EthSecurity

OpenMonero hacked again! 200 XMR stolen @EthSecurity1

How a hacker stole $1.34M from Raydium: - finds a bug inside Raydium's old 2021 code - targets 5 forgotten liquidity pools that were no longer being used. - generates fake ownership receipts to trick the system. - convinces the old program/code that he has liquidity that he never deposited. - withdraws real funds from the pools walks away with: > 150,177 $RAY > 5,603 $SOL > 893,700 $USDC @EthSecurity1

Raydium’s Legacy AMM V3 Exploited for $1.34 Million via LP Mint Validation Flaw @EthSecurity1

flash-loan exploit on mainnet for ~0.3225 ETH from the $SHIP Rootcause: $SHIP (Shina Printer) is an auto-reward token: it accrues an ETH "tax" and pays holders dividends in $SHI. To fund payouts, its distributor (0xa4EcC3c0…) market-buys $SHI on a Uniswap pool , with ZERO slippage protection. Attack TX: https://etherscan.io/tx/0x9868536a8c5b0414a5b6ef8fc534cb9cb8d7b6aa748d6a038f03228c529e8b2f @EthSecurity1

$TOP hacked for $1.59M Rootcuases: The attacker acquired more than 50% of TOP voting power, due to the token’s low market value, execute a governance proposal that minted a large amount of TOP to themselves @EthSecurity1

- What Are BLS Signatures and How Do They Work? - link - Pairing-Based Cryptography Demystified: A Deep Dive into Elliptic Curves - link @EthSecurity1

Syscoin hacked FOR 5B SYSCOIN An attacker exploited a validation issue in the bridge flow that resulted in an unauthorized SYS output being created on the UTXO side. The affected funds were moved and split after reaching the UTXO chain. We are actively tracing those funds and coordinating with exchanges and ecosystem partners to prevent the tainted outputs from being deposited, traded, or further distributed. @EthSecurity1

seems fixedfloat lock assets and never take back to users. do you verify it? @EthSecurity1

Why ZKTLS to TEE-TLS? - link - zcash exploit breakdown @EthSecurity1

Gravity Bridge did not offer a white-hat bounty. It did not send an on-chain message to the attacker. Hacker have money without legal problems @EthSecurity1

- ZK Math 101: Rings and Fields - link - Introducing sol-azy: A CLI Toolkit for Solana Program Static Analysis & Reverse Engineering - link - Move Bytecode Symbolic Execution Engine. -link @EthSecurity1

seems ZEC exploited to Mint unlimited supply and some influencers try pump to offload tokens @EthSecurity1

ATM token hacked for ~$243K Rootcause: transferFrom() includes logic to swap 20% transfer amount of ATM for BSC-USD, so the attacker can repeatedly swap out extra after transfer. @EthSecurity1

- Permanent Chain Split in Movement Full Node: Anatomy of a $6,710 Critical Vulnerability That Required a Hard Fork - link - The first two known exploits against live ZK circuits happened - link @EthSecurity1

HackerOne already stole all the researchers’ reports to build their AI agent, while they keep lying to us. they’re openly bragging about using 12+ years of real-world vulnerability data + your prior H1 Bounty findings to train their Hai agentic AI system. They built specialized recon, scanning, and exploit agents that follow the exact same workflow real researchers use at machine scale. All that knowledge researchers poured into the platform for years? Now it’s powering their proprietary AI product. And they still act like they’re the good guys protecting the hacker community. Fuck HackerOne. Stop feeding the machine that’s going to replace you. https://www.hackerone.com/product/h1-continuous-testing @EthSecurity1

After the @KelpDAO hack, many projects decided to migrate their cross-chain infrastructure from @LayerZero_Core to @chainlink 's CCIP, hoping to improve security for their users. The main selling point of CCIP compared to LayerZero is its “shared security” model, in which all cross-chain messages and transfers are supposedly validated by the same set of actors. set is equivalent to a 6/16 multisig While the OCR set is supposed to be roughly similar across all chains, a proper risk assessment requires checking and monitoring all of them on all the chains, given that a single misconfiguration or compromise on a single chain can cause loss of funds on other chains too. In the latest v1.6 contracts, only one OffRamp is deployed per chain. By contrast, the previous v1.5 protocol deploys one OffRamp per path, i.e. per chain pair, causing the number of contracts to be monitored and assessed to grow quadratically: 70*70=4900. Many tokens still use the v1.5 model. The OCR set can be changed through the “Active Risk Management” timelock, which defines a delay of 3h for regular operations but also an emergency path that can bypass it. The timelock is ultimately controlled by a set of deeply nested multisigs. @EthSecurity1

circle unblocklisted zama via tx 0x138894c10f7fe17fda87c5ff7799085a8cb3261d2c7c2491d6fe75d0abf814d7. 8hrs ago zama upgraded the implementation contract for cUSDC via tx 0x468f9a1433f795da68b88d6adb33f7180e86937d3f3437ec001173c52e7f35f4 which adds _an owner-controlled denylist_, i.e. blocked addresses cannot participate in confidential transfers, wraps, and unwraps.@EthSecurity1

A 2021 @dxsale locker, an unprotected admin key, $7.3 million gone. @DecurityHQ flagged the risk in 2023 for $500. Two compromised contracts holding $15.5 million remain untouched, for now @EthSecurity1

Canton chain lost 38% of its TVL in the last 24 hours. be ware of it @EthSecurity1

Canton chain lost 38% of its TVL in the last 24 hours.