- SEAL911 crisis handbook - DAO Governance DeFi Attacks @EthSecurity1

$150,000 Evmos Vulnerability Through Reading Documentation
https://medium.com/@jjordanjjordan/150-000-evmos-vulnerability-through-reading-documentation-d26328590a7a [12 hours] Ethereum code line-by-line
https://youtu.be/gPQ-uXj03iQ?feature=shared @EthSecurity1

Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google!

Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!

A small tip to subscribooors: if you find a channel interesting, move it out of the folder into your main list of chats. That way you’ll view content you’re interested in more often, and channels get more views instead of just subscribers!

- Aztec Multiple-Spend Error Bugfix Review - Alchemix Missing Solvency Check Bugfix Review - CurveFinance price anomaly - Defi fork bugs @EthSecurity1

- A detailed write-up Fuel critical vulnerability Immunefi Attackathon, 150 $k paid - An exploration of low-level Solana VM behavior. How to escalate from a powerful memory corruption primitive to full program control. - Foundry tips @EthSecurity1

BGM TOKEN. The reward logic can reduce the token in LP, leading to price inflation when there is limited token in the LP. loss : 500k $ hack trx: https://app.blocksec.com/explorer/tx/bsc/0x8580825008800b9e13266f40b41a838a521e4d0bb4abc1cb78684253b7bc9fd1?line=26&debugLine=26 @EthSecurity1

thala was hacked for 25 m$ but seal911 exposed hacker identity and he accepted 300 k$ bounty. rootcause: https://x.com/moon_shiesty/status/1857886309580157260 @EthSecurity1

seems polterfinance hacked
$polter exploited more than 7 m$ when they added the new $BOO market on fantom blockchain. root cause: The price oracle relies on the SpookySwap V2/V3 pool of BOO token and is easily manipulated through a quick flashloan. @EthSecurity1

CoinPoker hacked for 2 m$. seems custodian service compromised. @EthSecurity1

- solidity Audit challenges - Exploring Finality Risks of Ethereum L2 From a CEX Perspective - Smart Contracts | Tale of Little Bugs @EthSecurity1

DCF token hacked because of wrong transfer logic.

In "transfer" function, if target address is pancake pair, it exchanges 5% of tokens to USDT and adds liquidity to DCT-USDT pancake pair. This can be used for exploit. Hacker borrowed a huge amount of USDT and exchanged them to DCF and DCT. After that he transferred some of DCF to pancake pair. Liquidity added and he exchanged DCT to USDT again, gained 600k more USDT. Also, because of unnecessary burn functionality, pancake pair lost almost all DCF tokens. Developers, be careful when making new transfer logic, it should be audited. https://app.blocksec.com/explorer/tx/bsc/0xb375932951c271606360b6bf4287d080c5601f4f59452b0484ea6c856defd6fd @EthSecurity1

GFT was recently delisted by Binance, and now they're minting over 1 billion tokens and dumping them on exchanges lol
https://bscscan.com/token/0x72ff5742319ef07061836f5c924ac6d72c919080?a=0x0000000000000000000000000000000000000000 @EthSecurity1

Clipper DEX is hacked due to API vulnerability (like private key leak). $500K+ loss and $6.5M at risk right now. Withdraw immediately.

• https://x.com/officer_cia/status/1863108671221157985

#security #alert

- Past Permissions, Present Problems: Analysis of Theft through Authorized Malicious Contracts - Cryptographic Asymmetry and How To Shut Down A Cosmos-Ethereum Bridge - SoK: Security of Cross-chain Bridges: Attack Surfaces, Defenses, and Open Problems @EthSecurity1

Malware in the @solana/web3.js
Seen some similar cases of npm takeover in the past. Be careful💫

https://x.com/anza_xyz/status/1864085236432134264?s=46

Linkedin post

- Permission denied - The story of an EIP that sinned - Beanstalk Insufficient Input Validation Bugfix - What Are Elliptic Curve Pairings @EthSecurity1

Vestra Dao hacked. 73 m $vstr stolen. Root cause: there's no code for remove user staking info, this means anyone who staked some amount can unstake several times. Hacker just called "unStake" several times @EthSecurity1

Users lost millions due to AlpacaFinance
allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" https://rekt.news/false-prophet/ @EthSecurity1

Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google!

Link: t.me/addlist/uesom31GM1I4Yjgy

Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!

A small tip to subscribooors: if you find a channel interesting, move it out of the folder into your main list of chats. That way you’ll view content you’re interested in more often, and channels get more views instead of just subscribers!

#crypto #web3