- Aztec Multiple-Spend Error Bugfix Review - Alchemix Missing Solvency Check Bugfix Review - CurveFinance price anomaly - Defi fork bugs @EthSecurity1
Aztec Multiple-Spend Error Bugfix Review (Medium)
On September 12th, 2023, the security researcher LonelySloth responsibly disclosed a Critical severity vulnerability from the Aztec Network…
- A detailed write-up Fuel critical vulnerability Immunefi Attackathon, 150 $k paid - An exploration of low-level Solana VM behavior. How to escalate from a powerful memory corruption primitive to full program control. - Foundry tips @EthSecurity1
GitHub - minato7namikazi/Fuel-Blockchain-Critical-Vulnerability
A detailed write-up of a solo critical vulnerability discovered during the Immunefi Attackathon, before the mainnet launch - minato7namikazi/Fuel-Blockchain-Critical-Vulnerability
BGM TOKEN. The reward logic can reduce the tokens in the LP, leading to price inflation when there are limited tokens in the LP. Loss: $500k. Hack tx: https://app.blocksec.com/explorer/tx/bsc/0x8580825008800b9e13266f40b41a838a521e4d0bb4abc1cb78684253b7bc9fd1?line=26&debugLine=26 @EthSecurity1
DeltaPrime incident. The exploit was made possible by the lack of input validation when claiming possible rewards. Specifically, the exploiter provided an evil pair in order to change the collateral asset into the reward asset. By doing so, the initial collateral used to borrow funds could be stolen while leaving the debt unpaid.
The exploiter had added liquidity (~$1.3M) to #LFJ (formerly Trader Joe) & farmed $USDC on #Stargate @EthSecurity1
Thala was hacked for $25M, but SEAL911 exposed the hacker's identity and he accepted a $300k bounty. Root cause: https://x.com/moon_shiesty/status/1857886309580157260 @EthSecurity1
moon shiesty (@moonshiesty) on X:
here's a timeline and technical explanation of the @ThalaLabs exploit:
first the exploiter funded their account with 10 APT from bybit
Seems Polter Finance was hacked.
$POLTER was exploited for more than $7M when they added the new $BOO market on the Fantom blockchain. Root cause: the price oracle relies on the SpookySwap V2/V3 pool of the BOO token and is easily manipulated through a quick flashloan. @EthSecurity1
CoinPoker hacked for $2M. Seems the custodian service was compromised. @EthSecurity1
DCF token hacked because of wrong transfer logic.
In the "transfer" function, if the target address is the pancake pair, it exchanges 5% of the tokens to USDT and adds liquidity to the DCT-USDT pancake pair. This can be used for an exploit. The hacker borrowed a huge amount of USDT and exchanged it for DCF and DCT. After that he transferred some DCF to the pancake pair. Liquidity was added and he exchanged DCT to USDT again, gaining 600k more USDT. Also, because of unnecessary burn functionality, the pancake pair lost almost all of its DCF tokens. Developers, be careful when writing new transfer logic; it should be audited. https://app.blocksec.com/explorer/tx/bsc/0xb375932951c271606360b6bf4287d080c5601f4f59452b0484ea6c856defd6fd @EthSecurity1
GFT was recently delisted by Binance, and now they're minting over 1 billion tokens and dumping them on exchanges lol
https://bscscan.com/token/0x72ff5742319ef07061836f5c924ac6d72c919080?a=0x0000000000000000000000000000000000000000 @EthSecurity1
Gifto (GFT) | BEP-20 | Address: 0x72ff5742...72c919080 | BscScan
Forwarded from Vladimir S. | Officer's Channel (Vladimir S. | officercia)
Clipper DEX is hacked due to an API vulnerability (like a private key leak). $500K+ loss and $6.5M at risk right now. Withdraw immediately.
• https://x.com/officer_cia/status/1863108671221157985
#security #alert
Vladimir S. | Officer's Notes (@officer_secret) on X: Clipper Exchange @Clipper_DEX is hacked due to an API vulnerability (like a private key leak). $500K+ loss and $6.5M at risk right now. Withdraw immediately. - @fried_rice
- Past Permissions, Present Problems: Analysis of Theft through Authorized Malicious Contracts - Cryptographic Asymmetry and How To Shut Down A Cosmos-Ethereum Bridge - SoK: Security of Cross-chain Bridges: Attack Surfaces, Defenses, and Open Problems @EthSecurity1
Forwarded from Daily Security
Malware in @solana/web3.js
Seen some similar cases of npm takeover in the past. Be careful.
https://x.com/anza_xyz/status/1864085236432134264?s=46
- Permission denied - The story of an EIP that sinned - Beanstalk Insufficient Input Validation Bugfix - What Are Elliptic Curve Pairings @EthSecurity1
Trust Security: Permission denied - The story of an EIP that sinned
On 24/08 Trust Security disclosed a variety of DOS issues to 30+ projects through Immunefi and private bug bounty programs. In total $50k from 15 projects were paid out. We'll start with a technical description of the issue for those of you who like to get…
Vestra DAO hacked. 73M $VSTR stolen. Root cause: there's no code to remove the user's staking info, which means anyone who staked some amount can unstake several times. The hacker just called "unStake" several times. @EthSecurity1
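The bug class from the Vestra DAO post, shown as an added example that is not Vestra DAO's code: the contract names, the StakeInfo layout, the stripped-down IERC20 interface and the totalStaked bookkeeping are all assumptions for illustration. The vulnerable contract pays out the caller's recorded stake on every call and never clears the record; the fixed one clears the record before the external transfer and keeps an invariant that a test or monitor can check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the two staking contracts below (assumed interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Vulnerable pattern (hypothetical, modelled on the bug described in the post):
/// unStake() reads the caller's stake record and pays it out, but never clears it,
/// so every repeat call pays the same amount again until the pool is empty.
contract StakingVulnerable {
    IERC20 public immutable stakingToken;

    struct StakeInfo {
        uint256 amount;
        uint256 since;
    }

    mapping(address => StakeInfo) public stakes;

    constructor(IERC20 token) {
        stakingToken = token;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero stake");
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        stakes[msg.sender].amount += amount;
        stakes[msg.sender].since = block.timestamp;
    }

    // BUG: there is no `delete stakes[msg.sender]` (or `amount = 0`) anywhere here.
    // A caller who staked X once can call unStake() N times and receive N * X.
    function unStake() external {
        StakeInfo memory info = stakes[msg.sender];
        require(info.amount > 0, "nothing staked");
        require(stakingToken.transfer(msg.sender, info.amount), "transfer failed");
    }
}

/// Fixed pattern: checks, then effects (record cleared), then the external transfer,
/// plus an accounting invariant that can be asserted after every state change.
contract StakingFixed {
    IERC20 public immutable stakingToken;

    struct StakeInfo {
        uint256 amount;
        uint256 since;
    }

    mapping(address => StakeInfo) public stakes;
    uint256 public totalStaked; // sum over all stakes[*].amount

    constructor(IERC20 token) {
        stakingToken = token;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero stake");
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        stakes[msg.sender].amount += amount;
        stakes[msg.sender].since = block.timestamp;
        totalStaked += amount;
    }

    function unStake() external {
        uint256 amount = stakes[msg.sender].amount;      // check
        require(amount > 0, "nothing staked");
        delete stakes[msg.sender];                       // effect: record gone before any external call
        totalStaked -= amount;
        require(stakingToken.transfer(msg.sender, amount), "transfer failed"); // interaction last
        // A second call now reverts with "nothing staked".
    }

    /// Invariant the vulnerable contract cannot keep: the pool never holds
    /// less than what it still owes stakers. Worth asserting in fuzz tests
    /// and alerting on from a monitor.
    function solvent() external view returns (bool) {
        return stakingToken.balanceOf(address(this)) >= totalStaked;
    }
}
```

Running a fuzz or invariant test against `solvent()` catches this class of bug without knowing the exploit in advance: any sequence of stake/unStake calls that drains the balance below totalStaked is a failing case. The invariant assumes the staking token is not fee-on-transfer or rebasing; for such tokens the credited amount must be measured from the balance delta rather than the requested amount.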
Users lost millions due to Alpaca Finance
allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" https://rekt.news/false-prophet/ @EthSecurity1
Rekt - False Prophet
DeFi / Crypto - Alpaca Finance lost millions by allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" Turns out F5 isn't a reliable price feed. Who knew?
Forwarded from Vladimir S. | Officer's Channel (Vladimir S. | officercia)
Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google!
Link: t.me/addlist/uesom31GM1I4Yjgy
Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!
A small tip to subscribooors: if you find a channel interesting, move it out of the folder into your main list of chats. That way you'll view content you're interested in more often, and channels get more views instead of just subscribers!
#crypto #web3
web3-sec.gitbook.io: Preface | Art Of Auditing