EthSecurity
*critical* issue on Bedrock protocol. The issue was exploited some hours later, but damage was contained. Vulnerability was in minting uniBTC, a ~$75m asset (on Ethereum alone, plus much more on 8+ other chains). Issue: Exploiter could mint 1unibtc with…
https://mirror.xyz/0xF3c0C25090ae1458FC152947Aab57253cB8E0F0F/7dqKrAfS20rr3m_zuCwN80lChYTB0Cniie5IrdiC9ZQ First, tokens must be registered to be included in the current total balance of native or wrapped BTC tokens. Second, if a token is not registered, the contract returns 0, meaning it cannot be found in the tokenHolders variable. The following figure shows that only FBTC, WBTC, and cbBTC have been registered, while NATIVE_BTC has NOT. On one hand, NATIVE_BTC should NOT be registered in this contract, as it is not intended to be supported. On the other hand, failing to register NATIVE_BTC results in the totalSupply always being ZERO, which contradicts the caps restriction mechanism.
Since the total supply at that time was ZERO instead of reflecting the msg.value received by the contract, the check the Vault contract passed, allowing the minting of uniBTC using native tokens on non-native BTC chains.
Therefore, on a non-native BTC chain, replacing the balance with the total supply is acceptable for wrapped BTC tokens but problematic for native tokens.
@EthSecurity1
Since the total supply at that time was ZERO instead of reflecting the msg.value received by the contract, the check the Vault contract passed, allowing the minting of uniBTC using native tokens on non-native BTC chains.
Therefore, on a non-native BTC chain, replacing the balance with the total supply is acceptable for wrapped BTC tokens but problematic for native tokens.
@EthSecurity1
👍2
- 20 Common Solidity Beginner Mistakes - Try Catch and all the ways Solidity can revert @EthSecurity1
rareskills.io
20 Common Solidity Beginner Mistakes | RareSkills
20 Common Solidity Beginner Mistakes Our intent is not to be patronizing towards developers early in their journey with this article. Having reviewed code from numerous Solidity developers, we’ve...
👍5
New phishing trick in Microsoft store https://x.com/LehmannLorenz/status/1841545179825942991
@EthSecurity1
@EthSecurity1
👍2
"We have developed Web3AuthChecker, a dynamic detection tool that interacts with Web3 authentication-related APIs to identify vulnerabilities.
Our evaluation of real-world Web3 applications shows that a staggering 75.8% (22/29) of Web3 authentication deployments are at risk of blind message attacks." https://arxiv.org/pdf/2406.00523 @EthSecurity1
Our evaluation of real-world Web3 applications shows that a staggering 75.8% (22/29) of Web3 authentication deployments are at risk of blind message attacks." https://arxiv.org/pdf/2406.00523 @EthSecurity1
👍1
eigenlayer : In an isolated incident this morning, an email thread involving one investor’s transfer of tokens into custody was compromised by a malicious attacker.
As a result, 1,673,645 EIGEN tokens were erroneously transferred to the attacker’s address. The attacker sold these stolen EIGEN tokens via a decentralized swap platform and transferred stablecoins to centralized exchanges. We are in contact with these platforms and law enforcement. A portion of the funds have already been frozen.
The compromise has not impacted the broader ecosystem. There is no known vulnerability in the protocol or token contracts and this compromise was not related to any onchain functionality.
We continue to investigate the situation and will be posting further information once we have it. @EthSecurity1
As a result, 1,673,645 EIGEN tokens were erroneously transferred to the attacker’s address. The attacker sold these stolen EIGEN tokens via a decentralized swap platform and transferred stablecoins to centralized exchanges. We are in contact with these platforms and law enforcement. A portion of the funds have already been frozen.
The compromise has not impacted the broader ecosystem. There is no known vulnerability in the protocol or token contracts and this compromise was not related to any onchain functionality.
We continue to investigate the situation and will be posting further information once we have it. @EthSecurity1
👍2
Unverified contract lost $280k due to sandwich attack.There's a function that can be used for swapping WBNB to EGA token in victim contract. This function has no access control, anyone can call this function with only 1 wei. This is vulnerable to
https://app.blocksec.com/explorer/tx/bsc/0xece4a4ac46660618ecee43826fc6f89fe4beaef87ca5e5786f763892b48bc999
https://app.blocksec.com/explorer/tx/bsc/0xece4a4ac46660618ecee43826fc6f89fe4beaef87ca5e5786f763892b48bc999
Blocksec
0xece4a4ac46660618ec | Phalcon Explorer
Security suite for Protocols, Developers, LPs, & Traders - safeguarding your blockchain journey
🔥3
- Retrospecting Arbitrary Position Cancellation Vulnerability in Perpetual Protocol - Upgradeable Smart Contracts (USCs): Exploring The Concept And Security Risks @EthSecurity1
Medium
Retrospecting Arbitrary Position Cancellation Vulnerability in Perpetual Protocol
In July 2022, ChainLight identified and reported a vulnerability caused by lock of authorization in cancelling positions.
An unknown project lost about 85k(about 150 BNB) https://bscscan.com/address/0x3c4e4fbc17a7caa22570e54b57ba42cf053a777a @EthSecurity1
👍1
- Characterizing Cryptocurrency-themed Malicious Browser Extensions. - An Empirical Study of Smart Contract Decompilers
@EthSecurity1
@EthSecurity1
Proceedings of the ACM on Measurement and Analysis of Computing Systems
Characterizing Cryptocurrency-themed Malicious Browser Extensions | Proceedings of the ACM on Measurement and Analysis of Computing…
Due to the surging popularity of various cryptocurrencies in recent years, a large
number of browser extensions have been developed as portals to access relevant services,
such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of…
number of browser extensions have been developed as portals to access relevant services,
such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of…
🔥3
he claimed FBI wallets doxxed https://x.com/jconorgrogan/status/1844121150676218100 @EthSecurity1
realy exited for OZ movement : ) https://x.com/0xCygaar/status/1844188445691822136 @EthSecurity1
fwdETH phishing attack and loss 35 $million https://www.binance.com/en-TR/square/post/2024-10-11-fwdeth-price-plummets-after-35-million-theft-incident-14711617819490 @EthSecurity1
Binance Square
FwDETH Price Plummets After $35 Million Theft Incident
According to BlockBeats, earlier today, the price of fwDETH, a wrapped ETH token on the Blast chain, experienced a significant drop following a theft incident involving $35 million worth of fwDETH. Th
- A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool — part1, Part 2
- OWASP Smart Contract Security
@EthSecurity1
- OWASP Smart Contract Security
@EthSecurity1
Medium
A deep dive into the main components of ERC-4337: Account Abstraction Using Alt Mempool — Part 1
Account abstraction has been a highly desired feature within the Ethereum developer community for years, and it is seen by many as a…
👍3