EthSecurity – Telegram
Forwarded from Web3Privacy
What is x402
@Web3privacyy
@402bridge has been exploited. ~17K $USDC was stolen.
@EthSecurity1
Mastering Ethereum, 2nd Edition is out!
@EthSecurity1
An exploit on an unverified contract on Base led to the loss of 55 WETH (~$220K).
Root cause: the contract's public uniswapV3SwapCallback() method lacks proper access control and allows arbitrary transferFrom calls.
@EthSecurity1
Seems Balancer hacked for $70M.
Update: hacked for $116M+.
Beets Finance has suffered damage from hacking.

@EthSecurity1
The Berachain validators have coordinated to purposefully halt the Berachain network as the core team performs an emergency hard fork to address Balancer V2 related exploits on the BEX.
All Balancer-forked protocols infected.

Balancer exploitation was so sophisticated.
@EthSecurity1
A letter from the Sonic community to the Balancer hacker:
We know you are selling $stS to $S, but there is no way out from Sonic chain.

You won't be swapping for USDC (will get frozen instantly); USDT liquidity is too thin, along with S/ETH & S/BTC (non-existent).

So bridging is just not possible, unless you're willing to take a 60 to 70% haircut by swapping $3.6M S to ETH or BTC.

And guess what!
SonicLabs has wiped out all $S / wS holdings of the hacker.

Sonic Foundation could freeze coins of certain wallets.
@EthSecurity1
Here are three reports that come close to what happened to Balancer V2:

Certora: Balancer Exploit Explained: What Went Wrong and Why v3 Is Safe - link

Coinspect Security: Balancer V2 Stable Pools Exploit — Rate Manipulation - link

Blocksec: Balancer V2 Report - link

@EthSecurity1
Seems the Balancer hacker's wallet was initially frozen (stS); they bypassed the prohibition and swapped to wBTC, ETH.

Permit transaction: 0xe3eab35b288c086afa9b86a97ab93c7bb61d21b1951a156d2a8f6f5d5715c475

@EthSecurity1
It seems ImpermaxFinance is HACKED for ~110 ETH

@EthSecurity1
Balancer announced that it successfully executed a rescue of ~$4.1M following a new exploit path. Detailed information has not yet been disclosed.
@EthSecurity1
Bad OpSec: a collection of links on bad opsec

https://github.com/jermanuts/bad-opsec

@EthSecurity1
The Crypto OpSec Bible - link

The cryptography behind passkeys - link

Understanding and Characterizing Obfuscated Funds Transfers in Ethereum Smart Contracts - link

@EthSecurity1
The TEE security handbook is live now.

This document covers:
+ Defining TEEs
+ TEE attacks categorisation
+ Deep dive of TEE platforms
+ Threat modelling around TEEs
+ Security layers for TEE protocols
+ Best practices for engineers & protocols

https://docs.bluethroatlabs.com

@EthSecurity1
How Aztec works - link

Math bugs drain millions from DeFi protocols - link

Hackers found a new way to phish — through browser notifications.
A new tool called Matrix Push C2 lets attackers send fake alerts that look like real ones from PayPal, Netflix, or TikTok. - link
@EthSecurity1
nexa_network's cross-chain token solution CATERC20 is vulnerable: when switching owner, it returns zero. A hacker used it to exploit Port3 Network. Loss ~$160K.
@EthSecurity1
Full list of packages that were affected by the latest npm attack:
ens packages
ethereum-ens
crypto-addr-codec
uniswap-router-sdk
valuedex-sdk
coinmarketcap-api
luno-api
soneium-acs
evm-checkcode-cli
gate-evm-check-code2
gate-evm-tools-test
create-hardhat3-app
test-hardhat-app
test-foundry-app
@accordproject/concerto-analysis
@accordproject/concerto-linter
@accordproject/concerto-linter-default-ruleset
@accordproject/concerto-metamodel
@accordproject/markdown-it-cicero
@accordproject/template-engine
@ifelsedeveloper/protocol-contracts-svm-idl

@EthSecurity1