This bug class appears everywhere:
• Cross-chain bridges
• Oracle integrations
• Signature verification
• Webhooks
• Smart contract authorization
The exploit changes.
The root cause doesn’t:
Trusting data without authenticating its origin
The $4.67M Secret Network exploit wasn’t an IBC bug or an Axelar bug.
It was an authentication bug.
The bridge verified the token name, but never verified who was allowed to mint it.
Here’s what every smart contract engineer should learn 🧵
Forking security-critical code isn’t a cosmetic change.
The moment you change the trust model, you’ve built a new protocol.
That deserves a fresh audit—even if you only deleted two lines.
Please,
Don’t build for traders.
Build for users.
If traders can’t profit from my protocol, but millions of users can benefit from it…
I’m okay with that.
Launching soon.
TAM: …
@cbventures@a16zcrypto
Auditing the protocol this week. Excellent, robust architecture—virtually bug-free. Highly commendable work by a top-tier development team.
Think it's completely bug-free? Think again. After nearly passing out from the effort, I finally found a bug.
@HackenProof Is it normal on
@HackenProof
that comments to triage on reports take 2-3 weeks to get a reply back? It's been 2 weeks and doesn't received any reply on my escalation by the triager. Hey
@HackenProof
guys, can you help me out?
Is it normal on @HackenProof that comments to triage on reports take 2-3 weeks to get a reply back?
It's been 2 weeks and doesn't received any reply on my escalation by the triager.
Hey @HackenProof guys, can you help me out?