Banana Gun user wallets have been compromised and drained
@EthSecurity1
- The Hidden Risks of Hash Functions: Length Extension Attacks and Server-Side Security Vulnerabilities
- Exploring Risks of On-Chain Options Exchanges: Part 1, 2
@EthSecurity1
Medium
The Hidden Risks of Hash Functions: Length Extension Attacks and Server-Side Security…
CharismaBtc hack post-mortem
183k $stx loss https://exvul.com/a-new-attack-on-bitcoin-defi/
@EthSecurity1
EXVUL
A new attack on bitcoin defi protocol
(CharismaBTC hack incident analysis) 1. BACKGROUND This […]
Binance data leak https://twitter.com/PabloSabbatella/status/1838238994091413994
This is old but interesting: if users on the Berachain blockchain send msg.value less than the amount they set, the MultiSwap contract (the router) will use BERA tokens it holds, which are small and isolated from the pools' assets. https://x.com/dvzhangtz/status/1815771395328225361 This was patched by a white hat. @EthSecurity
X (formerly Twitter)
Frank-Zhang.eth (@dvzhangtz) on X
🚨 Urgent Security Alert for @Berachain 🚨
A critical security vulnerability in Berachain that could potentially drain all liquidity pools !!!
As a dedicated blockchain developer, I've come across a critical security vulnerability in Berachain that could…
Unverified contract lost $140k https://nickfranklin.site/2024/09/25/unverified-contract0xff2481-hacked-by-reentrancy-attack/ @EthSecurity1
*critical* issue on Bedrock protocol.
The issue was exploited some hours later, but damage was contained.
Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains).
Issue: Exploiter could mint 1 uniBTC with 1 ether
BTC has 8 decimals, ETH has 18 decimals. If you send 1 ETH you get many times more than 1 BTC. There's not even price conversion involved, since in reality 1 BTC =~ 30 ETH.
@EthSecurity1
Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR. In December of 2023, Zellic found a bug in NEAR's blockchain node. @EthSecurity1
www.zellic.io
Web3 Ping of Death: Finding and Fixing a Chain-Halting Vulnerability in NEAR | Zellic — Research
A look into how Zellic identified and helped fix a vulnerability in NEAR Protocol
https://mirror.xyz/0xF3c0C25090ae1458FC152947Aab57253cB8E0F0F/7dqKrAfS20rr3m_zuCwN80lChYTB0Cniie5IrdiC9ZQ
First, tokens must be registered to be included in the current total balance of native or wrapped BTC tokens. Second, if a token is not registered, the contract returns 0, meaning it cannot be found in the tokenHolders variable. The following figure shows that only FBTC, WBTC, and cbBTC have been registered, while NATIVE_BTC has NOT. On one hand, NATIVE_BTC should NOT be registered in this contract, as it is not intended to be supported. On the other hand, failing to register NATIVE_BTC results in the totalSupply always being ZERO, which contradicts the caps restriction mechanism.
Since the total supply at that time was ZERO instead of reflecting the msg.value received by the contract, the check in the Vault contract passed, allowing the minting of uniBTC using native tokens on non-native BTC chains.
Therefore, on a non-native BTC chain, replacing the balance with the total supply is acceptable for wrapped BTC tokens but problematic for native tokens.
@EthSecurity1
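A constructed model of the two uniBTC minting defects described in the two Bedrock posts above (the 18-vs-8 decimal mismatch, and the cap check reading a totalSupply that stays at zero for the unregistered NATIVE_BTC token), written in Python rather than Solidity so the behaviour can be executed. This is an added illustration, not Bedrock's contract code: the class and function names (VulnerableVault, HardenedVault, register, mint_native, _check_cap), the cap values and the exact shape of the cap check are assumptions; only the registered tokens, the decimals and the "unregistered returns 0" behaviour come from the posts.

```python
# Constructed Python model of the uniBTC minting defects described above; not Bedrock's code.
# Names (VulnerableVault, HardenedVault, register, mint_native, _check_cap) and caps are assumed.

WEI_PER_ETH = 10**18
UNIBTC_DECIMALS = 8                 # BTC-style 8 decimals, as the post states
ONE_UNIBTC = 10**UNIBTC_DECIMALS
NATIVE_BTC = "NATIVE_BTC"           # sentinel for the chain's native coin


class CapExceeded(Exception):
    pass


class Unsupported(Exception):
    pass


def scale_to_unibtc(amount, from_decimals):
    """Convert an amount expressed with `from_decimals` into 8-decimal uniBTC base units."""
    if from_decimals >= UNIBTC_DECIMALS:
        return amount // 10 ** (from_decimals - UNIBTC_DECIMALS)
    return amount * 10 ** (UNIBTC_DECIMALS - from_decimals)


class VulnerableVault:
    """Cap check relies on totalSupply(token); an unregistered token reports 0."""

    def __init__(self, cap_units):
        self.cap = cap_units            # cap in uniBTC base units (assumed: one cap for all tokens)
        self.registered = {}            # token -> decimals (FBTC, WBTC, cbBTC in the post)
        self.token_holders = {}         # token -> uniBTC units minted against it

    def register(self, token, decimals):
        self.registered[token] = decimals
        self.token_holders.setdefault(token, 0)

    def total_supply(self, token):
        # As described in the post: a token not registered in tokenHolders returns 0
        return self.token_holders[token] if token in self.registered else 0

    def _check_cap(self, token, amount):
        if self.total_supply(token) + amount > self.cap:
            raise CapExceeded(token)

    def _mint(self, token, amount):
        self.token_holders[token] = self.token_holders.get(token, 0) + amount
        return amount

    def mint_token(self, token, amount):
        if token not in self.registered:
            raise Unsupported(token)
        units = scale_to_unibtc(amount, self.registered[token])
        self._check_cap(token, units)
        return self._mint(token, units)

    def mint_native(self, msg_value_wei):
        units = msg_value_wei                 # defect 1: 18-decimal wei used as 8-decimal units
        self._check_cap(NATIVE_BTC, units)    # defect 2: NATIVE_BTC unregistered, supply reads 0
        return self._mint(NATIVE_BTC, units)


class HardenedVault(VulnerableVault):
    """Native deposits only where NATIVE_BTC is registered, and always scaled to 8 decimals."""

    def mint_native(self, msg_value_wei):
        if NATIVE_BTC not in self.registered:
            raise Unsupported("native deposits are not supported on this chain")
        units = scale_to_unibtc(msg_value_wei, self.registered[NATIVE_BTC])
        self._check_cap(NATIVE_BTC, units)
        return self._mint(NATIVE_BTC, units)


def unibtc_for_one_ether_unscaled():
    """Whole uniBTC credited for 1 ether when wei is taken as 8-decimal units (defect 1)."""
    v = VulnerableVault(cap_units=10**30)     # constructed: cap high enough not to interfere
    return v.mint_native(WEI_PER_ETH) // ONE_UNIBTC


def unibtc_for_one_native_btc_hardened():
    """On a native-BTC chain (NATIVE_BTC registered with 18 decimals), 1 coin mints 1 uniBTC."""
    v = HardenedVault(cap_units=10 * ONE_UNIBTC)
    v.register(NATIVE_BTC, 18)
    return v.mint_native(WEI_PER_ETH) // ONE_UNIBTC


def cap_enforced_for(vault_cls, token, deposit, rounds):
    """Deposit `rounds` times; report whether the cap bound, the deposit was rejected, or neither."""
    v = vault_cls(cap_units=10 * ONE_UNIBTC)  # constructed cap: 10 uniBTC
    v.register("WBTC", 8)                      # registered as in the post; NATIVE_BTC is not
    try:
        for _ in range(rounds):
            if token == NATIVE_BTC:
                v.mint_native(deposit)         # raw value is what the vulnerable check sees
            else:
                v.mint_token(token, deposit)
    except CapExceeded:
        return "cap"
    except Unsupported:
        return "rejected"
    return "never_capped"
```

With three deposits of 4 uniBTC-units each against a 10 uniBTC cap, the registered WBTC path is stopped on the third deposit, while the same three native deposits never trip the cap in the vulnerable vault because totalSupply(NATIVE_BTC) reads 0 every time; the hardened vault rejects native deposits outright on a chain where NATIVE_BTC is not registered, and on a chain where it is registered with 18 decimals it scales 1 coin to exactly 1 uniBTC.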
- 20 Common Solidity Beginner Mistakes
- Try Catch and all the ways Solidity can revert
@EthSecurity1
rareskills.io
20 Common Solidity Beginner Mistakes | RareSkills
20 Common Solidity Beginner Mistakes Our intent is not to be patronizing towards developers early in their journey with this article. Having reviewed code from numerous Solidity developers, we’ve...
New phishing trick in Microsoft store https://x.com/LehmannLorenz/status/1841545179825942991
@EthSecurity1
"We have developed Web3AuthChecker, a dynamic detection tool that interacts with Web3 authentication-related APIs to identify vulnerabilities.
Our evaluation of real-world Web3 applications shows that a staggering 75.8% (22/29) of Web3 authentication deployments are at risk of blind message attacks." https://arxiv.org/pdf/2406.00523 @EthSecurity1
EigenLayer: In an isolated incident this morning, an email thread involving one investor's transfer of tokens into custody was compromised by a malicious attacker.
As a result, 1,673,645 EIGEN tokens were erroneously transferred to the attacker’s address. The attacker sold these stolen EIGEN tokens via a decentralized swap platform and transferred stablecoins to centralized exchanges. We are in contact with these platforms and law enforcement. A portion of the funds have already been frozen.
The compromise has not impacted the broader ecosystem. There is no known vulnerability in the protocol or token contracts and this compromise was not related to any onchain functionality.
We continue to investigate the situation and will be posting further information once we have it. @EthSecurity1