I've been teaching web3 security for several years now, both here on 𝕏 and on Discord with @boringsecurity.
Every day it becomes more clear that while education is important, the only way towards mass adoption is to abstract away as much of this stuff as possible.
1/🧵
🗓️ SEPTEMBER CALENDAR IS HERE! 👇
Let's all have a #SafuSeptember and set a few hours of our month to get educated with #BoringSecDAO's FREE Security Classes! 🫡
Find a Class that suits your schedule, and hop in our Discord (link in bio) to sign-up. See you in class!
DEADLINE EXTENDED for our Adventures of Boredo Art Contest!
Submit your artworks before Sept 25, 12PM UTC.
Full details on the #artwork channel in our Discord (link in bio). 🫡
BAYCKADA x BORING SECURITY🫡
We're looking forward to welcoming more Filipino Apes into the #BoringSecurity safu squad in our @BAYCKada Web3 Security 101 Partner Class tomorrow. 🇵🇭
See you there, Apes!
How do honeypot tokens on the trending list bypass detections? 🐝🔍
By leaving a backdoor in permit signature verification, they can get any address's approval and transfer assets. 💼🔓
It seems today's victim @OnyxDAO (w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base. The drained funds include 4.1m VUSD, 7.35m XCN, 5k DAI, 0.23 WBTC, 50k USDT.
The bug is exploited to leverage a nearly empty market to manipulate the exchange rate, and here is the related hack tx:
https://t.co/grlEeU2nio
Address poisoning is on BTC now. The following is one concrete case. The phishing address (address 1) is disguising itself as address 2 to send a small amount of BTC to address 3. Since addresses 2 and 3 have historic transactions, the attacker hopes to trick the owner into copying the wrong address.
The upgrade issue arises from performing the upgrade by directly invoking initializeV4 without first calling initializeV3. Consequently, _totalOperatorWeight remains uninitialized, allowing the signature check to be bypassed.
The upgrade tx: https://t.co/hKchMzOHOC
A few hours ago, Penpie @Penpiexyz_io, a farming protocol built on the Pendle Protocol, suffered a reentrancy attack resulting in a loss of ~$27M. Since Penpie has been paused, we are now providing a detailed root cause analysis.
This is a typical issue due to the lack of reentrancy guard. Specifically, the vulnerable contract (0xff51c6, the implementation contract of PendleStaking) fails to consider that the provided argument, i.e., markets, might be untrusted, which can be abused to reenter into this contract.
Attack preparation TX: https://t.co/GfqcLFioiO
The attacker initially created a counterfeit SY (standardized yield token, i.e., 0x4476b). Although the SY tokens themselves were worthless, the contract was set up with two high-value PENDLE-LPT market tokens (i.e., 0x6010_PENDLE-LPT, 0x038c_PENDLE-LPT) as the reward tokens. By doing so, the attacker then created a market on Pendle and registered it on Penpie.
Attack TX: https://t.co/tyI6SmL5Ao
During the attack, the attacker executed the batchHarvestMarketRewards() function to harvest rewards, which were calculated based on the difference in balanceOf() before and after the redeemRewards() function was invoked. The redeemRewards() function, in turn, triggered the claimRewards() function of the specific market. As the protocol did not anticipate the possibility of a market being maliciously controlled, the attacker was able to re-enter the victim contract through the depositMarket() function.
After that, the attacker deposited the two high-value LPT market tokens, which were mistakenly treated as rewards. Simultaneously, the attacker received minted shares corresponding to these deposits. Consequently, the attacker could withdraw the same valuable LPT market tokens along with the corresponding shares minted in depositMarket(), and claim the reward to realize a profit.
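The accounting flaw described in the thread above, as an added Python model (not the protocol's code and not part of the original posts): harvest credits whatever balance arrives during an external call as reward, so a deposit made from inside that call is counted twice unless a reentrancy guard rejects it. The class and method names, the 1:1 share minting and the balances are constructed for illustration.

```python
class Reentrancy(Exception):
    pass

def non_reentrant(fn):
    """Mutex decorator modelled on a Solidity nonReentrant modifier."""
    def wrapper(self, *args):
        if self.guarded and self.locked:
            raise Reentrancy(fn.__name__)
        self.locked = True
        try:
            return fn(self, *args)
        finally:
            self.locked = False
    return wrapper

class Staking:
    def __init__(self, balances, guarded):
        self.bal, self.guarded, self.locked = balances, guarded, False
        self.shares, self.rewards = {}, {}

    @non_reentrant
    def deposit_market(self, user, amount):
        self.bal[user] -= amount
        self.bal["staking"] += amount
        self.shares[user] = self.shares.get(user, 0) + amount  # shares minted 1:1

    @non_reentrant
    def batch_harvest(self, market):
        before = self.bal["staking"]
        market.claim_rewards(self)             # external call into a caller-supplied market
        gained = self.bal["staking"] - before  # anything that arrived counts as reward
        self.rewards[market.staker] = self.rewards.get(market.staker, 0) + gained

class CallbackMarket:
    """Constructed market whose reward hook calls back into the staking contract."""
    def __init__(self, staker, amount):
        self.staker, self.amount = staker, amount

    def claim_rewards(self, staking):
        staking.deposit_market(self.staker, self.amount)

def run(guarded):
    staking = Staking({"user": 100, "staking": 1000}, guarded)
    try:
        staking.batch_harvest(CallbackMarket("user", 100))
    except Reentrancy:
        return "reverted", 0
    return "ok", staking.shares.get("user", 0) + staking.rewards.get("user", 0)

if __name__ == "__main__":
    print(run(guarded=False))  # one deposit of 100 credited as shares and as reward
    print(run(guarded=True))   # nested deposit rejected by the guard
```

The guard closes the reentrant path; restricting harvest to markets the protocol itself has vetted addresses the untrusted `markets` argument the analysis points to.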
ALERT! Our system has detected hundreds of suspicious transactions targeting @InfernoBullWin since 09/11/2024. This appears to be a typical case of forced investment. While the average loss per transaction is only $1.5K, the total loss has reached ~$440K.
As there is no direct contact method for the project, please reach out to us if you have any questions.
Subscribe to BlockSec Phalcon today to get alerted in realtime and take automatic actions to protect your assets. https://t.co/5cGK9A1psv
.@OnyxDAO was attacked, resulting in a loss of nearly $4M. The root cause was unverified user input during the liquidation process. Specifically, key parameters of the liquidateWithSingleRepay function in the NFTLiquidation contract were controllable by the attacker, allowing manipulation of the extraRepayAmount variable through the repayAmount parameter. By exploiting this, the attacker was able to liquidate all collateral with just one token.
The key attack steps are summarized as follows:
1. The attacker first deposited oETH and borrowed various assets to reach the liquidation threshold. Simultaneously, they created a new contract that, through a donation attack and precision loss (inherent from the Compound V2 fork), reduced the oETH exchange rate, making the attacker's position eligible for liquidation.
2. The attacker then performed the liquidation. Due to insufficient parameter validation, the attacker manipulated the extraRepayAmount variable, which was added to the calculation of how many tokens needed to be liquidated. This allowed the attacker to obtain more oETH through liquidation, leading to a profit.
Attack Tx: https://t.co/JWaASUo0vM
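A monitoring check for the precision issue named in the earlier @OnyxDAO post and in step 1 above, as an added example that is not from either post: it models Compound V2 style integer exchange-rate arithmetic and flags markets where truncation in a single redemption could give away a meaningful share of the pool. The market figures, the `max_leak_bps` threshold and the function names are constructed assumptions.

```python
SCALE = 10**18  # mantissa used for the scaled exchange rate

def exchange_rate(cash, borrows, reserves, total_supply):
    """Underlying per token unit, scaled by 1e18, with integer division."""
    return (cash + borrows - reserves) * SCALE // total_supply

def tokens_burned(amount, rate, round_up=False):
    """Token units burned to redeem `amount` underlying.
    round_up=True models rounding the burn in the protocol's favour."""
    n = amount * SCALE
    return -(-n // rate) if round_up else n // rate

def max_rounding_leak(rate):
    """Largest underlying amount whose burn truncates to zero token units."""
    return (rate - 1) // SCALE

def audit_market(name, cash, borrows, reserves, total_supply, max_leak_bps=1):
    """Flag a market when one truncated redemption can leak more than
    max_leak_bps basis points of its cash (threshold is an assumption)."""
    rate = exchange_rate(cash, borrows, reserves, total_supply)
    leak = max_rounding_leak(rate)
    leak_bps = leak * 10_000 // max(cash, 1)
    return {"market": name, "rate": rate, "leak_bps": leak_bps,
            "flag": leak_bps > max_leak_bps}

# Constructed sample markets: (name, cash, borrows, reserves, total_supply)
MARKETS = [
    ("healthy", 5_000 * 10**18, 0, 0, 250_000 * 10**8),
    ("nearly-empty", 2_000 * 10**18, 0, 0, 2),
]

def audit_all():
    return [audit_market(*m) for m in MARKETS]

if __name__ == "__main__":
    for row in audit_all():
        print(row)
    thin_rate = exchange_rate(2_000 * 10**18, 0, 0, 2)
    # Redeeming 1999 of 2000 underlying: truncation burns 1 unit, rounding up burns 2.
    print(tokens_burned(1_999 * 10**18, thin_rate),
          tokens_burned(1_999 * 10**18, thin_rate, round_up=True))
```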