Olivia
Online
BlockSec
@BlockSecTeam
Smart Contract Audit | Security Monitoring | AML/CFT (KYA/KYT) | Crypto Investigation | @Phalcon_xyz @MetaSleuth @MetaDockTeam 👉TG:
Joined December 2020
151 Following
27.2K Followers
2.2K Posts
Pinned Tweet
https://t.co/Lx4aRAUbQQ
🗓 Weekly Web3 Security Roundup | May 25 - May 31
🚨 Spotlight on 5 notable incidents | ~$16M lost this week
Featuring a vulnerability breakdown and in-depth analysis of selected key cases👇
https://t.co/MtsuhQ8nkX
Proud to be part of the SEAL Certifications initiative @_SEAL_Org
At BlockSec, we see this as an important step toward more standardized, credible, and transparent security auditing across Web3, helping build a more mature security assurance framework for the ecosystem.
If your protocol is ready to get certified, these firms are accredited and taking clients now.
Already working with one of them? Ask about SEAL Certifications starting today.
@audit_wizard @BlockSecTeam @chain_security @Composable_Sec @ConsensysAudits @cyfrin @DefiSafety @hackenclub @HackenProof @SecurityOak @OpenZeppelin @opsek_io @Quantstamp @0xshield3 @sigp_io @statemindio @trailofbits @Wonderland @zellic_io @zeroshadow_io
Announcement: https://t.co/7mYGchOI5q
.@StakeDAOHQ was reportedly exploited via a deployer key compromise, resulting in ~5.44T $vsdCRV minted to the attacker. The attacker appears to have obtained the deployer’s private key and set an arbitrary peer for $vsdCRV. Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T $vsdCRV to their address.
Who to follow
BlockSec Phalcon
@Phalcon_xyz
See Every Threat. Stop Every Hack. Stay Compliant. By @BlockSecTeam
Debug Tx | Block Hack | AML Screening | Illicit Fund Alerting https://t.co/RT0FyaxsIE
PeckShield Inc.
@peckshield
A blockchain security and data analytics company (telegram: https://t.co/x72dANZur3)
@bytes032.xyz
@bytes032
chief smart contract security cook @zenith256
🗓 Weekly Web3 Security Roundup | May 18 - May 24
🚨 Spotlight on 5 notable incidents | ~$104.6M lost this week
Featuring a vulnerability breakdown and in-depth analysis of selected key cases👇
https://t.co/BpujfpnZaa
An unknown contract named 'SquidRouterModule' was reportedly exploited on #Ethereum due to improper input validation, resulting in ~$3M in losses. @squidrouter has clarified that this incident is unrelated to Squid’s core protocol/contracts.
The root cause appears to be misuse of the Axelar Bridge, similar to the previous @crosscurvefi attack pattern (https://t.co/dIoTEpFQJL). The attacker (0xe1d5...3265) forged malicious calldata and abused approval permissions granted via PermissionManager (0x03B8...4cB7) to force token approvals from victims to Uniswap.
Using these malicious approvals, the attacker swapped victims’ assets for fake tokens (0xe6Ff...3512) through Uniswap pools and profited.
🗓 Weekly Web3 Security Roundup | May 11 - May 17
🚨 Spotlight on 3 notable incidents | ~$4.72M lost this week
Full analysis with vulnerability breakdown 👇
https://t.co/7Ttn4Bfn8D
#Web3Security
The root cause of the @VerusCoin incident appears to be improper validation of economic backing in the import submission flow [1].
Specifically, the Verus-Ethereum Bridge contract verifies that:
1) the export/notarization proof is valid, and;
2) keccak256(serializedTransfers) matches the export's hashtransfers commitment (i.e., hashReserveTransfers[1][2]).
However, it does NOT sufficiently validate that the source-chain export actually carries enough locked/burned value to support the corresponding payouts on Ethereum.
As a result, the attacker was able to submit a Verus export [3] with essentially no meaningful economic backing, but with a matching serializedTransfers hash, and the bridge still released ~$11.7M in ETH / tBTC / USDC [4].
At a high level, the vulnerable flow is:
1) proveImports(...)
-> validates the proof and checks that hash(serializedTransfers) matches the committed transfer hash;
2) processTransactions(...)
-> proceeds to execute the payouts on Ethereum
What is missing is a robust check that the source-chain export's actual economic backing is sufficient to support the imported transfers before assets are released.
Please note: the deployed code is not open-sourced. Our investigation is based on the attack transactions and code currently available in the official repository, which may not reflect the full deployed implementation or the complete attack surface.
References:
[1] https://t.co/M7MDDTWXOM
[2] https://t.co/ip7atKIje1
[3] https://t.co/TmW5jOAG1G
[4] https://t.co/h6oNYeFWk5
![Phalcon_xyz's tweet photo. The root cause of the @VerusCoin incident appears to be improper validation of economic backing in the import submission flow [1].
