- Permission denied - The story of an EIP that sinned - Beanstalk Insufficient Input Validation Bugfix - What Are Elliptic Curve Pairings @EthSecurity1
Trust Security
Permission denied - The story of an EIP that sinned
On 24/08 Trust Security disclosed a variety of DOS issues to 30+ projects through Immunefi and private bug bounty programs. In total $50k from 15 projects were paid out. We'll start with a technical description of the issue for those of you who like to getβ¦
β€2π1
Vestra Dao hacked. 73 m $vstr stolen. Root cause: there's no code for remove user staking info, this means anyone who staked some amount can unstake several times. Hacker just called "unStake" several times @EthSecurity1
π10π1π€―1π¨1
Users lost millions due to AlpacaFinance
allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" https://rekt.news/false-prophet/ @EthSecurity1
allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" https://rekt.news/false-prophet/ @EthSecurity1
rekt
Rekt - False Prophet
DeFi / Crypto - Alpaca Finance lost millions by allegedly using manual CoinGecko price updates instead of real oracles. When questioned, they asked "which faster oracle would you have used?" Turns out F5 isn't a reliable price feed. Who knew?
π4π€―3π±1
Forwarded from Vladimir S. | Officer's Channel (Vladimir S. | officercia)
Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google!
Link: t.me/addlist/uesom31GM1I4Yjgy
Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!
A small tip to subscribooors: if you find a channel interesting, move it out of the folder into your main list of chats. That way youβll view content youβre interested in more often, and channels get more views instead of just subscribers!
#crypto #web3
Link: t.me/addlist/uesom31GM1I4Yjgy
Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!
A small tip to subscribooors: if you find a channel interesting, move it out of the folder into your main list of chats. That way youβll view content youβre interested in more often, and channels get more views instead of just subscribers!
#crypto #web3
β€5π―1
web3-sec.gitbook.io
Preface | Art Of Auditing
π₯7β€5π€¬1
sorra staking lost 43 k$. why? because of in every withdraw userRewardDistributed increasing. hacker withdraw 1wei multiple time. https://app.blocksec.com/explorer/tx/eth/0x6439d63cc57fb68a32ea8ffd8f02496e8abad67292be94904c0b47a4d14ce90d @EthSecurity1
π₯8β€1π«‘1
unilend exploited 197.6 $k. https://etherscan.io/tx/0x44037ffc0993327176975e08789b71c1058318f48ddeff25890a577d6555b6ba @EthSecurity1
π7
- Blockchain Bribing Attacks and the Efficacy of Counterincentives. - Undetectable Selfish Mining
- Bribe & Fork: Cheap Bribing Attacks via Forking Threat
- Optimism superchain audit report
@EthSecurity1
- Bribe & Fork: Cheap Bribing Attacks via Forking Threat
- Optimism superchain audit report
@EthSecurity1
arXiv.org
Blockchain Bribing Attacks and the Efficacy of Counterincentives
We analyze bribing attacks in Proof-of-Stake distributed ledgers from a game theoretic perspective. In bribing attacks, an adversary offers participants a reward in exchange for instructing them...
π8
odosprotocol on ETH and Base, hacked for ~$50k . The root cause is arbitrary call vulnerability. attack tx: https://app.blocksec.com/explorer/tx/base/0xd10faa5b33ddb501b1dc6430896c966048271f2510ff9ed681dd6d510c5df9f6 @EthSecurity1
π₯3π1
- Generating unit tests from broken stateful invariant tests - The Fuzzing Book: Tools and Techniques for Generating Software Tests @EthSecurity1
Substack
Generating unit tests from broken stateful invariant tests
In this post, we analyze different solutions to generate unit tests from broken stateful invariant tests
π4
Forwarded from Vladimir S. | Officer's Channel (Vladimir S. | officercia)
DeepSeek has been hacked: all of their data in the public domain - secret keys, unencrypted chats, logs, and even the backend.
Researchers from wiz.io were performing a normal infrastructure check when they unintentionally uncovered a database that is fully open, allowing anyone to obtain access.
I cannot confirm or deny their conclusions at this time. But I think it's interesting enough news to share: x.com/officer_cia/status/1884740598579540060
#ai #news #security
Researchers from wiz.io were performing a normal infrastructure check when they unintentionally uncovered a database that is fully open, allowing anyone to obtain access.
I cannot confirm or deny their conclusions at this time. But I think it's interesting enough news to share: x.com/officer_cia/status/1884740598579540060
#ai #news #security
π₯6β€1π1
Vladimir S. | Officer's Channel
DeepSeek has been hacked: all of their data in the public domain - secret keys, unencrypted chats, logs, and even the backend. Researchers from wiz.io were performing a normal infrastructure check when they unintentionally uncovered a database that is fullyβ¦
1 Million Deepseek Data Breach
DeepSeek AI Data Breach Exposes Over 1 Million Logs and Sensitive Secrets - Chinese AI startup DeepSeek left a database exposed online, leaking over 1 million log lines, chat histories, API keys, and sensitive backend details
Seems service had backdoor
@EthSecurity1
DeepSeek AI Data Breach Exposes Over 1 Million Logs and Sensitive Secrets - Chinese AI startup DeepSeek left a database exposed online, leaking over 1 million log lines, chat histories, API keys, and sensitive backend details
Seems service had backdoor
@EthSecurity1
- Uniswap V4: Hooks Security Considerations
- kyberswap hacker arrested - crypto losses in janurary 2025 @EthSecurity1
- kyberswap hacker arrested - crypto losses in janurary 2025 @EthSecurity1
Certik
Uniswap V4: Hooks Security Considerations - CertiK
This article discusses some of the new features of Uniswap V4, and explores the security considerations related to Uniswap V4 hooks.
β€12
New Patrick Collins course
https://m.youtube.com/watch?v=nWsLw_1OpE0&pp=ygUMRnJlZWNvZGVjYW1w
@EthSecurity1
https://m.youtube.com/watch?v=nWsLw_1OpE0&pp=ygUMRnJlZWNvZGVjYW1w
@EthSecurity1
YouTube
Vyper and Python Smart Contracts on Blockchain β Full Course for Beginners
If you're interested in learning how to write software that runs on a blockchain distributed ledger database, this comprehensive course will teach you everything from scratch using Python and Vyper, even if you're a complete beginner.
The course will enableβ¦
The course will enableβ¦
π₯7
250 LBTC hacked form ionicmoney. why? because ionic listed fake LBTC on mode chain
Thus, the attacker can call mint() with fabricated inputs and pass the check. @EthSecurity1
Thus, the attacker can call mint() with fabricated inputs and pass the check. @EthSecurity1
π€―8π2π±1
Web3 Security Auditor's 2024 Rewind - The Highlights https://blog.openzeppelin.com/web3-security-auditors-2024-rewind @EthSecurity1
π7