EthSecurity1
- Check if the Signature has not already been used (use nonce) - Check if the signature is intended for the specific blockchain you are executing the smart contract on. This can be checked using the chainId (Relevant only for contracts deployed on multiple EVM chains) - Check if the Signature is used from the right person (if not everyone should be able to use it)
- Check if the deadline is not expired (if it is not needed that the signature is working forever)
Here is a good article that teaches about signatures: https://medium.com/coinmonks/ethereum-signatures-for-hackers-and-auditors-101-4da766cd6344 @EthSecurity1
Medium
Ethereum signatures for hackers and auditors 101
In real world you can sign documents using your personal signature, which is assumed to be unique and proves that you support, acknowledge…
🔥6⚡2👏1
- On September 4th, 2024, (CUT token) was exploited and lost ~$1.4 million.
To learn more about the incident, read full analysis here 👇 https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis
- On September 11th, 2024,
The exploiter transferred various asset tokens (~$20M) from several hot indodax wallet addresses.
eth/pol: 0x3C02290922a3618A4646E3BbCa65853eA45FE7C6
tron: TWe5pEnPDetzxgJS4uN26VFg15wWtdcTXc
btc: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d
@EthSecurity1
To learn more about the incident, read full analysis here 👇 https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis
- On September 11th, 2024,
The exploiter transferred various asset tokens (~$20M) from several hot indodax wallet addresses.
eth/pol: 0x3C02290922a3618A4646E3BbCa65853eA45FE7C6
tron: TWe5pEnPDetzxgJS4uN26VFg15wWtdcTXc
btc: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d
@EthSecurity1
Certik
CUT Token Incident Analysis - CertiK
On 10th September, 2024, Caterpillar Coin ($CUT token) suffered a flashloan attack resulting in a loss of ~$1.4M and causing a 99% slippage on the token. The attack exploited vulnerabilities in the ‘price protection mechanisms’, which led to the manipulation…
👍2
The L2 DAI deployer for DAI vanity addresses has been compromised, as it was generated by the vulnerable Profanity tool. All networks other than Optimism and Arbitrum are at risk, as the attacker can create honeypots with the same address. - 𝕏/@godsflaw
Delta Prime @DeltaPrimeDefi admin private key leaked. All pools are drained. $11M loss already. Withdraw ASAP!
Details of the hack:
A hacker gained control of 0xx40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb, which is the admin of proxies. Then, the hacker upgraded the proxies to point to malicious contract 0xD4CA224a176A59ed1a346FA86C3e921e01659E73.
This malicious contract can inflate the deposited amount of the hacker on all pools.
@EthSecurity1
Details of the hack:
A hacker gained control of 0xx40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb, which is the admin of proxies. Then, the hacker upgraded the proxies to point to malicious contract 0xD4CA224a176A59ed1a346FA86C3e921e01659E73.
This malicious contract can inflate the deposited amount of the hacker on all pools.
@EthSecurity1
🔥6
Basebrosfi rugged users
https://cointelegraph.com/news/basebros-fi-defi-rug-pull-smart-contract-base
@EthSecurity1
https://cointelegraph.com/news/basebros-fi-defi-rug-pull-smart-contract-base
@EthSecurity1
Cointelegraph
Base DeFi project disappears after rug pull
BaseBros Fi, a DeFi protocol on Base blockchain, vanishes after orchestrating a rug pull via an unaudited smart contract, stealing $130,000 of user funds.
🔥4😱1
seems Ethena frontend compromised. Please stay away and do not interact with it
@EthSecurity1
@EthSecurity1
🔥3
- This is the fundamental stuff that you will need on your journey as an auditor. - damn-vulnerable-defi-v4-solutions
Public by sunsec
https://github.com/SunWeb3Sec/damn-vulnerable-defi-v4-solutions @EthSecurity1
Public by sunsec
https://github.com/SunWeb3Sec/damn-vulnerable-defi-v4-solutions @EthSecurity1
❤2🤩2
Banana Gun user wallets have been compromised and drained
@EthSecurity1
@EthSecurity1
🤯4🔥1😢1
-The Hidden Risks of Hash Functions: Length Extension -- Attacks and Server-Side Security Vulnerabilities - Exploring Risks of On-Chain Options Exchanges: Part 1,2 @EthSecurity1
Medium
The Hidden Risks of Hash Functions: Length Extension Attacks and Server-Side Security…
Introduction
🔥5
CharismaBtc hack post-mortem
183k $stx loss https://exvul.com/a-new-attack-on-bitcoin-defi/
@EthSecurity1
183k $stx loss https://exvul.com/a-new-attack-on-bitcoin-defi/
@EthSecurity1
EXVUL
A new attack on bitcoin defi protocol
(CharismaBTC hack incident analysis) 1.BACKGORUND This […]
Binance data leak https://twitter.com/PabloSabbatella/status/1838238994091413994
🔥2😱1
this is old but interesting, if users in berachain blockchain send msg.value less than the amount they set, the MultiSwap contract (the router) will use BERA tokens it holds, which are small and isolated from the pools’ assets. https://x.com/dvzhangtz/status/1815771395328225361 this was patched by a white hat @EthSecurity
X (formerly Twitter)
Frank-Zhang.eth (@dvzhangtz) on X
🚨 Urgent Security Alert for @Berachain 🚨
A critical security vulnerability in Berachain that could potentially drain all liquidity pools !!!
As a dedicated blockchain developer, I've come across a critical security vulnerability in Berachain that could…
A critical security vulnerability in Berachain that could potentially drain all liquidity pools !!!
As a dedicated blockchain developer, I've come across a critical security vulnerability in Berachain that could…
🔥2
unverified contract lost 140$ k https://nickfranklin.site/2024/09/25/unverified-contract0xff2481-hacked-by-reentrancy-attack/ @EthSecurity1
👍6
*critical* issue on Bedrock protocol.
The issue was exploited some hours later, but damage was contained.
Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains).
Issue: Exploiter could mint 1unibtc with 1ether
BTC has 8 decimals, ETH has 18 decimals. If you send 1 ETH you get many times more than 1 BTC. There's not even price conversion involved, since in reality 1 BTC =~ 30 ETH.
@EthSecurity1
The issue was exploited some hours later, but damage was contained.
Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains).
Issue: Exploiter could mint 1unibtc with 1ether
BTC has 8 decimals, ETH has 18 decimals. If you send 1 ETH you get many times more than 1 BTC. There's not even price conversion involved, since in reality 1 BTC =~ 30 ETH.
@EthSecurity1
👍4
Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR In December of 2023, Zellic's found a bug in NEAR's blockchain node. @EthSecurity1
www.zellic.io
Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR | Zellic — Research
A look into how Zellic identified and helped fix a vulnerability in NEAR Protocol
👍1