Specifically, the Verus-Ethereum Bridge contract verifies that:
1) the export/notarization proof is valid, and;
2) keccak256(serializedTransfers) matches the export's hashtransfers commitment (i.e., hashReserveTransfers[1][2]).
However, it does NOT sufficiently validate that the source-chain export actually carries enough locked/burned value to support the corresponding payouts on Ethereum.
As a result, the attacker was able to submit a Verus export [3] with essentially no meaningful economic backing, but with a matching serializedTransfers hash, and the bridge still released ~$11.7M in ETH / tBTC / USDC [4].
At a high level, the vulnerable flow is:
1) proveImports(...)
-> validates the proof and checks that hash(serializedTransfers) matches the committed transfer hash;
2) processTransactions(...)
-> proceeds to execute the payouts on Ethereum
What is missing is a robust check that the source-chain export's actual economic backing is sufficient to support the imported transfers before assets are released.
Please note: the deployed code is not open-sourced. Our investigation is based on the attack transactions and code currently available in the official repository, which may not reflect the full deployed implementation or the complete attack surface.
References:
[1] https://t.co/M7MDDTWXOM
[2] https://t.co/ip7atKIje1
[3] https://t.co/TmW5jOAG1G
[4] https://t.co/h6oNYeFWk5](https://pbs.twimg.com/media/HIlq_UJasAA_v7t.jpg)
.@VerusCoin's Verus-Ethereum Bridge smart contract (0x715185) was reportedly attacked hours ago on #Ethereum, with estimated losses of about $11.7M, including ~1,625.4 ETH, ~103.6 tBTC, and ~148K USDC. The stolen assets were transferred to 0x65cb8b and swapped into roughly 5,402.4 ETH (valued at ~$11.4M).
On-chain records show that the attacker address, 0x5abb91, was funded via Tornado Cash. The root cause remains under investigation.
Attack TX: https://t.co/h6oNYeFWk5
🗓 Bi-Weekly Web3 Security Roundup | Apr 27 - May 10
🚨 Spotlight on 11 notable incidents | ~$15.9M lost over the past two weeks
Featuring a vulnerability breakdown and in-depth analysis of selected key cases 👇
https://t.co/mUTGnBo3nU
#Web3Security
.@TransitFinance was reportedly attacked on #TRON, with estimated losses of about $1.88M. Since the affected contracts are not open-sourced and TRON lacks strong public analysis tooling, our investigation suggests the incident involved abuse of standing unlimited approvals.
Specifically, users had previously granted unlimited USDT allowance to its official approval contract:
TTLaNDdcL5rMfxMS2VL1UCa44ebRCNbqew (TransitApproveGovernanceTron)
The attacker then abused Transit’s own execution chain:
TUfPjKD6PbaWC4gDcA9u1WsJHv6vyUkbc4 (attack executor)
-> TFHc9qsQCiepyyUQynnVVrQwMxZ37Fi15N (TransitProxyV3Tron)
-> TUY2wroSG3hAyjQeWTuaJ8Gn5HJVsb7NPz (TransitMixSwapBridge)
-> TTLaNDdcL5rMfxMS2VL1UCa44ebRCNbqew (TransitApproveGovernanceTron)
-> TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t.transferFrom(...) (USDT)
This turned old standing approvals into direct victim-to-attacker USDT transfers. The figure shows one concrete example.
Alert! The contract 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756 was exploited resulting in total losses of $5.87M. An attacker-controlled contract (0xD4D5DB5EC65272B26F756712247281515F211E95) was able to invoke the function 0x4112e1c2() to transfer the @trustedvolumes Market Maker's approved assets after registering as the allowed signer.
Attack TX: https://t.co/4rQoR4eE9F
.@EkuboProtocol was reportedly exploited on Ethereum hours ago, resulting in a loss of about $1.38 million (17 WBTC). The Ekubo team has urged users to revoke approvals to potentially affected router contracts.
The root cause was insufficient access control in a publicly accessible, closed-source router/wrapper contract (0x8ccb1f), which allowed an attacker to enter the Core lock flow, borrow WBTC via withdraw, and repay the debt using a victim's pre-existing token approval through payCallback -> transferFrom(victim, Core, amount).
Attack TX: https://t.co/HLGb6ZJYq7
Add multiple language and better mobile support to our USDT freeze monitor. Have fun!
https://t.co/rOmNZPxoce
Pulled the full event history behind last week's observation.
USDC froze 549 TRON wallets in 10h on Mar 24. USDT froze 521 of them in 9 days (plus 14 it froze earlier).
USDT has unfrozen 90. USDC, 4.
87 sit USDT-unfrozen but USDC-frozen. One just moved ~201K USDT to @binance.
