ethsecurity1 | Unsorted

Telegram channel ethsecurity1 - EthSecurity


@web3privacy1 https://x.com/EthSecurity


EthSecurity

Level up your blockchain security skills with hands-on shadow audits of real-world smart contracts. Get instant AI-powered feedback and track your progress.
https://secudoku.statemind.io/

@EthSecurity1


EthSecurity

bug in rsETH minted $31,220,047,901,664,100,000

https://x.com/danielvf/status/1917677260343238906
@EthSecurity1


EthSecurity

Loopscale hacked for ~ 5.7M USD and 1200 SOL

Root cause: one stale price feed → under-collateralized loans → exit liquidity.

All stolen funds returned to the protocol!

@EthSecurity1


EthSecurity

ImpermaxFinance hacked
The root cause of the ImpermaxFinance attack is the mispricing of Uniswap V3 NFTs.
@EthSecurity1


EthSecurity

KiloEx Perp (https://x.com/KiloEx_perp) REKT
~4.2 million USD loss
Root cause: price oracle access control issues.

Attacks:
https://basescan.org/tx/0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd
https://basescan.org/tx/0xde7f5e78ea63cbdcd199f4b109db2a551b4462dec79e4dba37711f6c814b26e6
https://bscscan.com/tx/0x1aaf5d1dc3cd07feb5530fbd6aa09d48b02cbd232f78a40c6ce8e12c55927d03
https://bscscan.com/tx/0x38b25be14b83fd549d5e0b29ba962db83d41f5f9072d0eac4f692fa8e7110bc0

@EthSecurity1


EthSecurity

Ethereum Liquid Staking: Validator Deposit Risks & Mitigation - link
@EthSecurity1


EthSecurity

Reduce The Risk of Cyber Attacks: Isolated Dev Environments - link

Mapping the DeFi crime landscape: an evidence-based picture - link

Yul Puzzles

@EthSecurity1


EthSecurity

Use this list of fantastic telegram channels I've put together in order to discover them as your own personal Web3-Google!

Feel free to use this folder to onboard your non-web3 friends to Web3, as the majority of the channels are maintained by independent researchers. There are also additional channels for news, CT reviews, and more!

Link: t.me/addlist/uesom31GM1I4Yjgy

#telegram #offtopic


EthSecurity

Trezor Reveals Potential Vulnerability in Older Safe 3 Crypto Wallets!

Trezor disclosed a potential vulnerability in its Safe 3 wallet after Ledger identified a supply chain attack using voltage glitching.

The attack requires physical access and advanced skills, making it unlikely for widespread exploitation. Newer Trezor models, including Safe 5, are unaffected. Users are advised to buy from official sources, use strong PINs, enable passphrases, and keep firmware updated.

https://www.theblock.co/post/346018/trezor-discloses-vulnerability-safe-3-crypto-wallet-rival-ledger

#opsec #security


EthSecurity

1inch market maker @trustedvolumes got hacked for over $4.5M and a few smaller MMs got hacked for $0.5M yesterday.

The root cause is that 1inch calls MM contract’s resolveOrders function to get funds to its settlement contract. Most bots only checked the msg.sender = settlement contract - and unfortunately there was an arbitrary call vulnerability in settlement contract. Thus the hacker could forge resolveOrders call and drain MM contracts.

The funny thing is the hacker incorrectly transferred half of the stolen funds to the 1inch settlement contract, making the funds available for everyone to grab, and he spent quite some time getting the funds back. We were trying to compete but the hacker got it first, unfortunately.

By shoucccc



1inch Postmortem by decurity
https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9
@EthSecurity1
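The post describes a market-maker contract whose only guard was `msg.sender == settlement`, which stops protecting anything once the settlement contract itself can be induced to make arbitrary calls. The following is an added illustration, not 1inch's or any market maker's actual code: the contract and function names (`Settlement`, `resolveOrders`, `Order`, `commitOrder`) and the order layout are assumptions. It shows a resolver that trusts caller identity alone beside one that also binds each payout to an order the market maker committed to itself, so a forged call with attacker-chosen orders is rejected even when it arrives from the expected caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical market-maker resolver (names and layout are assumptions, not
// 1inch's or any MM's real code), written to contrast the two authorization models.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// An order the settlement contract asks the MM to fill.
struct Order {
    address token;   // asset the MM pays out
    uint256 amount;  // amount the MM pays out
    uint256 nonce;   // per-order nonce chosen by the MM when quoting
}

/// Vulnerable model: the caller's identity is the only check.
contract VulnerableResolver {
    address public immutable settlement;

    constructor(address _settlement) { settlement = _settlement; }

    // If `settlement` can be driven into making arbitrary calls, this check passes
    // for attacker-chosen calldata and the contract pays out whatever is requested.
    function resolveOrders(Order[] calldata orders) external {
        require(msg.sender == settlement, "not settlement");
        for (uint256 i = 0; i < orders.length; i++) {
            require(IERC20(orders[i].token).transfer(settlement, orders[i].amount), "transfer failed");
        }
    }
}

/// Hardened model: the MM pre-commits on-chain to every order it is willing to fill,
/// so the payout is bound to parameters the MM chose, not to the caller alone.
contract HardenedResolver {
    address public immutable settlement;
    address public immutable owner;          // the MM's own operator key
    mapping(bytes32 => bool) public committed; // order hash => MM agreed to fill it
    mapping(bytes32 => bool) public filled;    // order hash => already paid out

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address _settlement) {
        settlement = _settlement;
        owner = msg.sender;
    }

    function orderHash(Order calldata o) public pure returns (bytes32) {
        return keccak256(abi.encode(o.token, o.amount, o.nonce));
    }

    // Called by the MM's quoting engine before a quote goes live.
    function commitOrder(bytes32 hash) external onlyOwner {
        committed[hash] = true;
    }

    function resolveOrders(Order[] calldata orders) external {
        require(msg.sender == settlement, "not settlement");
        for (uint256 i = 0; i < orders.length; i++) {
            bytes32 h = orderHash(orders[i]);
            // Reject anything the MM did not commit to, and reject replays.
            require(committed[h] && !filled[h], "order not committed or already filled");
            filled[h] = true; // effect before the external transfer
            require(IERC20(orders[i].token).transfer(settlement, orders[i].amount), "transfer failed");
        }
    }
}
```

Committing every order with a transaction is the simplest form of the idea; a production resolver would more likely verify an EIP-712 signature from the MM's signer over the same fields, which gives the same property (authorization tied to the order data rather than to the caller) without a transaction per quote. Either way, the detection-side lesson from the post is the same: an `onlySettlement`-style modifier is only as strong as the settlement contract's own call discipline.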


EthSecurity

A critical vulnerability in time.fun let us steal all trading fees and modify the metadata (e.g. change "toly's minute" to "vitalik's minute") of every token launched.
time.fun provides each new user with a dedicated wallet to deposit USDC for trading. The user's private key is securely stored with a third-party provider. But since SOL is needed to cover gas fees and time.fun wants a seamless interaction for users, the wallet “HW2C...Lo1H” signs every trade transaction alongside the user’s wallet signature. Surprisingly, this same wallet also owns all tokens launched by time.fun. As it is one of the signers, we can act on behalf of “HW2C...Lo1H” if we can get the backend to sign arbitrary data.

@EthSecurity1


EthSecurity

⚠️A critical vulnerability (GHSA-vjh7-7g9h-fjfh) has been discovered in the widely-used elliptic encryption library.

https://slowmist.medium.com/private-key-leakage-in-ecdsa-signatures-analysis-of-malformed-input-vulnerability-in-the-elliptic-24f73c05cac1

@EthSecurity1


EthSecurity

Infini DeFi hacked for $50 million. All stolen DAI was changed into ether and spread across accounts.

@EthSecurity1


EthSecurity

the Lazarus hackers first found the targeted employees through social engineering, added private GitHub repository access to the victims or victimized employees through live chat tools, and tricked the users into running the code that contained the backdoor.
🧵
https://x.com/im23pds/status/1892767073605931065?s=61
High level Attack flow
https://x.com/dhkleung/status/1893073663391604753?s=61

@EthSecurity1


EthSecurity

If you are running LND older than 0.18.5 and/or LITD older than 0.14.1, upgrade immediately. Apparently, affected Lightning nodes can be completely drained by attackers. #Bitcoin

@EthSecurity1


EthSecurity

The attacker behind the $186M Nomad Bridge hack has been identified as Alexander Gurevich, aka "Block".

He fits the profile of a crypto-native threat actor: skilled in smart contract exploitation but ultimately undone by poor opsec

Poor guy. He is responsible for hacking $2.8M; hundreds of wallets participated in the Nomad bridge exploit.
He is 47 years old and going to jail for 50 years.
Note: do not change your name when leaving Israel :)

https://www.jpost.com/israel-news/article-852464

@EthSecurity1


EthSecurity

https://www.theblock.co/post/352364/aleph-zero-crypto-privacy-app-shielded-transactions-evm-chains-arbitrum
@EthSecurity1


EthSecurity

10 Foundry best practices that every smart contract developer should know. link

One of the simplest and best-explained videos on Solana security. link

Uniswap V3 Factory and the Relationship Between Tick Spacing and Fees. link


@EthSecurity1


EthSecurity

Solana bootcamp full stack - link

Remedyctf write up -
link

Breaking Down the Puzzles in ZK Hack V -
link

@EthSecurity1


EthSecurity

Postmortem on Hyperledger Besu having the wrong address for the deposit contract - link

BRC20 Snipping Attack -
link

Lessons from OpenZeppelin’s 1000+ Audits -
link

@EthSecurity1


EthSecurity

Check out this extremely detailed graphical breakdown of “the journey of a smart contract” - 𝕏/@officer_cia


EthSecurity

DeFi Liquidation Vulnerabilities - link

Learn how to debug bytecode with huff and forge -
link

Solidity Development with Foundry: Cast, Anvil, Chisel, and Forge by Ethereum Engineering group -
link

@EthSecurity1


EthSecurity

Issues in Protocols Interacting with Uniswap V3 Liquidity & Cross-Chain Swaps - link

Modern Stablecoins, How They're Made: M^0 - link

Bybit Hack Tracing Dune panel - link


@EthSecurity1


EthSecurity

No More Bets - How Ctrl+F led to breaking Polymarket's polling markets - link
@EthSecurity1


EthSecurity

At 23:00 CET on 05.03.25, the 1inch team discovered a vulnerability in resolver smart contracts using the obsolete Fusion v1 implementation. No end-user funds were at risk, only resolvers using Fusion v1 in their own contracts.

@EthSecurity1


EthSecurity

someone with a $500 bankroll accidentally discovered we were using an old FTM price to mark Sonic ($0.70 vs $0.50) and looped it $50/time in our UI for twelve hours today and like +40x'ed his port, whoever you are ggwp you deserve it (you should learn how to use an API tho)
https://x.com/tomkysar/status/1897125825889398817

@EthSecurity1


EthSecurity

Hegic Finance hacked for 0.8275 wBTC. Root cause: the developer forgot to subtract the "t.share" value, so a user can withdraw multiple times.

@EthSecurity1 #Reentrancy
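The bug class in the post above, a withdrawal that pays out against a stored share balance but never reduces it, is easy to show side by side with its fix. The following is an added illustration, not Hegic's code: the vault, `Tranche` struct, `deposit` and `withdraw` are hypothetical and simplified (no fees, no rounding protection). The fixed version zeroes the share and shrinks the supply before the token transfer, which closes both the plain repeat-withdrawal and the reentrant variant through a callback-capable token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical share-based vault (not Hegic's code), written to contrast a withdraw
// that forgets to reduce the stored share with one that applies effects first.

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

struct Tranche {
    address owner;
    uint256 share;  // pool shares held by this tranche
}

abstract contract SharesBase {
    IERC20 public immutable token;
    uint256 public totalShares;
    Tranche[] public tranches;

    constructor(IERC20 _token) { token = _token; }

    // Mint shares pro-rata to the pool balance before the deposit lands.
    function deposit(uint256 amount) external returns (uint256 id) {
        uint256 bal = token.balanceOf(address(this));
        uint256 share = (totalShares == 0 || bal == 0) ? amount : amount * totalShares / bal;
        require(share > 0, "zero share");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        totalShares += share;
        tranches.push(Tranche(msg.sender, share));
        return tranches.length - 1;
    }

    function withdraw(uint256 id) external virtual;
}

/// Vulnerable: t.share (and totalShares) are never reduced, so the same tranche
/// can be cashed out again and again until the pool is empty.
contract VulnerableVault is SharesBase {
    constructor(IERC20 _token) SharesBase(_token) {}

    function withdraw(uint256 id) external override {
        Tranche storage t = tranches[id];
        require(msg.sender == t.owner, "not owner");
        uint256 amount = t.share * token.balanceOf(address(this)) / totalShares;
        // BUG: missing `t.share = 0; totalShares -= share;`
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Fixed: checks, then effects, then the external interaction.
contract FixedVault is SharesBase {
    constructor(IERC20 _token) SharesBase(_token) {}

    function withdraw(uint256 id) external override {
        Tranche storage t = tranches[id];
        require(msg.sender == t.owner, "not owner");
        uint256 share = t.share;
        require(share > 0, "already withdrawn");
        uint256 amount = share * token.balanceOf(address(this)) / totalShares;
        // Effects first: a second call, or a reentrant one from a token with
        // transfer hooks, now sees share == 0 and reverts.
        t.share = 0;
        totalShares -= share;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing share accounting, the check to run on every exit path is that each unit of value leaving the contract is matched by a corresponding reduction of the caller's recorded claim in the same transaction, and that the reduction happens before any external call. A unit test that calls `withdraw` twice on the same tranche and expects the second call to revert catches this class directly.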


EthSecurity

What is happening with Apple and users in England?
https://www.forbes.com/sites/davidphelan/2025/02/21/apple-warns-uk-iphone-owners-it-will-remove-encryption-protection/
@web3privacy1


EthSecurity

Bybit hacked, loss ~$1.46 billion
@EthSecurity1


EthSecurity

Seems Abstract wallets are being drained!
cardex_space involved
~ 180 ether loss
@EthSecurity1
