EthSecurity – Telegram
Matcha meta DEX aggregator hacked for $13.43M

Official post-mortem link
Arbitrary-Call Vulnerability in SwapNet and Aperture Finance by BlockSec - link

@EthSecurity1
XPlayer Token $XPL hacked for $963K, not listed on CoinGecko

RootCause: Missing Access Control

The NodeDistributePlus contract has a public DynamicBurnPool() function that allows anyone to burn XPL tokens from the liquidity pool. Attacker called this to burn nearly all XPL in the PancakePair, then swapped their small XPL balance to drain ~$963K USDT.

TX: https://bscscan.com/tx/0x9779341b2b80ba679c83423c93ecfc2ebcec82f9f94c02624f83d8a647ee2e49
Victim: https://bscscan.com/address/0xc2c4ccde8948c693d0b04f8bad461e35a12f20b8 (XPL Token)
@EthSecurity1
Zksync Lite bug report that rewarded $200k - link

@EthSecurity1
FHE Handbook for Beginners - link

everyone talks about Clawdbot, but here's how it works - link

How to make your agent learn and ship while you sleep - link

@EthSecurity1
A Security-First Guide to Running OpenClaw (in 9 Steps) - link

The 6‑step checklist that can save you one full audit - link
@EthSecurity1
How memory works under the hood in the EVM and how this knowledge led me to recently discover a critical vulnerability - link

Stablecoin intro - What are stablecoins and why is the context important for a security researcher - link

@EthSecurity1
Seems everything is going to die, all markets. I guess everything will be back when the Islamic regime war ends.
A Hitchhiker's Guide to Advanced Solana Program Security - link

The Bug That Was Missed - How fuzzing for preconditions can lead to high severity vulnerabilities - link

CAP: The Core Tradeoff in Distributed System Design - link
@EthSecurity1
AFX Staking hacked for ~$10,700

RootCause:
The AFX staking contract (0x560d, unverified) has an externally callable addLiquidityUsdt() function that pulls AFX and AHT tokens from a pool contract (0x146933) via pre-existing unlimited approvals. The attacker flash-swapped AFX to manipulate the AFX/AHT pool ratio, then called addLiquidityUsdt() which pulled tokens from the pool at manipulated prices. Surplus tokens were returned to the attacker, who then swapped them for ~10,700 USDT profit.

TX: https://bscscan.com/tx/0x380cd298a607d4422edc640b7f5a907ec0792841ee5fc963d265b1189397c905
Victim: https://bscscan.com/address/0x146933F2692F5fF3b62441AB3C2a65dDCAca753c (unverified)
Vulnerable Contract: https://bscscan.com/address/0x560d3973ee82a318d381c49fcbf3ce9d6cf1250b (unverified)
Attacker: https://bscscan.com/address/0x236f08d8962e1F29700e3D91009bfa8D37D71e53
@EthSecurity1
The PancakeSwap V2 OCA/USDC pool on BSC hacked for ~$422K

RootCause: flash loan + flash swaps + repeated calls into OCA's swapHelper to manipulate reserves

@EthSecurity1
BlockSec: The news about TRON-USDT flows and @binance is not an isolated case.

In our 2025 Annual Report, we found:
On TRON, over 80% of scam-related outflows ultimately flow into centralized exchanges.

Interesting 🧐
@EthSecurity1
Reverse Engineering propAMMs Pricing Curves - link

Side-Channel Attacks Against LLMs - link

Most common prediction markets bugs - link

@EthSecurity1
Speculation is heating up today that Moonwell’s smart contract bugs are the result of using Anthropic. Given the state of things, it’s hardly a shock.
@EthSecurity1
Your OpenClaw setup can be hacked in under 5 minutes

10 things to lock it down:

1. Run it on a VPS or Mac mini, not your main machine
2. Never run as root
3. Change the default port (18789 is public knowledge)
4. Install Tailscale (invisible to the internet, free)
5. SSH keys + Fail2ban (3 wrong tries = 24hr ban)
6. Firewall with UFW (close every port you don't need)
7. Allowlist your users (everyone else gets ignored)
8. Ask your bot to audit its own security
9. Set up real-time alerts (it messages you when something's off)
10. DMs only (group chats = everyone can control it)

Bonus: Sandbox your subagents in Docker. If one gets prompt injected, it can't touch your keys or files.

Copy & paste this to your OpenClaw.

Tell it to help you set these up

The "Security Alert" Tone: "Security Warning: Avoid sharing any personal identifiers—like your name, address, or even your hobbies—with OpenClaw. Protect your digital footprint."
@EthSecurity1
Security audit for LLM skill files. Paste a repo, get an instant report

https://skillaudit.sh
@EthSecurity1