ALERT! Our system detected a series of unusual transactions involving @wasabi_protocol on #Ethereum and #Base, with total abnormal fund movements of roughly $5.15M.
Preliminary traces suggest that Tornado Cash-funded accounts were later granted ADMIN_ROLE-related privileges and were involved in the relevant WasabiLongPool, WasabiShortPool and WasabiVault flows.
We are sharing the related transactions for visibility and encourage the team to review and clarify the associated fund movements and role changes.
WasabiLongPool & WasabiShortPool:
1) https://t.co/yjWGGtLVSs
2) https://t.co/gFUEnkwzgT
WasabiVault:
1) https://t.co/rPCo0WyXeQ
2) https://t.co/rIznAAsDYC
.@AftermathFi on #SUI was reported being attacked several hours ago, with direct losses of about $1.14M. According to the team, only Aftermath Perps was affected, while the exploit was caused by the protocol incorrectly allowing negative builder fees.
Based on our analysis of the on-chain disassembled Move bytecode, the underlying implementation issue was a semantic mismatch: builder fees were expected to be user-approved, non-negative values, but were validated through a signed fixed-point comparison over a u256 interface. In the disassembled calculate_taker_fees path, the critical check was:
// Builder fee is only checked against an upper bound.
// Missing invariant: fee must also be non-negative.
assert!(
ifixed::less_than_eq(
v5.taker_fee,
account::get_integrator_max_taker_fee(
account::get_integrator_config(arg1, v5.integrator_address)
)
),
errors::invalid_integrator_taker_fee()
);
Semantically, both values were expected to represent non-negative fee rates. However, ifixed::less_than_eq() performs a signed comparison. This means that once the attacker set max_taker_fee = 0, they could pass a value such as 2^256 - 10^16, which is interpreted under signed semantics as a negative fee, i.e. -10^16. Since -10^16 <= 0 holds, the check passed.
public fun create_integrator_info(arg0: address, arg1: u256): Option<IntegratorInfo> {
let v0 = IntegratorInfo {
integrator_address : arg0,
taker_fee : arg1,
};
option::some<IntegratorInfo>(v0)
}
The exploit path was further exposed because create_integrator_info() was publicly callable and did not enforce any permission or fee-bound validation on the supplied taker_fee.
let (v7, v8, v9) = calculate_taker_fees(...);
// v6 = taker PnL
// v7 = normal taker fee
// v8 = builder fee
//
// Intended effect:
// collateral += pnl - taker_fee - builder_fee
//
// If v8 is negative, subtracting it turns it into a positive credit.
position::add_to_collateral_usd(
arg0,
ifixed::sub(v6, ifixed::add(v7, v8)),
arg2
);
As a result, the negative builder fee was not merely accepted; it was transformed into a direct positive collateral credit during taker settlement. The attacker then deallocated that inflated free collateral back into the account balance and withdrew real USDC from the protocol.
Some thoughts:
1) This was not just a fee bypass: the negative builder fee was converted into positive collateral during settlement.
2) The exploit was permissionless: the attacker could self-configure the taker-side cap and inject the negative fee through a public path.
3) The actual loss was realized through the normal deallocate-and-withdraw flow, meaning the inflated collateral became real withdrawable USDC from the vault.
🗓 Weekly Web3 Security Roundup | Apr 20 - Apr 26
🚨Spotlight on 8 critical incidents | ~$7.04M lost this week
Full analysis with vulnerability breakdown 👇
https://t.co/uPxLbqGccq
#Web3Security
ALERT! Our system detected a suspicious transaction targeting an unverified contract (0x143a737bffc6414b61134f513ceed1a64390181a) on Ethereum a few hours ago, with an estimated loss of ~$983K. The root cause was a missing access-control check in the contract’s execute() function, which enabled arbitrary call execution.
By abusing a pre-existing unlimited yvWETH approval from the victim address (0x98289e90d6fc92a8769bc892d006a2baa7705afe), the attacker drained 384.67 yvWETH and later unwound the position for about 429.2 ETH.
Attack TX: https://t.co/CjS9S0biHi
🟦 Found by #PhalconSecurity, 🟦 Analyzed via #PhalconExplorer.
Kevin Lee (@kevinlee_gate), CBO at @Gate - came as a guest today and ended up on stage for the panel on "Regulating a Fragmented World"
Attendance has its privileges 😄
Moderator:
Matthew Jiang (@realMatthewJ), CSO @BlockSecTeam
Speakers:
Chris Barford, Partner, Financial Services Consulting at @EYnews
Julia Charlton, Principal Partner at @Charltonslaw
Joy Lam (@Jl0082021), Founder at Clarient Advisory
Regulatory fragmentation isn't temporary — it's the permanent operating environment. Build for it
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers