Jack Dorsey put 1.3 million dollars into it.
Vitalik Buterin gave it 128 ETH.
You have never heard of it.
It is called SimpleX. It is a messenger. It does not need a phone number. It does not need an email. It does not need a username. It does not need a user ID.
Not a hidden ID. Not a hashed ID. None at all.
Signal needs your phone number. WhatsApp needs your phone number. Telegram needs your phone number. Every messenger you have ever called "private" knows the one thing your bank, your stalker, and your country use to identify you.
SimpleX knows nothing.
It was built by Evgeny Poberezkin, a London-based engineer. Before this he wrote Ajv, the JavaScript validator that runs in 300 million downloads every month. He could have built anything.
He built the messenger with no users on the server.
Here is the trick.
Every other messenger gives you an identity. SimpleX gives you a connection. Each chat is its own one-way pipe. The server never sees who you are talking to. It does not even know you exist as a user.
11,327 stars. AGPL-3.0. Version 7.0 beta released two days ago.
iOS. Android. macOS. Windows. Linux. Free.
A 4-person team in London is the last line of defense between your conversations and every government, every advertiser, and every database breach.
The most private messenger ever built is the one you have never heard of.
(Link in the comments)
🚨🤯 We’re only halfway through 2026 and Web3 hacker activity already passed the full-year totals of both 2025 and 2024.
January 1 -> June 23:
2026: 155 hacks
2025: 40 hacks
For context, total hacks per year:
2025: 97
2024: 96
Ladies & gents, we have a hacker bull market.
a vault bug i recently found came down to this
ownership moved.
authority didn’t.
old admin → new admin
the admin field updated correctly.
but the old admin had previously been delegated trading access to the vault account.
that delegation was never revoked.
so they were no longer admin…
but could still trade with vault funds.
as a security researcher wen auditing role changes, don’t stop at `owner` / `admin`.
trace every shadow permission
delegations
capabilities
signer refs
callbacks
allowances
session keys
bcz most access-control bugs aren’t missing checks.
they’re old permissions nobody cleaned up.
🚨 In one audit, we found a Critical refund bug.
When a launch was voided, users were supposed to get ETH back based on their token share.
But the code calculated a normal percentage, then passed it into a function expecting basis points.
So 50% became 50 instead of 5000.
Result: refunds were 100x smaller than they should be.
Even worse, users holding less than 1% were rounded down to 0, meaning they received nothing.
Simple fix:
Use 10000 / BPS_BASE instead of 100 when calculating the user’s refund share.
a liquidation bug that paid a 20k usdc bounty came down to one tiny mismatch
the protocol asked one function
“is this liquidation profitable?”
it answered yes, using the raw mark price.
then settlement asked another function
“ok, settle it.”
but this one used the tick-rounded price.
suddenly the same position went from profit to loss.
the code hit an “impossible” state, reverted, and the liquidation became permanently stuck.
as a security researcher wen auditing, trace one economic action end-to-end.
if pricing, rounding, units, or fees change between check & settlement, that tiny mismatch can become the whole bug.
You can't miss reading these blogs, if you're a SR/Auditor :
- https://t.co/keLNUaFXOz
- https://t.co/4o70GEOA0N
- https://t.co/hjmExuBfIE
- https://t.co/YtU4bBeAOI
- https://t.co/b7huQ3Fkc6
- https://t.co/CzBkuxgQhA
- https://t.co/DnXtEngycl
- https://t.co/jbhdqyRIav
- https://t.co/5QCaDwREdM
- https://t.co/taqDyVF9r1
- https://t.co/oeVkompKpP
Save it anon, if you're an avid reader
How an attacker can Halt a chain holding $1,000,000,000 just by spending $5k on an attack
this bug was found by @marcohextor where he exploited a hidden 1 MB RPC limit and was awarded $50,000 bounty for it
Complete breakdown below 👇
🚨LATEST: Zcash is DOWN -27% today after multiple reports allege Claude Opus 4.8 uncovered a critical ZEC bug.
Sources say white hats have patched the vulnerability, though the network offers no clear way to verify whether it was previously exploited.
🚨 UPDATE: Zcash founder Zooko discloses a critical counterfeiting vulnerability in Zcash's Orchard pool that could have allowed unlimited undetectable $ZEC minting.
Discovered May 29 and patched by June 2.
Phishing and social engineering are getting more sophisticated at an exponential rate due to AI.
Proton just let a phishing email go through to my inbox that I think will compromise tens of thousands of folks.
How it seems to work: someone added my email to a real Google Group. They then sent out a message to all members of the group with subject line "Your Google data has been exported."
Obviously this will cause many people to panic. The email went through to my inbox because it came from a legit google group from a legit Google URL.
All links in the email look totally normal – unless you look at the link for "Cancel request" button. But amazingly this one also seems to come from a genuine Google URL – a URL shortener from Google! goo[dot]gl/XXXXX (not putting the real URL here).
Then it takes you to (1) a Recaptcha screen and then (2) a genuine looking Google account login screen. It's hosted on a Google site (sites[dot]google[dot]com) so everything looks legit.
Because all links are technically hosted by Google, this is very very bad.
self-transfers should be no-ops. send tokens to yourself → nothing changes. right?
but watch what happens if the code snapshots balances before writing.
let's say u have 100 tokens. u send 30 to yourself.
senderBal = balances[you] // 100
receiverBal = balances[you] // 100
balances[you] = senderBal - 30 // 70
balances[you] = receiverBal + 30 // 130
step 2 uses the old snapshot (100), not your new 70. the subtract gets erased.
you end with 130 ... the extra 30 came from nowhere. those tokens were minted from nothing. loop it → vault drained.
as a SR, always test transfer() with from == to, stale snapshots make self-transfers dangerous.
Top 5 exploits from this past week:
◼️ $7.3M drained from DxSale legacy locker on BNB Chain via EIP-7702
🔗 https://t.co/xwyPQD07iF
◼️ $5.4M drained from Gravity Bridge via suspected key compromise
🔗 https://t.co/LHbQT2jiLt
◼️ $3.2M drained from 86 Gnosis Safes via SquidRouterModule auth bypass
🔗 https://t.co/Fj4U7H1CLf
◼️ $815K drained from Alephium Bridge — 13.76M unbacked ALPH minted
🔗 https://t.co/hbuntyi983
◼️ ~$500K from 297 wallets across EVM chains via private key leak
🔗 https://t.co/3gtiHyCAlv
#PeckShieldAlert The @gravity_bridge has been drained of ~$5.4M, including $4.3M $USDC, 274 $ETH (~$553K), $434K $USDT & 14.164 $PAYG ($64K)
The hacker has laundered a portion of the stolen assets through #ChangeNow & #Binance, and is still holding 2.102K $ETH (~$4.23M).
Vault inflation attack
x axis = donation amount
purple region = where attack is possible
green line = profit (attack vs no attack)
green line above y = 0 and inside purple region is where attack is profitable
Graph
https://t.co/FUoaFGtaLs
Code + notes
https://t.co/ljbq0YKgvF
🚨SlowMist TI Alert🚨
💸 Loss: 85,519.47 USDT
🔍 Root Cause: The `cliamRewred` function in `LegendaryMoneyMonNft` allows arbitrary reward claiming. The only authorization depends on `verify()` which checks `recoverSigner(...) == admin`. `recoverSigner` does not validate `ecrecover` returning `address(0)`, and `changeadmin()` allows setting admin to zero address. The attacker used an invalid signature (r=0, s=0, v=27) which returns `address(0)` from `ecrecover`, passing the check because `admin` was zero address at that moment.
📌 Attacker: 0xe1582248c593df4b367e131922438fec9d76e787
📌 Victim Contract: 0x92d60629ff5d53a0098b51e9b1d59546d1d8e5b6
📌 Vulnerable Contract: 0x92d60629ff5d53a0098b51e9b1d59546d1d8e5b6
The attacker exploited the zero-address signature bypass to drain all tokens from the contract and swapped them for USDT via PancakeSwap.
Powered by #SlowMist.AI
🚨SlowMist TI Alert🚨
💸 Loss: 49.4801 WETH (~$98315.16)
🔍 Root Cause: An access control vulnerability exists in the `onlyOwner` modifier of the ONTR token contract. When `owner == address(0)`, any address can pass the check. Before the attack, the address's owner was always zero. The attacker exploited this vulnerability by calling `transferOwnership()` to set the attacker contract as the owner, then calling `desertJasper()` to add a hidden balance to the queue, and finally calling `glenFlash()` to execute `ashBud()`, directly increasing the address balance by `1e30` primitive units without adding `totalSupply`. The attacker then transferred the inflated tokens to a standard `PancakePair` and swapped them for real WETH using `swap()`.
📌 Attacker EOA: 0xe806b37a9f965bd9d54aadf9560c78957550b760
📌 Victim Pair: 0xd46d89f4675bc96328fbdeb443842cdb5fcd83fd
📌 Vulnerable Token Contract: 0xf074865358b0dd039beee075831f8a2ae6b1f3f3
Attack Impact: The attacker exploited an access control vulnerability in the token contract to inflate the balance, minting tokens for free and then stealing WETH from legitimate AMM liquidity pools.
Powered by #SlowMist.AI